06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Size

1.8MB
MD5

92587081f842ffa5646cc94e151f6482
SHA1

00745cce0dea244957ea4ab48641b9a94246fe94
SHA256

06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443
SHA512

84586e6c729676ec45f554713623b0b8ca376763745f3374fef75b7461c56706284ba976e64be330f9efe6806f0bf375ee3b55b37f3e3b05afc20637efca1fbf
SSDEEP

49152:fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WArgDUYmvFur31yAipQCtXxc0H:fvbjVkjjCAzJNU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
760	alg.exe
440	DiagnosticsHub.StandardCollector.Service.exe
2992	fxssvc.exe
2624	elevation_service.exe
1516	elevation_service.exe
2896	maintenanceservice.exe
532	msdtc.exe
2280	OSE.EXE
1548	PerceptionSimulationService.exe
4340	perfhost.exe
3408	locator.exe
1180	SensorDataService.exe
2576	snmptrap.exe
3148	spectrum.exe
3544	ssh-agent.exe
3336	TieringEngineService.exe
1560	AgentService.exe
3668	vds.exe
3864	vssvc.exe
2692	wbengine.exe
4232	WmiApSrv.exe
436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\spectrum.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ecbbffa13edbe94.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\AgentService.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\locator.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\msiexec.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\vssvc.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\System32\msdtc.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_zh-TW.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\GoogleCrashHandler.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_mr.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\psuser.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_no.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3364.tmp\GoogleUpdateBroker.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000169e97b2d02cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ceca5b2d02cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e28b84b2d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025b1aab2d02cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019a159b2d02cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f289a3b2d02cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009713adb2d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe
440	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1472	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Token: SeAuditPrivilege	2992	fxssvc.exe
Token: SeRestorePrivilege	3336	TieringEngineService.exe
Token: SeManageVolumePrivilege	3336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1560	AgentService.exe
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeBackupPrivilege	2692	wbengine.exe
Token: SeRestorePrivilege	2692	wbengine.exe
Token: SeSecurityPrivilege	2692	wbengine.exe
Token: 33	436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeDebugPrivilege	760	alg.exe
Token: SeDebugPrivilege	760	alg.exe
Token: SeDebugPrivilege	760	alg.exe
Token: SeDebugPrivilege	440	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4856	436	SearchIndexer.exe	114
PID 436 wrote to memory of 4856	436	SearchIndexer.exe	114
PID 436 wrote to memory of 1776	436	SearchIndexer.exe	115
PID 436 wrote to memory of 1776	436	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
"C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
58KB

MD5
3f159a85b20c330cc501e3aefedfa3e4

SHA1
aa6a6fa949bbd514b4d7d740dde5208d85d7287e

SHA256
bb6611ad85b37febfacc40b5a849c4ea5366a66940f923f05ebcb65982d3ab10

SHA512
fa555273355616a498c94c1ef59eff9d943d1bf8e985b62238ca4bf1b542f95c307560a3769de3565e4d07f84fbdae86f3b69bd2cce39e3dbec823e4ad687810

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
57KB

MD5
ef82fb7ff90deb9e82efe6a6e92963e1

SHA1
123a7d863f2cc5fa27caf7232f6a1f822489a427

SHA256
90bb81b5a7ce1abbeaef073b2c66c8217e0fcb8cdb994c904fa37a9df70010dc

SHA512
1e7049fedbf04da8095558fd59606c223c8f678ef7608e5af0d3dad8f3b54bfdbc4df4b27b312b3384a13c96dd1b5336c1399442c620b1cf2703a8eae7a93a9c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
65KB

MD5
f27a51d3c2281e46c53d6cee8d2cab03

SHA1
fc9514a9767351d3e2fb7e9f072feaaa728c031f

SHA256
88c7ddccbccb1337a518ec37e4a3f3153cb93da6973810bc8450fdcfd0932fe1

SHA512
b4dc2386c6ecc13faf07c934a296df0322d5514d6677fb3c892c3ac33d33e43a4789c6dd214d1233e356bc200fd3cb53a0add4b6427ddb76c33d4ddfab3c2006

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
95KB

MD5
b6a0101df93f348124f0f838834e4ede

SHA1
3ee25a78911f1009e1d3829b0cbe20a74ef75fb7

SHA256
4afc509e0feea268b0ac9275edf3af9ff118472c329924ff5c0d8df018ae7825

SHA512
a756746aa68383a448cbf0a1d7b8e77a815205fbb428929a96a77418895b5c6d6cbcf90b75a2c49892dccc13ddd61eecd3a3cc2a4f6a6edccdca8fbc3e03a275

