cce2828d41c4018017e9be64b7c0838c01d0be57b941278acea820c4c7f4db14

Analysis

max time kernel
178s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bb095c3d72529e3443ba09021dbed980.exe
Size

622KB
MD5

bb095c3d72529e3443ba09021dbed980
SHA1

0ebc66c21b8f22890a676a212fa3162ffc1ae3b8
SHA256

cce2828d41c4018017e9be64b7c0838c01d0be57b941278acea820c4c7f4db14
SHA512

a20c9c9c13f4937ef7ced8e07a13a5ec586ca1711af86ecf18c6d1c283ae22ad4d4aacac26deb167926bb66c299fe85ef8f01e7ac8344389d3dece80e82c80c5
SSDEEP

12288:Og4+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:OgxMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1396	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
1996	fxssvc.exe
452	elevation_service.exe
856	elevation_service.exe
212	maintenanceservice.exe
3380	msdtc.exe
632	OSE.EXE
2768	PerceptionSimulationService.exe
3964	perfhost.exe
968	locator.exe
2420	SensorDataService.exe
1964	snmptrap.exe
4232	spectrum.exe
4996	ssh-agent.exe
708	TieringEngineService.exe
1772	AgentService.exe
4404	vds.exe
4276	vssvc.exe
4568	wbengine.exe
2036	WmiApSrv.exe
4796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\AgentService.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\vssvc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\17bb0bf47a240f41.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\msiexec.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\spectrum.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\locator.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\System32\vds.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\javaws.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\java.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	NEAS.bb095c3d72529e3443ba09021dbed980.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000417a35bd219da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022ab1c5cd219da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000251d655bd219da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094cb9f5cd219da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004c04e5cd219da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac49df5dd219da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f3c315dd219da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000039d525dd219da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5e4dc5dd219da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeAuditPrivilege	1996	fxssvc.exe
Token: SeRestorePrivilege	708	TieringEngineService.exe
Token: SeManageVolumePrivilege	708	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1772	AgentService.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeBackupPrivilege	4568	wbengine.exe
Token: SeRestorePrivilege	4568	wbengine.exe
Token: SeSecurityPrivilege	4568	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeDebugPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	4672	NEAS.bb095c3d72529e3443ba09021dbed980.exe
Token: SeDebugPrivilege	1396	alg.exe
Token: SeDebugPrivilege	1396	alg.exe
Token: SeDebugPrivilege	1396	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 6076	4796	SearchIndexer.exe	131
PID 4796 wrote to memory of 6076	4796	SearchIndexer.exe	131
PID 4796 wrote to memory of 6100	4796	SearchIndexer.exe	132
PID 4796 wrote to memory of 6100	4796	SearchIndexer.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NEAS.bb095c3d72529e3443ba09021dbed980.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bb095c3d72529e3443ba09021dbed980.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3380

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3288

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
23a08ac929638ee81bdf2ba8e6c76c0f

SHA1
6e901dbd1a1d724c5062cf6f813d0efd6f380c7b

SHA256
0fbed97e5982e7cce6c73b4faba5fc97aa763768844470931bbcb427c1dac028

SHA512
f256f8ef3472c0d98c05db65ff9cfc1e942ac7a578e732289589129ad964485a5b592c1b5f4af7175dca2a908da11bc4d0ff1d4a0e73f4543616a5c6862f5bbc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e1047a1fe8dab1382407b027ffb2bda9

SHA1
d154e37951dd183d4ea31e74f5e339e15adc49f6

SHA256
d1cca65399861b3906b939908e9117accce00e8b7c9b978d26d84b1cab22e86f

SHA512
8caf80b9220ebf49cd1d70a6b40b870ecacd12fe36c2359c91226c90279ff4e42907360515ae9155a292862c5144c9b4c89cff6cc2f3e4566af1737f3529bc82

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e1047a1fe8dab1382407b027ffb2bda9

SHA1
d154e37951dd183d4ea31e74f5e339e15adc49f6

SHA256
d1cca65399861b3906b939908e9117accce00e8b7c9b978d26d84b1cab22e86f

SHA512
8caf80b9220ebf49cd1d70a6b40b870ecacd12fe36c2359c91226c90279ff4e42907360515ae9155a292862c5144c9b4c89cff6cc2f3e4566af1737f3529bc82

