dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
Size

1.8MB
MD5

01a569da489b7b6e9f8754f90f74eaf9
SHA1

22c8bd58abb079c51ea9495e3c2eeba25ca79c56
SHA256

dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d
SHA512

76b4faefb564d7ef69dfd6a604e319b6ae842bee64d83ac29250fd91f07db0082d5cd5eb5497996bc7369b65d90f8ceb2e321a26d9d0c77236692fdb545e8783
SSDEEP

49152:mx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WABaB0zj0yjoB2:mvbjVkjjCAzJxB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4840	alg.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
228	fxssvc.exe
2000	elevation_service.exe
208	elevation_service.exe
1044	maintenanceservice.exe
4332	msdtc.exe
1668	OSE.EXE
4924	PerceptionSimulationService.exe
3372	perfhost.exe
912	locator.exe
1384	SensorDataService.exe
4968	snmptrap.exe
1992	spectrum.exe
4244	ssh-agent.exe
4364	TieringEngineService.exe
2948	AgentService.exe
5084	vds.exe
1444	vssvc.exe
2096	wbengine.exe
2312	WmiApSrv.exe
3480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\locator.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e74979ec6b2b65a2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_pt-PT.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_sk.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_fr.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_gu.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_pl.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\goopdateres_ca.dll	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB24.tmp\GoogleCrashHandler64.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fdda9dc4a21da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bec77ade4a21da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc4c1fdf4a21da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a00efdc4a21da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b96c5dd4a21da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000258c9ede4a21da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
3384	DiagnosticsHub.StandardCollector.Service.exe
2000	elevation_service.exe
2000	elevation_service.exe
2000	elevation_service.exe
2000	elevation_service.exe
2000	elevation_service.exe
2000	elevation_service.exe
2000	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2432	dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
Token: SeAuditPrivilege	228	fxssvc.exe
Token: SeDebugPrivilege	3384	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2000	elevation_service.exe
Token: SeRestorePrivilege	4364	TieringEngineService.exe
Token: SeManageVolumePrivilege	4364	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2948	AgentService.exe
Token: SeBackupPrivilege	1444	vssvc.exe
Token: SeRestorePrivilege	1444	vssvc.exe
Token: SeAuditPrivilege	1444	vssvc.exe
Token: SeBackupPrivilege	2096	wbengine.exe
Token: SeRestorePrivilege	2096	wbengine.exe
Token: SeSecurityPrivilege	2096	wbengine.exe
Token: 33	3480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeDebugPrivilege	2000	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3300	3480	SearchIndexer.exe	119
PID 3480 wrote to memory of 3300	3480	SearchIndexer.exe	119
PID 3480 wrote to memory of 4172	3480	SearchIndexer.exe	120
PID 3480 wrote to memory of 4172	3480	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe
"C:\Users\Admin\AppData\Local\Temp\dcf0d3967f4c9d98cd2ac32d296e11671851b1907986b9927fa5b72969708f6d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3300
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
32f2e813cb95e4004afa297b2f48a6aa

SHA1
a438509b4376dfeca8d868ae77706a9d3a64bcfa

SHA256
b5c097e89baf0e4f2b5ba58cbd5c722d6d74a61141bcfe7a82a091b9ca12c9cd

SHA512
2533b75d81355cadd2fe9a1409d3556be66e83802ed076d6c4aa9785b1d6b36d8f9f12fb31445a1925b0c6fc17ed84584dc0267208c326d2e486f230425f3ceb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a61bfa7f37df6050534d795fb37d2d8c

SHA1
4c3cb840d1f5387a218a6afc8bcd0a6f8d56fa5c

SHA256
e52c02794f0dc0cce7a423e84448b1f9649b118618edb1aa2063a7bcbb0e956a

SHA512
967c7c5a993081b0053d3fda460b293d6dbda7aeda1d0df4545814e5896e8705c40614c5d516c18a60fa2c96d5b2fd52fb59b5899884f2b7f0efca48acc41cc7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a61bfa7f37df6050534d795fb37d2d8c

SHA1
4c3cb840d1f5387a218a6afc8bcd0a6f8d56fa5c

SHA256
e52c02794f0dc0cce7a423e84448b1f9649b118618edb1aa2063a7bcbb0e956a

SHA512
967c7c5a993081b0053d3fda460b293d6dbda7aeda1d0df4545814e5896e8705c40614c5d516c18a60fa2c96d5b2fd52fb59b5899884f2b7f0efca48acc41cc7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
91d1ac0dd4303549386ab8a2ab967d95