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
76KB

MD5
fd21e98e46b419304e3f2a3ea19441fe

SHA1
77feac3e4090af2167ea55a5ecd2c0b7e3c88e9c

SHA256
2fb6bfce9b7c825f1b722137edbca42836644b679d245fdf3ea4e10a52295827

SHA512
bb620a2d33b1ff1085105fa720dc7b4f3df29e457e6fd8b7e401bdb65694bee0ec2ffe8227f4b2d10f7ff85b8f787f9f8254b682404f1326647ed2781454753b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
108KB

MD5
8e954bcb41d3f5c31ee9742f605481c2

SHA1
e3b3b75ab7cfeadb6589609e2d3921df5093693e

SHA256
17dc6b4c7ee021d8f58b901f82583803fa46ca3d75018de5914c0c6145e7f728

SHA512
b882e503dd6848ee5f4fdbd8207506e526778d65d0019c003bd2c0f59dad1240bdad28f1d4dfb31cb95a8f937973dbb93458ccbf597b45ee3100a91734be12dd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
47KB

MD5
a8f88b091854cf826a6d7438be178738

SHA1
10f82d9b8af0357c7c5c4ea8f10e232bfe733b20

SHA256
0932fa117eb88afd9d8bd969641edc3018ebde10b486ebcc6f328934eb7d56f2

SHA512
646e00518186c4f8529c3eb0e022ff751c78af2308dbbd46d04cab613ff94e69a065c83e98346b1d506f7a4053ee9dc45f6cbe309767458cbb793899cd568463

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
114KB

MD5
7e8fd18808212408a534bbd46cb397b1

SHA1
e508676fffd565330a26816704657ff29fccee1b

SHA256
aba5f90f0d0e87448aaa226c0686cff88ed91b4ff1a7e9637acb9a8fcd09311f

SHA512
4666e49609899f97467d2c6fb8d9ed08d55330517c319e8775918a3cc2b1a38894534d9dbdddd1d9cd6a55ff0a1deb4cfc57bb7a5d7398203eb0ee6dc262ba7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
94KB

MD5
857a8ce742840c7ade0c02563f149a4a

SHA1
62f8736e684df40bb26a4852f3ad2867d4726297

SHA256
15bc1e2d2fb1a08ac248cfef6b5af08d48c82dc8346e01c4d785d062d702f414

SHA512
eda5b489fba3e3d7346b5be254267e8af851ed860432a493fad5964e37eedf547ef5d0a64158d04f5422cd8fa64b4f003ec943d5d535e2482d92fbfcef63aaa2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
116KB

MD5
585c3d0950954aa63546c9da313c8d74

SHA1
f5f8648b96de51b4eb585bbdd4d92256a83b611d

SHA256
265fb2b9f1f90e447a4bd7c43cdc318eea7a8adc19fc73e0c1dad19f4d9231f4

SHA512
620842ff153921ce1dad02db42c11afeacbc1c36e9815f816b61e36512afded23be5d3e1e9ff1ef873f2e0bacdaa15aec4e96d6fe4d99cebfbdd50c98a497aaa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
129KB

MD5
89caa4c9fb0adc991815d3ac6432e242

SHA1
c3572eea28da592539d5c4f758c0577f1c7760ad

SHA256
0a9eb92e4c3cc66137db99af5b94398626c9c11d48746406ae4acc8cc6aaf6fa

SHA512
b8834cd91f0d368699cc3000ef1fd66df94756cefbe215fae2d3d6ade21d1f4972b056313db7b57cab232d8f705b567e5088631b83fb7c1d6d4310cca366d33e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
94KB

MD5
deadc430341df013d5b6d7755b59673b

SHA1
9a9cd505361d18776e01394347239e2a959cc419

SHA256
f0a1fe05d9960daaabbe8582f5ae66b77b605d79112f3c4d80d24184fba1a5ef

SHA512
900efcfeccd93e17646dcb1d9feff9ae14fed6d56ec966a2803b8cecba705719c59e136d2584930747f5c844b6b136d8c7cf0ce9878e4599e5feb618294afae4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
64KB

MD5
4445e51e547447ed01539c6ecaede351

SHA1
1da641c1e06d6d44c388bb4f3de95d90f918694e

SHA256
ddcd13499a8f6b3d9088fcda41781ab5f0e26890d5c34632a100a9123a2f6938

SHA512
3bbd559daa9bc7717a36687b14d08daddeb2f4b257e57bf3050399a1059076c891fcc54eb24f5faffe7595f7ad68e8290c8fa3b09938e779c6617b89044daa49