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
e3e0497921e9397991f83f1b3ff4c407

SHA1
65d58a9df1604d2512b9a4bb2dae00cca82ad6e0

SHA256
f31b6efbcc38129ccee8c5ee51b3d97e4bceda16e9245fecc3b6cc556bb4489c

SHA512
4627ebbc1752f0f5c339ea1dee1d87d9513147c739c4a336de840b5c3e3e292e19e44b036d733f48a9a6b1e4e9121fd086f356e46e6f64abf3f5d7f8430b15b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
7711f9e6135e03e36f507cf3c636c096

SHA1
db0ef87d769d32c1445fda6a3cae231196878649

SHA256
e0d897e691605ff9e93d0bca63a46ce41db665decc7b668669a33a791e3e9a47

SHA512
769143f3d3ea6f524f8ac8fb86262a66ef0efd7298fefa97c4611b0d97a7d432a33b52464eca219f3aecbc4bdb455f4e31e68b35184dc075090d6d0a169ddee6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
b65a583a273e9250e9d3952b47f69928

SHA1
a0c4ff3b07006d7c6dc4de8dc3240a221742a355

SHA256
f41de4d385b80b1d2da9afba68dd645d4d6151ea9602f733353adf6085816700

SHA512
421fc8c2a7ea5961807e7b780c95044e2c754a9a6f907051321075eedcf3e87e3b12c40dd7c027a1c015f8e2bb7355ccd7e566edeb84fbc7d448f3e7912a3396

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
583KB

MD5
6c8afd0127d893bd475b4019d96c4908

SHA1
8d009bfa31d5121e0ca577e967ee2d89f70ae6bb

SHA256
8399cb6e4b940b4e87fb06fdcb774cceb3ed21843a14b4cd14af991ccff19d96

SHA512
d128a7518cad60d5c668d8baca62d6d89d4e3b71b99c4b27af3e94f79afb9a91bde4086dea8327d40f9871582435c9c7eda7830460e861c6acfc10dcaf002baa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
25f178a4b45c7b0373b82070e9a153ba

SHA1
a324bbc453483b8df04aa7f6c973b4e90193f566

SHA256
07812c8ffd81da7fad58764b1d7d6d83d4ecd1b10a10580f8afef56d198be291

SHA512
fcf6b37dea97b99c08f0de7caa9cba06767086fcd97ea502e3697df4db8e5e76552bee99acfaf816328ddf07c0a484e4ee6744f51c21b01cb30b6f5adc0afdec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a22c325487c61237334c2e098200cdea

SHA1
0f2172956aa754c65955f6f30d5340efe5646e22

SHA256
872146c4c940a1d7121a199f7887846469f2e9d33584c18437b8346b57a98a04

SHA512
05549e2c35b682bf2091f8abf5341ef0f49a195cb851ab57ebd0b6949c0a1a8c5642a90be9592d7e65d15fae62875cf9a035e998f2e1891f299dc2b1294237f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
03586194d6fd01aae0bc28a90d84d127

SHA1
d184055a01562e9723cf3df418b37d235f2537f9

SHA256
28dd042f41fbcce6d9799a867f9173cf5166d48d029809a7781266695b77c6a1

SHA512
975aa3b9e14fe1b6a304d56cb4d89899a78f2a5d791f0dbc0c2f27569350d841766a4a24991a45f897fe5914c24dc3608bc37c59eb954a3ca90957f5b39451c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
85543aebf703fe78d697a949438660b0

SHA1
6df20bfb5e7c738f6a872c801eca34538e2786f2

SHA256
28265cf0916a5d4de1e5f8d5d4311592efb63ac63d910dddab43412fda0e3f83

SHA512
2e24c597a693ecefcd0b5c741e5b3a7a6a094fb99a8f7787eb53658417771db19171efff9fd752339af36fdf81d15211f3e8503e17042533216256dd2a48c577

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
31b71de4106064f6b26fa27bc6960c61

SHA1
716031dfe51496a0e27f30554375bf2a9e42ec19

SHA256
a805a871cb289b9457a1291871698e2f401cc1239850a0c6bf9aef6d01386823

SHA512
21e512b621b821429593d3937a3a1a9be62c11f19a4645369fd9329ac958b9cd9016e8fd08c7f72148a22d95a1991066f4d143deafdf5a1c165c9cf9a885637e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3902a9b5d0a3e52daf30f8b821d19e18