SHA1
c03f281f3548bf7e523f5bf240d046a212349236

SHA256
19ecc54eb6f44ee044ca93ea69a01a5f984f07575871df5d51c99c25627bc26d

SHA512
d9eeb4afcc7046453148312e058260c7747726fa37ef43e79c3513f93a5c666d38e0952acab74a67e80ec0dabc292532224205f9060fcaeb7ddf0df8a838ee69

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
2b4e22b71847969bb3ef4e6499447403

SHA1
2f473152c4043743ed80397f4ae1b65567ad65f1

SHA256
115313618d219d0a3545e9677330a51dbc40d69e3a353b18ebf4b5a1bbaf17f0

SHA512
200ddb1772d8c1dbdb19b53a267ac553bb592a37b162c6e6fbb097c45f414c3ec6d38fc903dc8faf955a34230ea3336272ee9fa82720d5694e2ae858cb3c6106

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
6149860c50a9497e05ba852bbf8cc724

SHA1
d7d5803ce46a2fe22bc71ae0a97d1edd92709962

SHA256
5874e2321aa0c00d1e7b061588021e245ac36959dac075cb1c96da2756b56c0c

SHA512
5544b9630698250006e64d0648b449ead50f534f26ca0526e3e97cb60c55552d427aa49bbd9d37d7cd9cf2ed6efce28ad1277f13c3475426f9300fd9547af32e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
f5707a67396ca89e021ed77ca0ccd65c

SHA1
edea8adc0f1cb80a8acf6b393cccb9090d979cb5

SHA256
1060eb4320bf518dd2eb5db513b67e3355bf42e74918009b7cca812c1d9b81c6

SHA512
0964ed9b95ff9db9f2e7480fd308cae3eb6b90527480942750494ceb10bf84599fa015bce22824237ce611cbb96fe95c8222334db97986b15dc9df900113652a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
2945961e68bf2b16d9505700c7a31b98

SHA1
5adde7cf48a3ca92593f520224a33e29745a3b58

SHA256
332cbe699d417554bca23d95f1ced979cd66d39178e8d3c52eebf13db8025962

SHA512
8002116d9ba612f325550bfc3a80439ed41337157b336b2f32591c1d5095ce7dd4ccfcdd837371e4c5d0fdfa8422227f159985621029ed865f17e04570335e70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cd00a8686cd20369aaf56bdcace96b98

SHA1
bdc81591e21aa09189f93c3a174988fc490d5368

SHA256
ab8a64b9e39a723b91fcab59fc0947d7b061036e80128e453deb9ce369002d55

SHA512
04d112408ec518f042b32b034a6cb9ddf3d802dafad2f396ee02f3d61963b07993ddc611f5a45a88ebfeef8c19067313d42598c24f8c71d4761682c4ac7ee61f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f9ac22b719ab9d6143acc74c48e07fd8

SHA1
db17fd32d3dd3134c38a85d32c94bc46bb6a2d1e

SHA256
c4e88aac3d95e79326806aea96a5ecd8c180b48dc9c7b8ddedff785904ed994f

SHA512
102ced94e6eeb924d0bc6f14f0f44a4e7b6f2bf6cffd761f85188f91e02815952a8ac6cf20166458741984f7cf59391d0f923c40c801d206244e139644c04e5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
499bf30e4885c8552205a0596135e0bc

SHA1
7fb64cfda844b97165de904b027d5a23c010d0a9

SHA256
3c62b25342a3e67284fff81d3ed4934477e18f368fb4bd0d25edf79d181073fc

SHA512
e9324e8adbc1cda941e9ba0be1fb5fb68f1dce4d61187f2c6e696eca755db0bd15503fdc348d558d2e98f907c294704e78c283c29ffb0a144056dc80b0e8260f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0eecd52d4f0d3fe73ac6692abe6e11f4

SHA1
a05226edd2be7aa0030900d55d1b9b5dae95e675

SHA256
dab1df1a192523fe8df437b7cfe5cabe29357da460be8707dc2502bd38ad58e2

SHA512
6126c5531218e8da2fcd4173a1bd63f2d0f9b98ea4b5e922ed82e0ad81402e6ec2d38134f3602bb629b2db971e0a5c63632d4e90a11ad793b7ba2b8680b9d33e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
303b5096a77342b836b709aadc93b1f5