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
89KB

MD5
97b6686a3a93eadd5f61078b32eb9155

SHA1
3353be52bd2b73eca9adb810a95643b6de14a872

SHA256
e67109c6efd6c0099ef7ef80dd23f410593071e1e00190f5524317cfd1bab5f1

SHA512
ab00cd3f0b7454f233716eda146e4fc515c767e7e01c105751ab9cbf1d68a6e6b7e5366b12ed75e62c5eeee0c39665aaa912fee2f7708ff8ca4a4858fcde47d3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
47KB

MD5
705bd99862a6405b27de903ec2482d0d

SHA1
b0c2acf9bd1b69cc6eef4c4de59ed9d1283dada2

SHA256
c773bdf7c96465319f294baab31212f63f77ee1341a1769cf5c1ba4817e5d05e

SHA512
bffb0a3d356a2145d789531d3b3fec18e6384185723312fa62b7c9794aecfed57efeaf121ee228535f017f3dc83613858960dcc71dbb5aebfd927780784e2b58

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
102KB

MD5
1dca6f1bf68517057f7aac3e2e92d36a

SHA1
4ab926f0e2618607736c3dba1276c623686ee61b

SHA256
1ad251bd86073a687b7c5fde4a01dcb8f465035ce3f5f687277fe0d30961e02d

SHA512
743078781dee39ed7918102869e49a0cc6eece53f5a7876f1b56a3de9f875a766f3e7ae0c96e18f70904a290b312f51b4da226ac17cad8a38b24dd900b2eb25b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
165KB

MD5
0728a2d1fd8c63216e1bb5c5e1c72a80

SHA1
0dd85dd8f17f1a1ccfcd3cea7733536f750719e3

SHA256
09faf1954ab5eef22257242251cbc2b8e6c4c15b0d63b3e5c57bf4de0c8155e8

SHA512
744f93fc1653b107bfe0b861f7bd9cec03d2f4b9f53781b6cbed3c1abed31e58880d7b437a3c9cfcbc3d7e07f8c0b3adb10a3b0d44eadc702e9e9a5fbd19542c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
92KB

MD5
4a36a7a7b7e977e7e876d222ad05faf2

SHA1
559c3280e9afca4a41f9df415734c6e19ea0a214

SHA256
bc262abe01ecbfeb0f9a3e4351628538fb9644d05e1f865ab9c2de9ae6fa206b

SHA512
d356456502450b861dd86bd618fd0b5723a0b2cc95c723999bf7678c83446e56caeae1ec0eb63bef574131bd009a150d0b5e44919943475de8d6a51c2e5c4b82

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
116KB

MD5
571d58e1b930156f8e3c058b459e72a3

SHA1
383317189a8807ee981ef2c1b6d9d55993de673e

SHA256
1236af37ff8912138e116e957460dcfbc848095dd6b9e2194f0ea7d82d21c5ff

SHA512
c183c468f0b896b15b9412fe1606c5d87e077d4ce687b526c7debfbb4f28fee2a0151582bdc52711d29e391a59b6a7413f1db5e6416b93dab3c108253e481144

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
133KB

MD5
3da0826c8708ee7621cdd1e4941774ea

SHA1
4dfb40c5b694365d0d1ff8dc04757c8f035f7485

SHA256
fe21d60f559d8307f7fd408990f43eee593d1230278874f16beeae5a26fab891

SHA512
041b79592a2d6cf950b2f3d98a8497afff42c09f893e20a787ffe1c0ff31105a98324344571b3c861942148b4baef3ab8157c92dfecf283851b8afac7036b143

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
101KB

MD5
861772ad94988687e2c2a80520ca2aac

SHA1
14b16361bc001adc9eb173a595a3e345ac0faf8a

SHA256
cb7b2b853f26781ed8950c1501abb7b9bcfdcf3fab98f23a42f6c2e632ec00b2

SHA512
ae5a32388363ee1fc472bd4744ec170f7d61ffc0bbf6e7ba1a50e9556b2bd407f5b9c61b771892fbd062061096236fc8df525143c05987e609a2731ce398301d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
84KB

MD5
2707ce35366a5f81acbf506fb0fb356c

SHA1
9710c59ee33f9b66ebd4468f5a5445a29febc71e

SHA256
0c131ea792739a748c822d8cb75798487fa5d891d9d8a9992249ac4085eb6bbf

SHA512
5f0b652469c1a7cef3d95ad657d2353dfbde07f5e544a9c0681fc8ef6be9e69576e4f3efdb8194cceb932c57ad643b2a5ef2caa736111e68c271ecaadfae8d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
109KB