SHA1
a1864a6e73b98ad02a94665a7a5f4d31a43d3202

SHA256
4640cbbe41612a01f6e9ba09022c86ad6e6cdf06bf181eb733d56df494fd3b04

SHA512
a1a4872d065595a543176013bffb8f328c988d1af08dd3dc13fe0de3626bc292ac945ece222e95d9fc914a7997e0c54cc478be07cf4805952308466d7ab75051

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae48a3a8638ae2ba708fe92e48d6a26c

SHA1
766c6b4b6f7eeccd5b7d72b9490c9219b48b6f99

SHA256
0412759b06e3d533579a3b1bf718b82048aa5b1541c3b23d0ed6800f52d74396

SHA512
f8d4ce96c052ac7da983c642917d42d26675b44b90a50c70127670f15af932b362a33a26a71cf4862bf11e4e2f7a197eac99274ca82f6f181b3f74439d76a4e7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9e657c0c92ab5a9ec540914fbe4ae2c7

SHA1
bb50a7e00908d17970c08cb2e2d5e4952c8563ab

SHA256
d1ad3a17ab2c132a93443cb01b1bff7e74b6eefc8d085a0c76be981546c7f42b

SHA512
f27a62b3b75ff9c27f13f85823bfb29aae53dee618fba66068a52fb173f7a1a06d306993f28ba5502c6c24e7233ed1903e98d88718b3b6cbb495825db41cad15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
778a16bb14400e5e39ab97a357916975

SHA1
43b6ecb9cb154541678f51ddbd07a17cc2f36156

SHA256
5396c98c3a185445349167fe913fbc99287b638f51785fe4ac587ba214d347fa

SHA512
d0e55432e73b2b958aac7d62445f93b4f1b11a1d51c4e4219b378076c39cc823b2bc077a44962524ff1919cb495a4ecddd16b801eb1f45724aa5862c14b3ac47

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
f2806818f8885104d2dcd3d070290cf9

SHA1
376ff7c045ea4ccff8571e5325f142d976dc2bb3

SHA256
e5b3160a2e3f2df4e2cc59027ba749d057026c3da7c80f3dc09153ead365ca62

SHA512
c95d8d9fe1dc687d9b5da2eaf3f5e1791acfaeea85844ac16976a0ba9afe64ecf7a38c0bb9bb0982b1f41acde167cc87443d9ac316d4b3138b3b8de481543f56

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
4915f53a069d9e490bedfc8607400368

SHA1
38d100574a66c45bd5945b559967668bf02538b2

SHA256
d6037a3a32cffee3fcf57f3172034dfbf2491fb8999cb92c87473a72680258f5

SHA512
0abb7bcd8c0b7979b82b71bf773d3c26b5816840df48d5d5247163315fd968f42d34d29b10f80dcd877fb5a5346759eea828795442b487a9d6aaeb7b15b95dae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8744a9c18c3e3f8349340a148179d06c

SHA1
4d78d2eb61d1302c27bfeb5594a3a0424c960bb8

SHA256
7c5bad4f1d759d4b2961c1cfe2cb0ee3fc8f418ac970daae691a733ae5b9eeb7

SHA512
a09c6f7c42faa9fab93cc77481f6b7febfd5d9156a1dc137cf9e949365644412bcc7b62c1327ac98f0b4e322c4585c5ca4fefcbe4b07e567f9e817a489e9379c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
279083be07c739c9820f1203c62bb39f

SHA1
ee794b77a3036f85c8696d1f2d0af1bb73b03a7c

SHA256
ad9a9470789f8923102fdcaa9e13cd1267fe864105b9cfe48a1700dc2bcff760

SHA512
4935f4d487d4aef682adbde5a5a411514275bad7251787d76f005410babab696d79e518f2f7a065df794c442d7540b2b8ad25f7fe1430151c9f2b8dee8d680e7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
505bc0cf914105e648f37c5bf5d3ed41

SHA1
133cdc6c5732a0815b62d923d84a401f5b5da45b

SHA256
93017bb3748e7743088e032ae7b90ca608b1865dfeece8684f798404556a53fd

SHA512
0e6fca10f8ba8eba7fa9584b9742eb2fd3664f71bf654a99120dd4c3584437439fb6d1f1ea8f4aa0da4b706a6a3136805e1198f18a8d426dbe866557a96e7cb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
002f201ea6056457707a41399ffc5e3a