SHA1
b23864e19e6614e6af56a4d4b1c504356e8379e5

SHA256
6e4b727e0b5e201a6e974c287ca174fb3538fab59f75f86ee7d1cc487c22b436

SHA512
deb58c2c1ba58e48042d9914a51884421ca1a1dfc5c120408f6c32faa1d9f63a2be93e1dd4b6ee30ead02c8aa35b047185a8c84ef54b08226cea12189dd49a4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
27d78f6014b234bbe038cca48dfec4c5

SHA1
a21c0b63062cc5db9788c15ec76a5fe8c1fb9a24

SHA256
f498d29aaec0875b0d25e726e4230570a497c4f360313ac95b3c96a6c784a535

SHA512
f3b5ca6511e2f8445cc77f97eaab7ea34215bc69460507b9762f00d5a225e4e396803deb8b5b1e236c3a50487385100a43d91e016a12e5801ac6834c8a1c5532

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
93588adee0cb9e7051ea607d5bcd4117

SHA1
94795128682d6fe0903bb988973691fe808c01e2

SHA256
76b9f489b5393c85defff1a8fb9fc3789eb792b0c787787f8fa8d19d39578b23

SHA512
6c7e9885e390a271a0940f9821078684630f5ba4d8bd1e142c38cbb5252e56e8740d7ad0a81cf3a2b58e3cb3659df69ffb5d25c7c4afdf18f6c1e484fadcb22a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
654eb5ba5ad81225192be63d471a9ed6

SHA1
94733de8c6d25bc19f46a72bd94553d1a30c9f9b

SHA256
f7c9b876680bddb020086d891b45d55bc082a154739b1404982d85ec4fad98cc

SHA512
18926d6662728a2655eb29abcef12bf5ac2e163dfa7e4cdf2cbfdd14c4021992c6e6da6b1e921fe0da70e6bd03d0aff6ef59970d2aa616f919c7f9caa924345c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
de1605624703dbbc29e9bd5062a16a3f

SHA1
9551a006cfb5fd4bd2da547fea1f1b959beaa566

SHA256
6adaf0004fafd63c1ef3e0c62220c71322cf76e2851796b7d69c0188634b3fbc

SHA512
6c9c419724489820ff0a108e2535592d85a28e01762340f4d8718b3b78ea1fa0827b4a51cf9250178d589b0006840a600ecaa68300201e8072975adee45f4915

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0de12ff5db0b217eca17cf7bd78c5205

SHA1
a8aa8e71c20be2ba7698759b514e10c8718f8acb

SHA256
65808aaafba39016250f6608b835f685de7520e911a736e36e157f7ec5a5a286

SHA512
afc402504476d9a3df9bd1b551211e3a101f96619a4c9b97fe254ef71330f262556041218392c72657a9dab0236c2f761cbd01d22d8039eccbdc1f2a11aea485

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
34d65428dcf0ed4c78f2c0cdbbdb143e

SHA1
db9ee5297757bb784ac05fa9b6592cb05802aa0c

SHA256
e23a474bf4043027fb3fe4fd51795119757012f2bd206786bb4b16bb35add0c3

SHA512
ef6e175f65124067e16d7a234a8b85d87a6875b733bb0fdc5f319e6be0df94a09cb244d522d07a42109af859d9071fbc292bf96fc93257b600f8ba28ca503724

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
8e3360e27ba982d474cf220b45f906f2

SHA1
b00c0f92e6247f39087ffc9237e0cf928e7bb883

SHA256
9b51d8d86bb29f2640d099894ef5d057c5b9d24158d8742b66faf606b6bde98f

SHA512
c2f1c569bcf4d14c6a0c980664383458e5962ea4ace27fa1873680dbfd0e772586e19e24fed2c022b1bd9c9164407def8596f0e2bc91d5fa5eda2827e101e0b3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ef5381a232f3482e58b6cb15b4460aff

SHA1
cf6d08317e58dfa4ebc45341bde20a4c494b0ffc

SHA256
1d2fb0448151b699c2fbbf5ce4977490daf2cc34f82128a75452af798e85845b

SHA512
2296773f056f5b40e8f34548c80da8a3f023864993be609cb0778e0614825c9e6a20a9fc169a131b5af7fa51e3e8690cbb9f3dd07cf5556cec2c27a18a24c951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
fbfa0219665d0ed78a2447bd134be465

SHA1
8d468072f5e924a227c7602ca0f9706a1c7494e7

SHA256
e56377b2d8e1c7f422bb6b9e5c0909baa2444f5418df289f11fcdb7b0403da3b

SHA512
5214d8f672a97a3b498cfff4c9e6d9e78a23839de4e75ef8924db2353b8474d45391ce4034d83d6d64e6d7c64decf7da6b75118263262a400b5f26f649611e2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
de92b5a045ca274509f1dc4b04fe6c29