MD5
a5cc26c2fa01d8d40c7b7b2e91a7bd44

SHA1
bd124d1ca371f30615094eb5b85bbfcb3acc684e

SHA256
11c6ad4110e91b67b2d4b7fa43d43e78d7d5d3617077c1053e060cdff3fc5961

SHA512
d8dd5b148e580fd111513b697360d68a544ebc125815acd2a06ee0781fa8f6ebdc880b8568c70df8a15f504d0f6678ef925da67ff9c4a4761bf51951eae9a6c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
96KB

MD5
3f8040a28eb8591472d65976026ed22c

SHA1
dec34762efe9c600ae85b4d8b1a85ba0c2f266fd

SHA256
a15e73f09c27b4d1f6a1eb6a5510dcedd3bb06ff682cfb5697a9ce8f25dfbab6

SHA512
16fdb4326346cda1ceeecdcf0559424e0324a8482fbca97c31889ab00987efbe105618953b08c4a5a45a0b05b7ddf411740b9cccb5f403892e0ed95068a69cd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
112KB

MD5
494adc44f431eee79f0940e908a135b3

SHA1
6a9b58aba0a6e03345d146e94e4d94fbb336d2b1

SHA256
809cadf5474c73571bdaec3091988189691eea78d56071f3b4cff1595d6e7a70

SHA512
6cf009e0121ab826a6d386a001fbe6408348fb7c3bdc513f79c01c6be7ce47edb7f85a923d97c949a0d0da7e9ccd9ad3b033e64af7f0ec565ac48aafdd7a3314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
101KB

MD5
4f955e046e4375f53c78a19d63272ac5

SHA1
d28b926a592bf947c056a338d00c844b98dcd733

SHA256
31af6c636df00fa491c5a9607b06fc25f0aad03a52abd8cda4397430e7257a25

SHA512
4cd237b622e1e2a53dae2020188600ff02fb50e45eaa8bdf8adf7e27fae3360752253a0ad198afa2e3ca374cad0e7792f4537f10e75fed8a77b99ee43eae7736

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
69KB

MD5
d244623e3349053c2f2674b3f2ee8425

SHA1
40cd3f7ae48df44fc8b5cbef6db1b280b5689573

SHA256
0f7b3f9310b742a812048ebe699f1e9fd9b7c1e238e1acf04c149bf4eb874c85

SHA512
c1297fa69c3ff8a73ac26a404c5375bf1f06f41821aabb34664b96f5b38039d1e6d406e76a9f770f66f8f4a6ae3f6a81fc3b134ebb2965b94dc788c4e32795a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
23KB

MD5
de0131f90718fdea4c0de723938e5cb3

SHA1
16b605cd95fd0fb8200f32a2794b445e201a5282

SHA256
b733a0738b73ba14281651a43daa916433d51bcce692108091c7b9a5ed15345b

SHA512
1993d33aa342de0dee1db0d0e1aac17d2c2a40302ca791bf7f86df423b399065d40016187ea2b3e4ce7a9c9d9121a5533f5f38b4121588356bb5793aab706ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
34KB

MD5
e8eb96ef14231630bc2608a2b410bae8

SHA1
084f58ad5f89f3810995a13dd248db1d5896d335

SHA256
4593cdaaf7a41ac71ec5b1192df6dd6122a062ea9c89a215f1a79a2e648e2fae

SHA512
25f20bef98dd39c5702f1f42fe2a6b36bf1048ca2d4cf41c488f382e23aa7d1bc07f1ff8d724535dfdcd6ee9e0e6cb59c700645749fc57d7f38b4e49340ac272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
91KB

MD5
56d442462e07457d74395d6d7674adb6

SHA1
3b5bd1fe918525aae94bc99b5563a2ead59caddb

SHA256
eb530d3d3734c78bb9e9d2cb0d0cdce32c29483c351c04b8905e89b52d2c04c4

SHA512
d3ee426357fe2a2f5d70e600e2afdf3d0e40e760b9caa8a1890a0fb341e9da704af16f9e90f21a4a66b861607b93a3038186487f8170994235f6be58d5c360e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
61KB

MD5
813459479dd7edcb74c9235a0f2e15b1

SHA1
143cf648f9c29d49de4a0e5c71ff6d1ebe66066a

SHA256
d97fe1c47eb67738bd8fa137e9d0337d112f44868214c9e057438539e11a1149

SHA512
976513336672897fd8d722d37eb1e2d2d74cba0c39cb15e80ef85508fbd6a6df7c2e91d77a8c784af99b6c0821212f919915b82985babe21d33a56562e931767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
67KB

