8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
Size

1.8MB
MD5

1d11d8f4fe1eb214c58c190b3b371053
SHA1

91ce7878d66154011dd4ca602b3729ee551349f7
SHA256

8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb
SHA512

10bc3a7e16cd23b3204032aa53e0baa681346acac4a4afb16c1853e5ca28fb15b097e85cbe8dde333ddedb5acf0e35872885c19be276694d91ce885c32d0b4da
SSDEEP

49152:nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAsgDUYmvFur31yAipQCtXxc0H:nvbjVkjjCAzJWU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
972	alg.exe
208	DiagnosticsHub.StandardCollector.Service.exe
3224	fxssvc.exe
4592	elevation_service.exe
4108	elevation_service.exe
1728	maintenanceservice.exe
5040	msdtc.exe
1004	OSE.EXE
3708	PerceptionSimulationService.exe
4440	perfhost.exe
2644	locator.exe
5016	SensorDataService.exe
3784	snmptrap.exe
4552	spectrum.exe
1972	ssh-agent.exe
4492	TieringEngineService.exe
2796	AgentService.exe
3728	vds.exe
2996	vssvc.exe
60	wbengine.exe
4348	WmiApSrv.exe
3140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\934763f78ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_it.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_fil.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_ko.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_sv.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_te.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_es-419.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_de.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_cs.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM49BB.tmp\goopdateres_fi.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd5ce5d2fc32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8c2a9d2fc32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e5580d3fc32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d80cf6d2fc32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001321cd3fc32da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1444	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
Token: SeAuditPrivilege	3224	fxssvc.exe
Token: SeRestorePrivilege	4492	TieringEngineService.exe
Token: SeManageVolumePrivilege	4492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2796	AgentService.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeBackupPrivilege	60	wbengine.exe
Token: SeRestorePrivilege	60	wbengine.exe
Token: SeSecurityPrivilege	60	wbengine.exe
Token: 33	3140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeDebugPrivilege	972	alg.exe
Token: SeDebugPrivilege	972	alg.exe
Token: SeDebugPrivilege	972	alg.exe
Token: SeDebugPrivilege	208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 5136	3140	SearchIndexer.exe	114
PID 3140 wrote to memory of 5136	3140	SearchIndexer.exe	114
PID 3140 wrote to memory of 5164	3140	SearchIndexer.exe	113
PID 3140 wrote to memory of 5164	3140	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
"C:\Users\Admin\AppData\Local\Temp\8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
104KB

MD5
1d3d98732c0ac8a801c9eddb833bcb27

SHA1
7dacc43eb40fce6ae87c3258edac3e64f6dff9a6

SHA256
fdbe6f87cc4ae74ee0543391ac365de535577758d7722a10ebf89d4826b0d2c1

SHA512
f1f5883a1d93886c499727007ceead2c088878715f1455f6edf4a19ba50c99ea50c46ce6b10d89e677255aec42afe61835190442a63cd01b721fedb7440c7963

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
107KB

MD5
94dd5196b073bc7d8a3f47bd5517accf

SHA1
c9f7c466025da477c8ab45c8872136123a55e299

SHA256
fcdb6baf6b01292e2eb3f4fe8339097a3fcb3c5da23cbef189dc99a8d3c993be

SHA512
153f0fc34987cbea1ccc9dd86dedece9625dddd5c8d295c6b83e0e3c5690f0ca73a125b38244f049b51478d9e1f2eae3d2c6d3d5d5064f79e1b35a61924c7b18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
67KB

MD5
ffd12736ea10a147a2522f6d7400684f

SHA1
0681aacb52cd4b6ff88ebcf03cb8eb48b58935c6

SHA256
1dd4e4632c0e48897c775ee112a4394ce7d71d031a341a5f959129c156460414

SHA512
f0b11bb4ac537c466964a416ef6d803ddee1f2836e654361e4c6f7326da73671c8689dbee0af41459d3f058d94cfcbf6ec174a7c4d74cbe0332de01e292badb9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
92KB

MD5
fc83730987d0d3aa3b85ba9ad7bec8a8

SHA1
d43cf7417dbb27399bd47f5ba15e4eee1defab5f

SHA256
057a85fecdd5cabb002b353ca125567ad9798f11da53ae24126a16713771a3ba

SHA512
8e0b08e4f5ad21659daac92085cf2979360a171f46d399abe2253d16026d6c197e63627374077a2e2b410192549591366002ccd8b66cb75bdb4fda2dc89d4d52