SHA1
e26e5336266bec049cb85077637f630ce25bbcec

SHA256
7f1b09636302c881c98f10c005d52257913296fa100ab73527b2b9e690f26e35

SHA512
ab0bab593421052d466c191e87aebc9bb71ce0285742a8f86071629146e4fc73774c4e6fb52ab82c68128e063a0a7af7d313041b306f0ce3fb3bd60adc87e38d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f09fb3662d7bbd19b498cbfd628f9672

SHA1
5250aa73b6003db4e05e8b19ec5eee0f700c324c

SHA256
6037d1f112996ff7017acbaf520c7eeadf52749799c53329fe2743879691130c

SHA512
1f07a0f66c03b4983f6a77eb4ca2657f4894caab49feee9e851e661e4e49c5364d22a48a267c02ca72faa65e5852aae29daaf473654d0f8d74c974891a5185d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b360eee41904f101426c84421c9df9c4

SHA1
3129b5f7a201e8b3dc3b3a93f65eb84b4801b4f6

SHA256
a247cbc9df525113895fa62e677ae97246751ce5ef9778753828465ae6f98b78

SHA512
ade8753699f83044b9d689183f9185a4ae1969487b77b2173f2b1f76135101b280cf5254940f8991d47300c1f7b4d325ceeffad7a2a23f7adb26ff23f701a75d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c2542cecb51306803e84394e7ea2a0d9

SHA1
4729f6129007dbe1c371f414a32bd698ec1d039c

SHA256
95d6eff1359608ada411b38ab38ec62a06c11e2bbdf5f7d2d8327d6ec2fb2267

SHA512
dbb1b31305dc09229e654630e726bbc1ec555c480fff19b664c166b86991cc21eff8fd4ba682789090ae53f69dac2a2dffe4587edcd19700cc216e2d4246cc68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
e49b90beedecbfece3f3798e84a6f0a9

SHA1
0288e69b05db9a1036d47785ab2782049a23c60a

SHA256
043c0c28e891c2c43d6c4b559ceed14c6ae99ec11a009efd7ef26b479e4a567e

SHA512
289989c77bf98825d2816b75dc7b7c0d02d667b6f814a8a187f808cfe72b17e51c7b929ee75286e8b9449b1eee7436568f3f42c21239976847288d5a53096fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
d007687a9e7c24929c28cdb34dc18a0a

SHA1
4607470eeb6163a82acc5d94ac28d8211cb4674b

SHA256
de113fbf1159d1845fed24bfaf15ab463710f4e9789aedb68419835766648c36

SHA512
38e6ee943be982b20dac1c6e4e4c1f553f9c6d410d39ab063701835a4aa98ec2173414d78610d3f9475c1af376de2f99f742d156cc406048d54a54e61f733ce6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
666fcdf9e2b5b6040bc9fb767a07ee3e

SHA1
2329c09b9e119274e84427cee332e60de18665d2

SHA256
97e91996634630bd909e237a0d8371e96f1716a3a7404d76d58be986e06fcfb0

SHA512
e09490e9956a01101e6f132de212b13f2bca2c6f1c11cd9a816078102af34329d0888c501f9ae108b99ab38629c327960048cd0ea76bf962421eeb531770126d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
a0635fd0a3d78bd2fb434dab24d8e2f8

SHA1
9c305bc016bd7b2a0833954d5b47b7cc66eb9cfe

SHA256
0a5bd913cb4586009e7e1e1625653e4eb6ac21777e16e7976833ed2ec7629f2d

SHA512
a12636310232cc8a304d9e2e27e2be00d7aabfa6f6abc42cb2f7813354ab2d15eca81feca6ef3d2a700b620ddcf1f6b421d0f2037cfbb0ab65e0f3229f3a6be4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
881b5479d009e7a402bf7f22dc3ff3c1

SHA1
0979ae6a694ba5cc28324132b3215b915ed37285

SHA256
2e77dd0394d9f36411f664403904a592783c6feba06d633575a1e9dfdf201675

SHA512
9639c0f225cf5b33e5c5c603b4e6e929b408eec27b957286fd9c372a5550374f02ad254e5b1e0cd1b043a7f9d9c1f0396c458b692ce5072832956f46be427405

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
94940e5d5c0e786e353a8ade6f2cf56d