SHA1
643c8f2c95e713782a462baa744b911f047d6988

SHA256
4e9c0e647f0865468f72e048fbb7f21573022c1d6999a66cde1e7ab351064485

SHA512
3a4f269c8c34f5f780880bfbeac2b68dc84563d54167a4c03e8899e6483f4749de2eaca546486d561ac337bce55c34875c1bbdbc642d70c3a4026345c3268cdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ffff0636c15526955a7d2db8ee14935b

SHA1
4400dfd071fe50919cd93e420a6873aa1a3e3097

SHA256
a59b2ff4e4db9b3d3e5e7c99c551aee4587579e3fd1829d276f1a478abb0f117

SHA512
cbe941a89e9ff55c7906bf805a73ee96183a6198a9e10be46249c1aa0489f2ba1cb873bde2cc365473994cbe0b05add41a4e6b5365929d61b9c6be3aac91aed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1b9f0a83a6a5ec12fc68a5ec09fcdcfa

SHA1
338da5a72673acde044d17f30807026d6adb1618

SHA256
fd338670e92a5ee32b7d22e7aa2f71e098b49d1d1e7c675422a1f1c980bd82d3

SHA512
dcf6b59f4c6dbc39c5f58a2b23c79055601c89b6ed1075eee6db101f4abc456e61882d7f271c90eb90c545682529146e097db130e593532a6e3377c2b0b62038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
925e522d4d92faef934044734be5e63d

SHA1
e494a93c49c7e84f2fe8cb7d78f08afbd663a29c

SHA256
2a29d7ec4f6bd4f2f4e1dd7ff4fd52ad28b611a00f22de7e594565bf731ea148

SHA512
b3d0b4712499fcc4a57ebe05c7f5e3a7cc73fdfa9d62414e77064477fc45809a0448b9706deb89b1efa31bb54d38bec979e2c4aff2dbe412b960f84b3d936324

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a2b8d8ca3553ce1489e18d22a005e07d

SHA1
8b77ae4f28e88ed00e4d59c817b9e340123c6876

SHA256
940b5883fe32ac4083048b39e969c6f549cd5852397c25cbf8396827cdc6bbab

SHA512
0312ca591fdf4e19db197aee6b2bd3da121f7afa1140b84c3061c4ae3e62295dafd8e2305c2f98cdcc8a9b322153e1196834238ac65197c2b1f25f113469d79d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
57bcae0d6697f84398826730d70c9a14

SHA1
79573bd58cea90c8599926a62dfb60012d0999f8

SHA256
7ec7b4ee9b6f3bcb0c912cb852c9a41a814c881a58cd0ee2bd48085c70ab4d49

SHA512
14230ec5a5e7ffc9e5febef1dd14bcf300c197af9b39595f97b267667aa8cae20d3b777ce48dcdd844fd279c6bb5e19d98afc21fdac9b35d091d8421778fa0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1c31abfa4e41053ecf3ec16c70efbb66

SHA1
e6463d0e5a4b62bf98e9b3352e5f7d141dc79065

SHA256
8d3bcc2ddb288ed7da3b2ceb0b9ff09e39c896614e64346145829fbe15b06c8c

SHA512
6709f4dfc359aca3ffeea1d62ac8cac3834b65bcf9e762e578a10d8f66d95be707baafd91a010a9a558d37ccb77351207d476df4777162cd7d4a03293d76f862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
647d31fed826bc3bbb33db9504b87422

SHA1
c837bd2f38f7b47e52eeef43f3a8a1a1696262b8

SHA256
2097b3b944081ceb94809f0a0d6367fba04ccb36ddac2017b0d8a3f1605c8202

SHA512
13365b34b174fd43457a76988574658f0958426b49615fcb3a184117bf85d3d33fc0bcecf3f6fb5e4fdef3449835139ba51782f17235552bbc913d441f29ecaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
98c0aec16afd08a2a518acd72e475d95

SHA1
a15cc2b55c93fcf8e7f57dc2f0ad3ab50418b632

SHA256
04a04c2ad3e52573f445aba0ee27a0183dd31a9665a2987422ca67e8e623efad

SHA512
a453e328275c92de17b67f99d10d001be1cc64a7be87f951beeebf5eed6c6f51f1ba0b9dd0ab5778c7c0560de00f28b8f07fa4dc934a378d45cf118ed965bd84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d7b21bf16a97bbf3a7065c79c82e564e