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
63KB

MD5
5fc3c0554915769504a3b78d8efa13de

SHA1
9d1c775341e66708a51ffb661f1087cd86c543c0

SHA256
2b5dfed736d2e7d0fa9fc0dc1c5bc4c870130f33dfbe7034221fcc9dec03bade

SHA512
533bcda56b1a07bdb217705713b96cac4bc2320024d4dd924d4b11d689932772df7052c716c8688f2c6f6fc73db8cc5f5021e4f54c51d39e15c1983653a45177

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
51KB

MD5
a53167115d938c879fd81b1cdca032e2

SHA1
39e99f0e16d20d74cd173bcc56b6791a15e205e8

SHA256
02886def806dfee3e8aa4e979254b57f811069aeb0444d4ed2c608b18f7ebd0a

SHA512
3d1063fd3c34a50fdb968c7db2d20926724a98e510b321404fb30e7641daa4ef123484c0aad7d57a28cf9fbf1f860799f451b78817ded4a495fa5f539cb2804b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
88KB

MD5
b5c306a492eb4bee89de6e9aaf3e3309

SHA1
b0b9232d88ce71271f66d47ff9d4a16a0615bffb

SHA256
df8bf9fb9aeaa9d7094cc058af612fdb9accb69c5bd95e489fdb5eb0e3d1d157

SHA512
88f1280c37a15c05e3e31beb2dfb5e468ea42895ffd5a139fb83d51ab8837075feadc5f3fa8f9eba88996139920ccf8cb1ef59be696c323ffbdea21a34507979

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
88KB

MD5
c5e3e8cde9d64b30386d431f2e30171e

SHA1
dc1346ef90d942bf0ba68bad5edea566892ed4e4

SHA256
f14c4d81d560ba66214fd3deee803619b67a325daff0d1bd0290bb148c5ff1ae

SHA512
28f8013c19653b7d7703f9d835f94e3162eab964c3e0791fb3d977e1a80ab5d58ab3f620ac5a863dbc41d26ca73d63188d22fecd0890fbc8623d535fe7900e4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
78KB

MD5
56c59b392e181fc567b5cc4338392a6f

SHA1
7e9bcff2e36218e4f43bb0f4bdc50debe8b8ea38

SHA256
ff3211d100313d98e5c8dbb69f9fa499e5a0589e7a7f47a59ac4a5790817496c

SHA512
9e791f2a81b4219225e029f1850630832150ea4b2f67c38725eb0771057455fc56f7fa007747f7ddc1e4fb3305622d6e3b926244054a9231e9c995c7cedb1e8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
79KB

MD5
aa97d869d330f96d92a1bbacd9acac46

SHA1
e14a3d3e4f8a426b345297fcc2cecb2d8f16453f

SHA256
403d9fbac469c1ae0b94e30ad788ff9d2f2f08dd68e07bf9e2198c5f2ec72a13

SHA512
a63ca6a0b21e814c9c632b1697b370f823ad29bda9e744ca7d86b31b34911a369affd4556f0c46711bc2f096a319d9271465bb9d95ef74a096a4282de9777e79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
32KB

MD5
5b17b6519543148f30cc30fcbc11b2ee

SHA1
fdc3f2ca951cfa50008496bb124e355992f57af9

SHA256
32e98fb056efe3ffc367d87d94a73af011e3c941dcdb28dffae0edc14655ce5f

SHA512
bb45f6d2e280b96ad0df4fbc757e1783732304eacf74ba26474ec3422103b22dfaacb5451026996c0859c8124201a4c118a6286c2c5c74c3fce2241df5693814

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
59KB

MD5
1a738e17fd6dd363a5a16ad994434fc9

SHA1
25763609a3fa6b73dc4dc61c1f2986e37605a370

SHA256
eb3f9c5887052ad6f114d6bf693a834c1bd5953088e707666cb21675537cc33f

SHA512
fc001a683ec9c1a1e0e92a809f112027c3e56e331b02f39a771f253843a00035226465fa6db13223d452cfd2927081dd9b2966018ea8fa8d7a1f069455d92fcd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
64KB

MD5
adf987f8086d37457ac4fe7599101bdc

SHA1
e22f6b447070feee72badb6412c9f6e8a93a582e

SHA256
79657042d10ddd9b54b91892c3b5d5df845b6bde2e74652ea2e7028bb17be749

SHA512
7a1c5461537c1ee9a4aff73036848d85d8c3e6eb205965d799261444cab8a781f02fdc04514f1ac53127fe71729466f8e62d94a732e7782a78b88a22f553faaf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
57KB