SHA1
a705e697692ebef39593d93a7d99f57ab9ed338b

SHA256
83479cc77eacf36934dbdc196082c2056e3356519d91e73107ec9847c0963baa

SHA512
81b4938f963714e2995ccf01c4f497d74f7453aebd26561c9511139bf07139ce56976101cf7488ab3f08825f1e01ec9173ccdb155403381c9ffa4cf777bbc74e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
076decdbea5b714f139743a358bbd53b

SHA1
72b35a3642699ec9396d2902f45b3504d616df79

SHA256
c36dd3da028ee99d9583fdce40195c171e30a9976e0b06f9ba4a370bea6f4770

SHA512
3f0af9655714e0615ecd65f89017c8ca5416a0021e157861ad711a047fb6e275138d4331a08d877ee1543ef093197f8f5c20d55bfb8f6f3ac9a39bd9d5811d70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
3f49c3c3c268e47ed2af8c12053d26fb

SHA1
0f1a11a3557c24e8009e570b905b97120cfe4b5f

SHA256
cfd938498adf4092d4309ded8cad435899021cc65abd74eec78103735632d01d

SHA512
20c8e7c9355a9bd0cee34c79bb486532c279b2c9cb6f656762795dbcd7633c019449b315c0d0c88dcda6318fe44b253b85f12c324c09b99280d97999a827934c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
92e651dfab171e4f7b00af6b932c3584

SHA1
1122997d81361b4a1089359a11c7206dedd3df06

SHA256
e3256fb25c546acebe09187133706738067183337e27bf11a713163f600c8c41

SHA512
c55e24eac6b12b717f9ac76d598faf1bae94e9c6cf36222e0d13f40cad3911bdaeb7169d38c5baef39f23a78e2eecf6d3ef47427736855578d5dc47055af87aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
39249c2dcdad777bf4a98bdfcaabc0a4

SHA1
2f26bb7e47c1efbd28d5fb8593fdb3557a6558ee

SHA256
088a390949d12226f803d8111430c891486c512c74590e4602f7acf5a6105843

SHA512
0c3450219f5555e18dc0c0d92fdca1f38b3214d0f66f170d15a04944cf69c3cec1a2c41e36e143478a164d4bd937679b70e4122f1c93e0caf21cf74a093dd28e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
b4355e70c122c10e6c03aea771dcedaf

SHA1
02aff78c5ca32a2a7bba0b236e697ee7e66301b1

SHA256
ad5d3ad925c2a4f3af825f7afca4d7b1861d09778779b44a76c4b3a8a51bf44f

SHA512
50b94cb37e64917e98c6348621ca919b73d362691fda96e5ba5fb06c641398f8a7130c2fc14516c1f841331bbdb05dbbebd377d2e4e9cd1d1287fd7bcc42b70f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
09a7dc28776913753a170b45145bf789

SHA1
7850c0b6b104fdc0818407ae999f1a00395492bb

SHA256
5afe83e368280cf849755801689ea035854f126eb186032ea32aa2daa676d345

SHA512
268c03fff7a4cc9191129fa18d579453daa071d864e1557556b1c0a31f6ad7c0fca07cb09cbbce9b749125dc9ce9671d6d074c8c724597084b8ce3afbdfa475a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
72c2b4194e08bb5fe1b207d438d1e3b2

SHA1
078d3f32fb6f46f476f50708a90bae0f5841a7c2

SHA256
0f5717bbabf0b1ebb5750b9896eb1f36a0734daf89ccfe2ae7f4788e6c3ecdd5

SHA512
51d62b16604bc863c854bef22990a7fcc5ffcf0f05ee7e560231dd2d31ff4057cdb34ef51c717409c5ffa6548da1ebaf62897f94e1e013c3165af6bd7c0af90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
9a37e84fa87c5ee9c47ed79d2d259bcc

SHA1
695cd19e9c1838de974a4cbb1be17b021748ca4c

SHA256
725a1220e143a848ed9b9d930f3b813aeacb064641a12cff74f4048d1b240252

SHA512
34c1bb7a727b4d5db3656fedc91a30ee32ef3736ef41e21ddbb8f74e1a463088debc9e367748072fa9ab4ed6e53788adcb662efad624e604ae25675fe281ca50

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
e504093f25af1213804f6e0fe3432417