SHA1
36d4f47b717a422d1787480ad7ddcdfe3eb6af3b

SHA256
2f57a0463d8cb0f178743ec0894630ef7c37401bfc5bac0e5df35b4b74a93cac

SHA512
99f8c81c23c9c183f8ab3f61ea8a98a4ef1175de86ee47f518fff6ae6029e7505804e01d88178c0286bb5f5950ca093e8e43f98a5582b4bb07729df55747ef2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e998f73e5cb2b906c9563cdc36fba972

SHA1
2520a8e3dd2cf12a7c8b9b222af196276383e3c5

SHA256
22c068cb67b67822913e08c2a64f0ce3cd589a6489fa562438682015d8e3f9f8

SHA512
38750fb4e3cf43927ace599ffd6f4cb689553c4c9708e978f465626d862e9bc92b54743ee670aa514129d83a9404b7c8da4a1b4abdf489e56364910a535effd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2f416a68c8dd95edcae51e4c3b772c4f

SHA1
6847a333f4d8a9b7c80d3b18561ad98402c2f190

SHA256
dc25481621cee754593a718364cfc10324934b6204b5dc8b955109d79de847e4

SHA512
5b2af18de054a36b827f75b59bff4234d11136266fa27b393960973f5d9d2e9451a31030acb0dbd6f6fe1bd90745b64027e8322e8e87d7e133159ca694e1a40e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
040a91c68fe8303c1803932b51763b9f

SHA1
cea9ec6e6455f9439ca5353267c884c8925b7e0e

SHA256
8a7e76d8eec2dbf5dfbf9de75c08f20ca5bed8179b22746f61cfbc88f0e2846c

SHA512
adaef5c5ef15cedb8e55b4bef598ac264153779c6f70a9ca9cc7eecee05ca6e1775e911b209b5383004f9a98f2196a458e99d556144c71fd2ac12e237565ad73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
63f341957e89e46a7266cd8d00871f2a

SHA1
84739669e3dd9a64fbae66484b97970445f9dacc

SHA256
e80f188cf7c7325bc276e5799b8abf97400d6d7c632db34b1c45440fe8308fac

SHA512
ee1aa893721e25ad5301294bb0ccd8cbf83b63136ac700cd80e5462221327809b023016c60ccf5fdc61153876bef58461b6cb8f881c18aa3f769cc8e47967550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0dded6687502471d4dd7d1969dcf852b

SHA1
1501601099499ed6279d9fa775f2a8bcd49521b1

SHA256
b750eb5f1b794287ace0520f96b64b3948a691f197be4a1a8ddbe9cce6f2a27b

SHA512
4959a448be5126cbce5881525c9769819cdb1f22588f1318e99237fa4ce59095cd5bf5d535909126eeb0c9554772167952fe644437f8a5584d5180ceeeec0a64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0e0de29da74e5497621c13c7d91e83b2

SHA1
4e155c1fe16d1e14fcfbcf31689785760e60e9e0

SHA256
971f8e1886f12245e55373ea7c78a362e28a2d9e259bbf6593fc45c37afdbcda

SHA512
8bbd644bbb5b3e0e153fc1f40e916969707a1d503fd922af5bc8f4aa186131586f4bcd820ae248964fa947270dd64f88f10c64255565aec4d8ac03a2b2d9a053

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c9a06e554d25a1c20bc60c56b0448e22

SHA1
966b4054ef2f74468cc506e85ee386e6e9296d4f

SHA256
db9184561de09a1a44968b185210427796d13b39f6871d7c541e3033371c46cd

SHA512
c23d131e30ec62c544f30b967ad9b33bd0af0c69c7f66a2f33cba8536cf45d5acec5461749331a500c0eecc0b0b707711afd9e220b280091df2ff0c01073a065

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
80397e2145d22084d898ab097c5df41b

SHA1
168f007c17fbef0ed395384346b2544e69db15b4

SHA256
d819d70d2a1655b4d297b0d4366c4ddac1fe32f1d47ef68e07d43e84ead38731

SHA512
e0d885d03fdbe330640ecff0a80db5216800ff657892e66f79a09c73a9e9c478efa811ddc9b6967e77bdd8271105fcd7da59f6eda7d31a9cee4b918c69ca508f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1b1e99386656a1612009e6221524440b