MD5
4ab175f168cf69dde27b7d6e23d4cdbe

SHA1
2d27baab3f2fb1d8f78dce556ad25d491ad07881

SHA256
0bfc7a953de41d09267deb389e743a3743c744e563ae17cb7a2691603a8ef669

SHA512
4d7b605e5e2464cdffeba7e94f39f55720337dc2664b1f479b2fa0dcbe6e9a2393264eca79a0c2d161f09558047d5e717c41782438f320d87471daf6a4f278b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
82KB

MD5
6b8cf21e590bbecf9a9f007f6f093097

SHA1
6bb1b69877732da0527791d0be013c27159d3550

SHA256
53178293117a4455b46327725d89bd2708af03087a56e44068fbd7c6482fecb0

SHA512
bcbc6d6ce3df1ac8ed723846af5d7d42b5ad97d7acdd82edf2d0b205dec92e684e54e636e80058408d6bfec1cf8db1ae42d2063dbe0095400a0239fc6e443511

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
40KB

MD5
3c191f4eb2c3c7747af80111ca52fde9

SHA1
17ed2ea1849b49a7b7bccf6a8115a118950c805a

SHA256
156f96726b09c3dfcc97a7becda4b01f363894024dcbe1c23d50e9d3521b44bd

SHA512
25acb55aa7bd79738d063563d2b04043ace1f138d82c232cffc8cd6e038bc9d175134f747ce04e8ee7608db0741ddb0ce513e0a4857af9b1f4cb1e286d630aa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
81KB

MD5
5423267f94b8fee371536a464a00c7f7

SHA1
cdf1051b8a772762791d3a33b2732c80dc2e5556

SHA256
3e25359b335e40411561cc5762a3bdb229ce785cd02fc60ffb2abcc169317c3a

SHA512
3c87d73217270604823403a84852cbca5000df509423261bedda4107394ee4f9cd7cb188a940ae6f9d60ba7c367c77c66cceef08f3623cc7c1a7ab1faa5c2cde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
83KB

MD5
70055d7e0c590379d2bfd8c979d7fe91

SHA1
dd1d6801492c236bc3fefc8bd00ee5f9e0062f97

SHA256
1701cbd65ae57e42de68d3c87dff531ae49459919e0f41890cfe1747fb2ba92e

SHA512
d4fa3b662c29f6ea5dffb9486c9c411edf1c1c71e280cdb06cabc2f02086ab1930af83b45f77742262efb818c6dea26b25469fe1593d8a70f3c376a046fc6c0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
98KB

MD5
c80661d81115724a5463e080cae11e97

SHA1
30ed5af0088f7ca5ed76482c678089dbc0b6c169

SHA256
ee0127385ab675cb156c64af1ea3e4eff7ae0db3da25c598393cd563964a3068

SHA512
e9a6c1e30df8f6fea60f1c06a8123a9acad35920cf17c114c62b2b3fc47ac718c0652f7cb8fbf7e15e422561e1d21ea48a26f5d9299b3ed4432cc36eb129194f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
108KB

MD5
fc58007184bf18a2749c6ba3bc665361

SHA1
e15c290cebb084cd4a9f68ecb0fd6b37581c761b

SHA256
aa16115568a9df57ae7f0ea69e4ae3e76180db3201b3036ea15ed490f14d7385

SHA512
8b351d56199166d23252685e6df824475bbd04ee8391514974d74f64366085e051a62254fa1572e0cbe928f6d4ed52eea1208f39be0de84a7e0437218c33d0d9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
57KB

MD5
bd163aa9ae6f0e980aef532f6b363b24

SHA1
34bac81cd3e5b6f77cb7b13d32efe1412b6f692f

SHA256
b668ec7cbbaa292ecc053a8142302a5a3609c0e7922f160bd14e117265628594

SHA512
6a85007fe393652bc2705f858a3d1b429790fa221d6d1c2c87652b217cf5a8388554f35c3627eb8474647531a93dc4763b738e36a26ece5d290789e35fe802c5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
57KB

MD5
7ea800ed882323da99d747cda40fa4e8

SHA1
6dd3d07cae79ae0bdc3a6be11f2db07426200afd

SHA256
7cc2346f460c83a51de2a1192bb318dec8ca5d675cbc02e7a4b799eda292a74f

SHA512
5e064ce378ba32b16d6fdce0b7835621f80a5740f33f35912b91f8ccb9f537b8d8bd76b76d2564642741cf41f3ff04f510cc00c941f7169befb14126a4c55671