SHA1
b7ed0fa77c4958a9c7274f9fb00aa30f9f17d253

SHA256
cd0aa096335ae56a0b42d8e2e53a42464d60764d5362300a6f736e0cf4f1fe3e

SHA512
4669bb85ba70fb410401b3fecc9922ba932e4e8251e08a3ff740b0731eab89285450973edb8e8e76dc83d714d81f4041e92f66cfc0043fc4f887e3dcbd7c9ead

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ed9b6f5f021eb579496c319e8e4d4758

SHA1
0ece4695fb4ece4a8f73c1dc97e6d0f570bf4c09

SHA256
7469c942775ba7e91345a3cfdae837c7c27cf007f4f6ee19b6d9c9caad75f89f

SHA512
8b28721a9f9b1d5f8627c013f2a956cff4124dbbe35f1555ec76abc1994efe445f56a3956bd6b9178e8e0d90d42a480ef3e3e2fc2eb70e501898b5fba23e5810

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8a26594548b9aa064c8b3432ba1f0b54

SHA1
4739613861d6d53139cc1456d7bdeabfb62e9bb4

SHA256
ff320ebdc329ddf4edbde05d3ff7d185add28175a5e60053d98913bd5da2ed3d

SHA512
8355b4c944abd743e7dd4b508fcfdfce7ef6fa59baac83c411f58737d2c990d985d67ce481b234834198e01450e340d8e20456b88cfcd1e72500bf82eeb90a37

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1459ffa9dc3c3aef9b65cc3ee729727d

SHA1
5f08b847613032d76180ab4d13f4d05f39dcb17c

SHA256
49cfc2cdfb79a967f38e2fc1aaa325b0edb289ecb8ca469633f0f0aef0e8a1ef

SHA512
0f56e269a6e05b39e927f1a27bc7ad124d167eb7196aee3829ae2c7af0cfc93b713658292b5ba26efdf8aa0019da21d43b0b2a41a58d83aa915a3fcec18653cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
09b1b8c3af0c89a0d75139d6a41a8962

SHA1
98dd29ad9f0856fd387db2930c7e72e1adf6d484

SHA256
da1ea686dca16ed96c45692241e2105e9b82ab2c230b674a64f2979906afe4dc

SHA512
6221ec94b1e1c896017ffd5118a71531de3991e26dc58742de5d2fb3e3e02390867efbdd7bd51d0de008231de37407c9f512c9241f6140c230653b334eec42f2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0502c57acbd31ff47a46f079400aac36

SHA1
5bd9e4fc6979ddd2cb7516b9f3954138856fe9f6

SHA256
8651a1480c89af85c7995b27943259b96ef8d023d9a9aabffda3e8afdde584e3

SHA512
ecc314d60afdc83b2272c2a37f36b11033761e9978ae4d43d4fc54fd74a1237c77f03ed8a10e5c955fbb623478c2e0b6dd4c5085c84802c2f83f145800f9ccf0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0502c57acbd31ff47a46f079400aac36

SHA1
5bd9e4fc6979ddd2cb7516b9f3954138856fe9f6

SHA256
8651a1480c89af85c7995b27943259b96ef8d023d9a9aabffda3e8afdde584e3

SHA512
ecc314d60afdc83b2272c2a37f36b11033761e9978ae4d43d4fc54fd74a1237c77f03ed8a10e5c955fbb623478c2e0b6dd4c5085c84802c2f83f145800f9ccf0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
36f05065c4fc957246d7c83f0fe7cf8f

SHA1
a902978b991ecca9fbb95c760b9ceb5f9c462e34

SHA256
18a081da29ab471476366ca88f8b87ae8429eba41d2a8af126e66b2de2a9f51a

SHA512
f4861f8a5027bc52e75ec85459d3bcffc674d75873548dd3fb79ee44f2616d9844abbb2377ab4c132fe436c292ce7d2ba459059d416e2fd7691303f83fa89403

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2037699f800a1bcb7a7972211b1dda3f

SHA1
7caa0f638822d8ddae3f8553fe24fc000e33b3ab

SHA256
457337ae85a896f943b2454fee342e47248e6609f4b17954de2a2e9d0a8a06b8

SHA512
950d99df6eb4f7ee355aa91b1ea087a1488c03982ba6b6abe8f6442ecf568049f92e55235a0193f75fb70702d3c29880273f938f2bc84d1d9705163784616cf7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddaea1b31e6d861e93f7c9675b3eb05e

SHA1
66ff2405e23ee4a0175db4177ff3722f3b1bfc57

SHA256
68c801371ff3b9abc74a266454576e1e217e48f243d449143f79430587e9923b

SHA512
5e71d283a87fd702bdfbf78596a5c11d70d6f904c0a7df7fbb2508765f8c714c3febc66bc676e8998215f041e4888689fed8d53b4164983865f53e5734b640f0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddaea1b31e6d861e93f7c9675b3eb05e