SHA1
cd9ddea5e35dba9783b097639eb6bc786ef9cc59

SHA256
fb8baa221b6fc928fee01ca7fa01efae9402ceb809ecee939d5787b080216dae

SHA512
8dc441c436ae60d16938ec34d77f8b2b70373fe03fca1ffea6127de2da87f5816a371ba9ce69613f0ac77aa9113f8af21d484b1bb4d53fe7124dffff0e23b017

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
153ac106a57f24452389c6e381cf7f2c

SHA1
bc6037b230d5cd6127540148014dbd8b6342cc88

SHA256
1c3893dc5907db823af647078bc81b15a1178a109e2a6e961524b4393877fc43

SHA512
4917e01ac44abddba9f057e685957709b7b1d1e242e86165a45eb9d2dd8c902b341040e0873574d953a793c053a23794c018869e9052fc7508f799ab2bc18f7d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a059155e2c22e9a111faa577ede78ba3

SHA1
091527ce56cc82b73f4f2b0458635f9da6f02f88

SHA256
a5b36e31ff14a777330a3b9e1f8e3f658cb5c854082909340655780e1e2fa502

SHA512
d28965eaaba2da90690c1f69d8272951b4ddbc1b4094e95ccc7b22f7f50662c65921f7cdd0a1f9f3284eebbc34c5ed88d0b50f377aaeb10debc815a82d43f13c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4fa537d64d55471b215ff72f3feb874c

SHA1
6864cc101aacc6944bb0af80ad51c13809a0a275

SHA256
785eb6920a7932f631ab3a160fb3ab8463c7f023dee769add45670bb326af54a

SHA512
94e1cf5c7715168617ca958c5c052cbacb69932f12ee90b5dff3bc1812eaa33b0e2c818036bad4a0b6aaa0a76880e96ff0f019f4b43b9ccbb0fd7bfdab54f495

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
52aee1bed469667cb32a508532c3bb30

SHA1
01e15345cdaba503541b6bca5dde51f3af61e6df

SHA256
e8f4866b1fa21cf377741ecac15c62ddd71538087bfcecdf02811d48f7e5179d

SHA512
68973cd06789268195a8071d960727450b94e4934d89b03435b642a2b550037b46a8eb5973080700f2be634f00a59b4cfe7cdba981775d52cc23448d8e18ae23

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
52aee1bed469667cb32a508532c3bb30

SHA1
01e15345cdaba503541b6bca5dde51f3af61e6df

SHA256
e8f4866b1fa21cf377741ecac15c62ddd71538087bfcecdf02811d48f7e5179d

SHA512
68973cd06789268195a8071d960727450b94e4934d89b03435b642a2b550037b46a8eb5973080700f2be634f00a59b4cfe7cdba981775d52cc23448d8e18ae23

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9a9ed67d659b4601e196e46882001459

SHA1
46b96f520b84c51cf3939fadda6049d07f20d241

SHA256
62b9402a4fd6a2e405588b7b761e4f96b5f71058e61277626ee0514a52994e8d

SHA512
cf4683849af1220717ceb47f3d979f0618e8ebdcde498e52d605c704758ad57678f8ec2c57523a2adf58da5d8d35038ede763835c7352232cc7e87bb4f6836b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
41d95f388106c095a874a01aab41febf

SHA1
830637f06e87b105d2f97bdd225adda3a4232bf1

SHA256
453a6852f8c08d05c951dc9624600c90a822c5571d7f494c22e2bf19df443443

SHA512
0bfcad8f7501c12491ca82000c2b9e3d69aa6c8bb47b2e1fd2102f31bd95781aa23a1764265a1393d65d38c1dea003a8d39264a92ae18d82ee662b1395cbc2d4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
156be09ed56d33b69dd56793f545a5ca

SHA1
bde686b113a8b7f5196435551a73f9363948a269

SHA256
da48e0ed32710d1db8709ecac9b578658b5983150f93648086f5d2e2a4ae1052

SHA512
e70f7360713968e700a637a6c10616bc32eb25937cd607ba9a1a369f18a1e5055a71935ec71332949259f4abf6d7edfc4018e2931d896bbd71e2135001e4a27f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
156be09ed56d33b69dd56793f545a5ca