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
29KB

MD5
43e967a9feed0ae88afe272e0f2f4e25

SHA1
625bae5bb28ace9c0cb33a857d25e6252e802ece

SHA256
2fc3dfdc8cc15b3f231233db1ef6c4470d917b51b24d4f41217e473993caee99

SHA512
dde12a8032152b707188603f127788ab7b626ac9774e49af28481269edcbd71438687bfbc08041c5d9811941c3716963ce74680a0f5df4dcf8ec6059d80d1f74

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
192KB

MD5
7add1568deff6455cef45fbc166e7c95

SHA1
f4db467a4f14d768a142a8d052fff45603f1189d

SHA256
ca6aadfc8bd495db7ab82d36d8606ac89f865c0daa0c2ede70125f043387f451

SHA512
ce6be727c3a533a509eb3c2dea7aa992210a2ccc1079c2d5c1255df486f618daf7ec15d8498bf0b7a55c5db39c91ee75b71a759e925dce6d50c7764db24b2bd2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
186KB

MD5
8d9300384aa25ccf2ee0a2c2ef2ef8d3

SHA1
c13c1528855f27ba75cad8bce56d0044febdb385

SHA256
51aa15ca7be8cadf81954d45729e8ab7cae98c56565a445b2d5780515c192598

SHA512
6306ed9252a36fa665a4747e15a65b3bf388655652e62eb34e8a6874d0b99afa06a073960597725cd18983b859d9a3be8a0eb13c3c65a82b005e04e98436d847

Download Submit
C:\Windows\System32\Locator.exe

Filesize
150KB

MD5
abafed48d0d49016f1ff000eebfdcc9a

SHA1
2b673d773d54d96114456b4e93885412e2873600

SHA256
70b9536d2eac303f07f5e220a16b5c30970ee3175db389390cd164b90db880bb

SHA512
9d75be913fb2e352a5d08129d0ace662d8b98f87689446d438f2286af722387844d783d305443b22a024408b40ceae6f069a46b2a9055890ef42088f8c67888d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
77KB

MD5
aee87e22aa761446b75335f96b985e69

SHA1
e8410573d5f2d8201ff9e88b0ffef2da49c498eb

SHA256
4fa2199dfb6af8f640feed370bf14981d277a0b47a3074b8599a628e759848b5

SHA512
7a03b579d84ee90e6c49ee99b554047ab2ce7522d922d67ca9f62c9a8255b6f592215862952078c5c8a20fd687b706c059f4ae4f87a7d9e537fad7221d9f221b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
46KB

MD5
a9e17116c882eae3d167f4f82e0677fe

SHA1
5f0533427ea09f6d89b5acaaeae689bfe2494a1e

SHA256
d872def181f6ef11e0becf4e5151ccafef602d49d89e69861c870f4d00c98c6d

SHA512
207b2dfbb9bb766192b811e8e49a9c0cc5ba40344fd38e8ef1ff37ba406603608836f2f30c58eacb661b636427114e0e9c9485cb8bdc5b40dbfaced85e8fa073

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
127KB

MD5
8bd36fde4aa1f8348367c11e2649036e

SHA1
154266f750a2a9cbcf2466f4220c0dc2a7f01f8d

SHA256
db05aa55384cd7fcbbadc3c23f8f00754bb4998501394bf49bebcecf762f9741

SHA512
082eeb86d2ead7e605bc7634856c0491634e74b4d2bd304a41bcf5321b17db3e4b7e99563babbf5f5ca8aab5d04cf4076f948b29e6683f2f30881e8c3b181a8d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
38KB

MD5
ccfa435b31e35a104c81492a0a4eb840

SHA1
301f3371bf4d4e4d8dcfc2c60ccf8e8949781f30

SHA256
d9deb31ee4da4a8b1bb027acd33418ba84376a1c3dd2a3c1678d6f2186862d38

SHA512
cabbb660d639c373d993b019eaee8ba0da55e781f1429c18fcb38b7ef62e8e5b2e6cdaf6de0a712f2b51b891cb726f9f7247862e3ea7d10e46754605dc13d5ff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
143KB

MD5
08566b8a1543abe41e7e4eb845104a6e

SHA1
94877a8e184622ea698cbfae8384e5296f4626bd

SHA256
1c0faff1c615383e02c9152ef67044592ef15bc9ef0d72a39b574beb38bc54de

SHA512
d286bb76104fbaa8f11848e30c8e824624a920bcbc22b25be838cdb546c66b72ac896e79e5ad7ea26e4fb50349fff32047dc0177c51eaf278046aef9641cc890