SHA1
66ff2405e23ee4a0175db4177ff3722f3b1bfc57

SHA256
68c801371ff3b9abc74a266454576e1e217e48f243d449143f79430587e9923b

SHA512
5e71d283a87fd702bdfbf78596a5c11d70d6f904c0a7df7fbb2508765f8c714c3febc66bc676e8998215f041e4888689fed8d53b4164983865f53e5734b640f0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd15d94dd147e195e9f001341bf3883f

SHA1
03382d88af99a65cbb6d9966eeaf535ca24c1d88

SHA256
ad9cbb9e79dff41ea0fff5d333a4a0e8f59b23e79702eca1f66404d932b271fa

SHA512
632f29f8adb9d0b72e686509124975602b98b8b5829c34bc8e34e4ac019cf50e35875086556475292714e09007f46ca6992afa24641cb23e521c8bd5a7fe37c6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
a69b7e848a3138a1552631cf65b2ea52

SHA1
4d5bef7a904fb5db899837b26121f5f9a5322835

SHA256
2bdc1af4cffb33b0e20c9b4c1167b42b7ad6a0b3722edb85333b4cda0f35589e

SHA512
b321f5a43fcecf030dfb6e96b92a86306383590c67a6010b54467c1a581ed313b395643d593bd515712343965a5d33ebce5369069952109feb16651285dea86e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a851b4a05d90d003c087a10f3c5ece53

SHA1
a23ad313fa133bf37a5f195bd091682530675591

SHA256
8464c7d77da652ad1a03a1dfcc1aa3e0e3c0f87e428f82ba4066c181db80a960

SHA512
863c86dc38b341a2371f7aab7498ce04a7b4a0c75ce1bfb02b2b815e18f08616c4752cdb88ec84328e68f36e3dfadaccd25aae654308bd5882a73afa5424a749

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
37f9811ed2623499772f4103cfbdf269

SHA1
28758a1fec5431a7b142799ac3da9bd403728b2b

SHA256
fd4a7b920596d951ef560de64f4320f1f280ac89ba02544c47c07ff28d5424c7

SHA512
13d9a21ea83526ea96ff1ed9351c4c87b145067b95670a6b099e9986b5099fb0083b651d18e05aea65a023501b4767673264d27424f8ba342180dee27272bf5f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e613e7120b12643c999294b3f8961289

SHA1
a6efd8729ad76638fdaf8dd06739d819b93eaefa

SHA256
64c80ef2cd1a7e070b23711d1de99fa9c54b58c7e1ac4c05eee0da10f23985a5

SHA512
b4a25ec9ddd938c6eb7dbc03b0dc18109331fe97554c07fcdbebf11ddcbb0b85b749ff227feedf1ccfde311d1ff88f365ffd2f430108795e4f31a00aeaafca0c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
170557959ec5b7459a5e472c52164854

SHA1
7ceea9578bb5e61394a95e277208ee1a7c3f3497

SHA256
1c44f60595097d172479d99a73fece16874e0fd8cee8dce7b76ddb25266db8c9

SHA512
ba84f72b249e2a0b6cc00417535c1d1a04b8a307fe9b1cb52518800ff90e8641c9b65ae33cfb1e29e74529cb60d6cea5998fec10772c7f3115547041b5e908d3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ac1071d45417e39607182af76c9343e6

SHA1
8ca3608ba386819e7cf11f31ff17ef60b47eae68

SHA256
d5d8de8ded00ae56230d6fe0b55d8e672e245a3eea33945c5b454757a3900510

SHA512
10aeb0dcf30e986f7617fff5351ab92b29bc149a93515c47282ac37a63ec98e9a71088fecb7fbb82ae1c1b87e89938221cf5da8b14b51c5af27459320ad9d947

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8927f25883db1228bec5a840643521ff

SHA1
5f58c12a27b9c7b93bd8cb6b02d920617e29dbce

SHA256
7109e4f80986b8a13dd70f1d23c7fe2790a127ef1121bf13baf047228e500894

SHA512
f5477b28ea4de80d8a362b291398fe7860d0e68f058c3e41f39c9c8eb06071bc77b2625d4a4cb3e6d0903b3995e642dc09108a79b67e015dc9dfd63a65dad810

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
54a3c365a29d26fb911150d76308d339