SHA1
bde686b113a8b7f5196435551a73f9363948a269

SHA256
da48e0ed32710d1db8709ecac9b578658b5983150f93648086f5d2e2a4ae1052

SHA512
e70f7360713968e700a637a6c10616bc32eb25937cd607ba9a1a369f18a1e5055a71935ec71332949259f4abf6d7edfc4018e2931d896bbd71e2135001e4a27f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ca81b5e95158e7957f0b77ec6774c5dc

SHA1
0829fcdf131579d5b4637df3b09afd242f999bff

SHA256
7478e6cbd6c662589623dabe55fe691c0b55995c86e8fcfea0209fc5aeedf6a2

SHA512
00547dffca6b0439593329dab7e928a730539da54aabe4179ff4f363a9c2d21cab5d6370b63578901034127e75eb8e5040e8d0e029e73ce0cf7778a8eaf2f017

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b92d11593cfd2d97e9e4f85e84e87fee

SHA1
4b3f6d79e77177c76eef98b70975744726fe1633

SHA256
75559d81959b6792dbc99937e6bb3abd7230f24fd434f47369dcea8ff8ea7b3b

SHA512
659fe544a35047c3d69777183be06deb6f8075e6f0bd76445312dd51cab8075fee480646ee807bc058aa978d611aa30bd7fa8f1bc327304e361149c09b43b8e6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
192f4ffd770c1bd6171f6a84d20fece2

SHA1
4729a3950040a2d61d486ee11bd7328a8d50b6d5

SHA256
4a4f724d37d7f404ced84c9322149c6af6752b303b8e0d982fce1d8cd21b23bb

SHA512
5e5821398aba8d7bd9d3980434177041317c9319b459c8645fd1f5eddf36c2deced8147a5a851d1e5b984bc96d7db53c611b800377300cdb133c3bdcda4e89c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1fd58c393d8edaf87f88487844845678

SHA1
7cb01d946dcb874236318cb32f23067f39718978

SHA256
919f15d04bf75bd49d1aca779da1a347d775b4d2ec759d1f3193fd562f7c6fd5

SHA512
da86642d874c506056003d3094cc0974ccbad0c3fadb67c79fa51f296e92eb58577c0ebb139ab4e986d6ad46e88057e9a973f5e0ef85525225452203971f72d5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fb79a3b72b2e0fa3880e46b96d01dad2

SHA1
2b46d830a9a2722c94d317dd163b62fb3d342c13

SHA256
cde5983515bbcbfb0d9aa6dbb469dd09156a4cb127ec7b3ce226fd6fea87da00

SHA512
40c86d70eca4039980a205b579df6ae0eb89f16e44bb88b4f65c8b568b3a31a3b840d74ccd8f4ca66b534ecf72f99bb3dbaaa4bcffd94eb70a6f746249052e2d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4f72d1396dbee32dc3af68623a2c470d

SHA1
3d15bef35be50d945cb1181769f688e368783f40

SHA256
dc73e791d92e71dbcdc2a06626e67555eb02fc6b3ce3036da169f339810b3ffd

SHA512
a7f806f04a0d3ff307c4b10412b26458089b6b1ba07b3bcce447e444da29875d97c89137ba4ca4588439728f57d9f8f1b19fb3c335c06ab599033e2b12cec95f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fbf5bf2febc18f316062e42021cdab09

SHA1
10a7025dcc68960a469c356464c278b05cb5165b

SHA256
40a83de417e3333de051493a8707a1bac52e2aec7c64b6e177cf7f2883dbc93c

SHA512
7d23faab9daf3b6b6f74e82dfcd6aae84c7468fc500401df8b7367605a2db2f294a1ec25e210b79eca422f82b755e0a5d7f6a89cf2c8b47251393f220166d576

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2f20715f8ebbd529f67ef62c0d2d32b3

SHA1
9640adba7159bdfee8387c8cf576de1df7afb526

SHA256
0fe08be072112404a5a34a0b7455d9785124e2988816158e3d580c85837aa290

SHA512
479ca40396c08d520c2d8d53bfc5c3ce1833768a4a0ea1b4b4a5b14e8322a4b5b3a6654969e640ef091325998aa593c95d5ced21c04f18b8a791b3d584c56893