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
183KB

MD5
766b1141b883e5e1646f887363c1c280

SHA1
5b2f331b1f8c3a1bf6acd968402b405e4c1d32e4

SHA256
88454082a967d757811ec4a122a909228860d28a820809965c5ec50b6ce54c35

SHA512
5fd1df9a0358f89a5975b9cffa762508618d21a3b4c00108cd953c3a0176449e753f97bee8dc8eb41afb4a83a7a174190fefdbe8091fdda2c5502a68ce19406c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
2KB

MD5
482363930fd3f14f06b3306037dde4f9

SHA1
2867d487884266e2cc8ac141ff281a5c1f43c5e3

SHA256
5677ae6341f191b7a318eb9353d2a108ad7fda62b9cd0e2d35af9b45fce860d3

SHA512
ccb4ec18ef575d539b738011740101cf0948b4250392e4774f2e782cdd2c7669987c78be15bd22b38effc6f459c14c4d7a6133c450b431118c5897b169d8a96f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
68KB

MD5
c473a80123fd68c7d08c460df3deeb11

SHA1
c9f45873108a8e14a1139572d5cfc5812235af9d

SHA256
7c3a3e13d0887ff558eee85e441dfcfaf28bf7cefaf52581ab216c88b6dbe076

SHA512
3055fd3106c480453881e3ec92d12698c23cb8a4468d559acd91c105128a2bbe1d52408985c5d4533ebdc471640440c4d733169bebef08e5015336d3fad55473

Download Submit
C:\Windows\System32\alg.exe

Filesize
527KB

MD5
95f8c8f22fb69a50418e6d4519112f19

SHA1
331d4ecd97fbf1348d4eebb6fee59e3598fabb70

SHA256
8622277f586128dfd3947b33e281b11411767efa664744580982e2eb83124794

SHA512
109fc8dbf44925961948c34992c3174c7560ae600a5c5a28efebacf6e66bbe3a9ab3558e433e509a81549a34e00fe61983dcf3d7dc7c2321cb59c0ae2523fc69

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
51KB

MD5
c90101dab44d70478bf39e4ace647ab2

SHA1
3a088abba88c152bd30f044f5107eda5d171f382

SHA256
75958352dc0a1193553e35b72151eb1442cb2de94b0372dbf627cee91f728181

SHA512
27b6a01158cc4ad919dc1c558cf6d21478395fb2866e5f8985b25c56da89dafc03e854b597bb1521992cace4297ea3b3bcc69f67681a4a3e34bc53cd53ab76bb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
32KB

MD5
cfc508bf1e7eb6ad6d6637b4346d503c

SHA1
81d3adf9d10a0ec423d63c0749eefee6a14d392d

SHA256
d021a9814b710ead392c6471e793f6ad55ef6c02974d63ab6dc4cf60e94f121b

SHA512
1f01301e0e50c0073cf3d49a2115f5607551320255bb9a2d17413dbb9f2f9b9ac5defc0c8245ed69af44830cb37e909844217f2f4767e94eb77ae6454395c1a3

Download Submit
C:\Windows\System32\vds.exe

Filesize
88KB

MD5
6a0f0e115c93183b01fbbc0768e1a32c

SHA1
a17793a4a4ac54e11184ef234fe318a228a313a2

SHA256
b58af49e04e0501a6ddd1c2ec1c8ef72b69466cbf8b89f292edd605a21219bcf

SHA512
3e1058aed7551e64851a444462081220153637dad4ee160aacdff5cc964cd9c64b8546e51967840410c97ac604705309af17f3b3f9d54b0b6c96ffeb278c65d2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
169KB

MD5
2ec66cc2fdd49bc74b1d00917e598853

SHA1
d066b02028bcacb646d1f5b95afb63cf4eba6215

SHA256
2a4775bec3079ff1288be27700b3cc54d97ba9124d9a9d1caf9c3a46678ed97d

SHA512
92db81f7936f6bb94ca7c687acb127025c494c7f422fa152ddf34211c00433e9b47eb00b5e0026070522c00793b807b853ee65aada3862b50ca606fed92ffc76