SHA1
7355bae1f2e4f35af86e37cacb6863f087fcbfa8

SHA256
6fb1000efa2813b3f1c842768c64b51eda16e95ac5d34396e5cf126d8da22d84

SHA512
d6f14bcd9c5f1613f5f451cc709dc971375a98032d5f6431fd25fde389a8e601e89a271976eb570bdaa9a50ae3005081d848fd089f918716903ce248c2b770ba

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
27d03d339850f3a7300e4f5ecd1a85b4

SHA1
8450f73a1e68ee2d3822e4ecc3ba732d852a4050

SHA256
22e5b831f96f297fb4da88ea0dd07acbd93d8a54d06314f19584c7ec2863dfd5

SHA512
401e3a918adfb2caa04ac8313cbc792ab93377f9ec4cb5c25ba1f4d9dbb0ad6647553c61c8eb1cfc1177b276233aed3a93c3a56afd8e46195a0ac8447495eba4

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1459ffa9dc3c3aef9b65cc3ee729727d

SHA1
5f08b847613032d76180ab4d13f4d05f39dcb17c

SHA256
49cfc2cdfb79a967f38e2fc1aaa325b0edb289ecb8ca469633f0f0aef0e8a1ef

SHA512
0f56e269a6e05b39e927f1a27bc7ad124d167eb7196aee3829ae2c7af0cfc93b713658292b5ba26efdf8aa0019da21d43b0b2a41a58d83aa915a3fcec18653cf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
125e5e73f33ed0750df9b8ef70643449

SHA1
6cb44229abab7a209ece3ae56052025c4ae4f265

SHA256
ef0743889e60b27b051a2ffc47b8e859e561dc0c0204810b6a7bd24d3eeda3f8

SHA512
d7018edb198dd5057301de7494953344f5937db2ef2b4fe8ccfb7f8a9ff1ccc35ba4d1eff6806103495aa061e20cbfe69e0b441a33207958e00e2fdccc1e1418

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
bc929cf4deab469b11ca1307764aab26

SHA1
69ec396830a19e12b7030779ff22e4c9307c4093

SHA256
23f52345de4eef4ebce76265ffb2babfeae659efa3f1b74c0f4fbb015cdaf619

SHA512
1e66e37ba0697281417a374c469ed1154192ab9cb16e1a0e342ad21a3d72a3db9f9f97d3f2f13bdda28cfec9539b12eb2fa44336ebe95d7b2b327e8151a7a015

Download Submit
memory/208-119-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/208-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/208-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/208-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/228-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/228-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/912-184-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1044-131-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1044-125-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1044-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1044-132-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1044-135-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1044-138-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1384-418-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1384-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1444-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1444-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1668-149-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1668-150-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1668-417-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1668-157-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1992-438-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1992-484-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1992-558-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1992-445-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2000-102-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2000-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2000-108-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2000-169-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2096-476-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2312-481-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2432-6-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2432-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2432-7-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2432-123-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2432-264-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2432-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2948-466-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2948-468-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3372-173-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3372-174-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/3372-179-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/3372-420-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3384-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3384-85-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3384-84-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3384-148-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3480-485-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4172-563-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-611-0x000002193BA90000-0x000002193BAA0000-memory.dmp

Filesize
64KB

Download
memory/4172-597-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-627-0x000002193BA90000-0x000002193BAA0000-memory.dmp

Filesize
64KB

Download
memory/4172-626-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-621-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-610-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-564-0x000002193A5D0000-0x000002193A5E0000-memory.dmp

Filesize
64KB

Download
memory/4172-601-0x000002193A600000-0x000002193A610000-memory.dmp

Filesize
64KB

Download
memory/4172-598-0x000002193A5E0000-0x000002193A5E1000-memory.dmp

Filesize
4KB

Download
memory/4172-567-0x000002193A5C0000-0x000002193A5D0000-memory.dmp

Filesize
64KB

Download
memory/4172-600-0x000002193A600000-0x000002193A610000-memory.dmp

Filesize
64KB

Download
memory/4172-599-0x000002193A600000-0x000002193A610000-memory.dmp

Filesize
64KB

Download
memory/4172-602-0x000002193A600000-0x000002193A610000-memory.dmp

Filesize
64KB

Download
memory/4244-451-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4244-562-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4244-559-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4244-458-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4332-141-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4364-463-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4364-566-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4840-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4840-140-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4924-419-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4924-168-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4924-162-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4924-161-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-479-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4968-435-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5084-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5084-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download