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
856af5fa6fc291ad984b5ab8764d88c0

SHA1
6b45298eb2f6f0ecee779499f614c13d7d675ad3

SHA256
772964ac816f89eb68e3e70ca21de40ff57e699f19af417fb1987225b9b8656e

SHA512
9e3f206627ee3ab0cc9bad51a870bd1318d1f15130a582751e9a68d114698af79e170902288464f61e5bc2a1e53da08940ebf7f82235510248995df3814c6b57

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
1b1e99386656a1612009e6221524440b

SHA1
cd9ddea5e35dba9783b097639eb6bc786ef9cc59

SHA256
fb8baa221b6fc928fee01ca7fa01efae9402ceb809ecee939d5787b080216dae

SHA512
8dc441c436ae60d16938ec34d77f8b2b70373fe03fca1ffea6127de2da87f5816a371ba9ce69613f0ac77aa9113f8af21d484b1bb4d53fe7124dffff0e23b017

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4954dc074eecf75d7d49d17a0b4edecb

SHA1
e427c73f823a2f1ec7a3ab9c6923a822b121e5ad

SHA256
11d32ed1d388be12a5d3574067f151978811a2f8c9b1dcf2afff898e7e723c87

SHA512
8cfd6554940c4d330e1320bf1f8294b43161edd630ccba326a2f7722e11ec303157622c409f501e469ff914529cb46714f4c01f36c487987ae27c20b5082c1c9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6133b37dadec395d6a9752c47a5b4bd7

SHA1
3afff46b4f0cbc7a1f6f9516fc5215ff01c8eb0d

SHA256
41fec3703ff201ea165a493320ddac239472060722d2371fbee7a105b5b7d764

SHA512
4434d4efcb031ba3ca893abf99ec98da836904118f531c3a632cd3a24e13c8be1326c44e8ad1a97a6aef63d14f4a26c37b5609ae1254463bb7fdc73d23b8b645

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a059155e2c22e9a111faa577ede78ba3

SHA1
091527ce56cc82b73f4f2b0458635f9da6f02f88

SHA256
a5b36e31ff14a777330a3b9e1f8e3f658cb5c854082909340655780e1e2fa502

SHA512
d28965eaaba2da90690c1f69d8272951b4ddbc1b4094e95ccc7b22f7f50662c65921f7cdd0a1f9f3284eebbc34c5ed88d0b50f377aaeb10debc815a82d43f13c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4d213eab98053bef36dfd26ba629fe34

SHA1
b88879ba5f312714b39da69cf627070dd2c14213

SHA256
c4e572dbeb4e853d9f6e44bdb86929bed5339aff4fa5e06fc15492af90fe16d3

SHA512
1772533d6cfae06c1090969568dc53e9a2b97490ab7eaece1eeae00bfe9182b798534daf9e7c4d0eeceb0dea089e043a1d52ad303c3b6e33d778cf01733834e2

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
fe8d58ec4de1e8a3712f6b2eddf67ab8

SHA1
39d860cdf8207013829a6926f1fede983c81fe4f

SHA256
1866115199161471caf38107aeff6e870b6beede66ece0831c853629ce680033

SHA512
09c9fee73de100f7d1232ec4d4df7704f7bac4bd08a0a995d867a0b39558be6d1b2a2fc8382a315ea63a304526ea5c279c4caa75cc0b732072442c667c07fc3a

Download Submit
memory/212-90-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/212-84-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/212-87-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/212-77-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/212-78-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/452-52-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/452-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/452-59-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/452-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/632-116-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/632-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/632-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/708-273-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/708-214-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/708-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/856-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/856-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/856-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/856-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/968-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/968-147-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/968-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1396-76-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1396-19-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1396-20-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1396-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1396-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1772-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-226-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1772-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-232-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1964-174-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1964-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1964-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1996-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1996-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1996-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1996-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1996-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2036-282-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2036-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2420-301-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2420-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2420-160-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2420-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2420-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2768-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2768-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2768-130-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3380-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3380-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3380-94-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3380-102-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3964-199-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4232-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-186-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4232-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4276-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4276-256-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4404-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-243-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4568-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4568-270-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4672-61-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4672-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4672-1-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4672-7-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4672-6-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4796-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-295-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4996-200-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4996-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4996-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5104-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5104-92-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5104-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5104-28-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5104-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download