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
243KB

MD5
a904f1b5d18538eeeeb409c9c6361c1d

SHA1
c358470ad5b250ad644f867c1ab16bc14a064fb2

SHA256
c30bf025e05eb845994f135b804bd34cf587fb2944ba1cd8fb4303a75c68c8bb

SHA512
c8354beea6bcbc344ffc8c71e46b3105e9650ade7988bc928fce31e2ae8e7921298606e69b7bcf4679c416bca19acea258fb2e761954374f35a3ed57e7d6e520

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
98KB

MD5
bb4b39563d866bbb0403afb7a58558fc

SHA1
2e38b69c05282c9b8ad434e4055bdbbfe35c4690

SHA256
aa78275b17840ddcf5de2b7cb29619bfc001ae638e80eaa98bae3b77f6ca1028

SHA512
6f6d4def7f3db4481fc3a7ed20853f0f74b74d0e447e55ac0099aaa8d218f6fbad42ff0c02585dbd6b258770afe97dad401e7119c0e29e17fa1474f4629c134a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
141KB

MD5
0eba03336d503a620049ea1b6b04ef63

SHA1
da35963ade4102766b5c4b4f0c5703f90663dfea

SHA256
0c46775d756c2faab121331d53cbd2dd6aab0c848da2cb0ed681f19c7d48b898

SHA512
cf2351d47faecc636a6909124870aa8d9697e74bace1c1948370374747c84d56b0895b065c6f5de226c0a0bb05bc273e035f1ea65c35f29e1d7cb6fcf6d6d336

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
158KB

MD5
3da9a2310c8d12622971704f54dae9f0

SHA1
aa40fb50c86d600546cb55bfefd11e8fca9bf2e6

SHA256
0b8edd1555765e44c0bb972e30a04a3bf7398cbadd0ff1422e002209372f44ca

SHA512
10514bc3ebcf78845b8a828057056e062a820ad2155a4324513a33e107d2b28088ba2db04fffa349d38d87d904a2b9fd11d64bc17511eda2a39c8ae4db5d148f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
85KB

MD5
855eb1f9e2bc96262b5b6a5483e7ddff

SHA1
f2c1d5c8e2e9b1b4186c1055d1ccc3ffb3096f70

SHA256
ba52d1586ff9b9278f4f0d04ff99003449e82ae8dc60b6ad858c3f0971dccf29

SHA512
8e00047392ea10303d3925249ba24ee77af29bf6745e6f7b6bdcc47fb7f8d470180e5c510ab7892cf25826164f56230c7cf179d9f7b14d23bbd016cf1c63a471

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
92KB

MD5
dfce6a5cf0c98e8459a14e352e9cfe61

SHA1
e739240bf6abcdda50bab30765eab7f6523da549

SHA256
0495bdfde24ba88c682b00aa21cb62a642742fac5873f82853b3419c6736a528

SHA512
017441a1ae0329007445798aab128c480c170cc57530115fc7304bcedc36426145e456070f88faeddd0b500424b8e3a65a60a9f8e0e6df45cb99114c3960b478

Download Submit
C:\odt\office2016setup.exe

Filesize
85KB

MD5
9bface4f84ee49a81446948a15187eb1

SHA1
dc4074b7349ab37032afb4fc205fc1d6eb4db20d

SHA256
c2abca46ce64b52a10e6fa52ede9bc107cc67d6aa1180f4d00cd4e0818ddee52

SHA512
12d09a981ec1ba71e158bba03edd1609894405ed3c5d1191e2e0caf505868aea2510826db07eaa952130c3f6cbf331cc4ded51eee265bf8c92beefcfdb491550

Download Submit
memory/436-363-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/436-370-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/440-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/440-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/440-159-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/440-94-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/532-161-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/532-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/532-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/532-169-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/760-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/760-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/760-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/760-87-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/760-86-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1180-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1180-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1180-235-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1472-649-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-129-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1472-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1472-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1516-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1516-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1516-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1516-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1548-189-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1548-198-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1548-252-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1560-307-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1560-302-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1560-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1776-694-0x000001EF521D0000-0x000001EF521E0000-memory.dmp

Filesize
64KB

Download
memory/2280-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2280-185-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2280-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2576-249-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2576-309-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2576-243-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2624-188-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2624-117-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2624-125-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2624-118-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2692-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2692-346-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2896-142-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2896-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2896-145-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2896-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2896-157-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2992-114-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2992-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2992-105-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2992-111-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2992-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3148-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3148-262-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3148-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3336-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3336-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3336-288-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3408-222-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3408-215-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3408-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3544-268-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3544-276-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3544-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-569-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3668-318-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3668-310-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3864-332-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3864-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4232-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4232-358-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4340-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4340-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4340-211-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download