MD5
b467ac93e9729e499d5fdb177f353e2a

SHA1
c0b5fd138e5c5a1543bbf6ca01dc6904bb8f5a7a

SHA256
e2e70b18b491409ce1e140f387c651a4172e30852c5b220ef003129ba0140efa

SHA512
7e3eaab7b89f4aa5561d4e661739428376c2b3d62e0a61a1e8bbfdb9b03de965705b6c3b8e17883be888c3417e267cbda4c5361cef4d115a386aab5fd12a13cd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
69KB

MD5
a26d49cff2e2e875d1a398f578df2ce5

SHA1
d385b5cff1735e8251c2563418c006baddff313c

SHA256
3ad65876b213b09410c0cd016dfd378fe0b4524b3e50c24e0f7eab63ee0cb5e2

SHA512
730cc80cc5459753d984e83e6e7728fe841b4d574b9667c31ea70534371cc68908d1c027712d1b73fafb6b99d10382a1e256bf731b5838a5986d9fdff63ca682

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
92KB

MD5
4df9cc31e6f6b3550964064d5f4501b9

SHA1
1e192ac03c98b54bb8fbda09c95aabbcb9fa0a29

SHA256
91ecd8ac949df533ab2faa5afeba47c5da908c4a930bc2dab5ba5a6e6c3ba1d7

SHA512
9d1f53f3ded4c021cec57f0409ad07ad6807674a5a82de8dd91fdf15e696fd9147b279dd2c6cdabf50630f8a46aab31f1db9b212bcd308e8f2e2c6b379acdd5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
56KB

MD5
b56599d0a60428a72e1c16a25a226533

SHA1
cc1dac7e2dc1ab61f8a61aafe59d212c5898c3b3

SHA256
b29a2fb2de43fc91fb15e5222d7bc4779495899f922d95456c913b0f432abef9

SHA512
bce892d0fe4cb88d0c74c039579a17c18f3ea3813add61208ce4133762ed9ecf3b3f03954f934e7982d4edbabd0d8111eca2920a77bdf1aa1d41eda354968b94

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
54KB

MD5
2b66845e1edd0bf907efe37937835fdb

SHA1
f82789bb9d5a7f90aed49485fbe7d8c52e817d71

SHA256
df00a8ea4317db9274bfb517b4574d255de8cab1d8cddd1a78fd63378064881c

SHA512
429f2f233063a9b61809a9a7b1c294b32a39478773734cb1b7df75991a0ffaf11bcf3f995a6d51b15e3422cdc1ca88b43dce8b9a5bc795cd41d0c472c98317d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
123KB

MD5
880768d139b797e75839dd9458aa0fe6

SHA1
3ed62a562e6c4e66c5e9b1d6bb6234621496ded3

SHA256
a55c8faa07912a2bbca8801dcb1a9475c5d959568aad75a6dadf187a2c2aad12

SHA512
200a7db557043bb3970d656f1c16e3a363387ae00676719cd92137766fb3cd96a633b357acf9e5ea99d8e154dbe64216e3410ddbb42bdfdbfec55e3861484c29

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
91KB

MD5
4de3812319ce9c07a7c3272d0d1d4012

SHA1
efb3588e6739949a0155ac714d01cdf8d445d728

SHA256
9461a8505441cee56125469bd2548ecf973d5b2d619401bdd743f679edb07c6d

SHA512
ab9bc13bbdcfdb2b8635a5c8db09ccc5a20925e47e805dfe42a6c81b2f66b95f027fe7b641a4f2ded6d0ca486487782b04e192856d05356678b2e9a8589f1d91

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
69KB

MD5
339cf6798aaa0b528d2580dd0110e059

SHA1
a5e27e46519f13663ecb351a2f56862d7601b191

SHA256
4bba4e0cd890b016b900283a1e59fad71dadaa2f5c8dcce2256ff71f3d8b5051

SHA512
cfcc15ec2e5b251ddaece9a5e027acc9dc0875bb1d947a5f3b289f8a4cc734fe278343b2305bd612638788d24100435b0d49c0e66b287668623020ab89b8f144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
82KB

MD5
7a53c5a1502c0f82bef2383b5530eddf

SHA1
25c77d8e09a150dbf269b5b365d7a0d95af58c42

SHA256
27328e817f49b4ae3b4befa1b35d706c2463b154527ba83ab95214ae7c74905a

SHA512
fe6541cf77627c7b3e26f0ebb4a655bd936bf64465e245ec78708cff4f30d0547b179383a535b57cd991cca689d84f244791cf015d203501c9e17ccbaeb90c02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
50KB

MD5
c78d169db2456d3eb008a13edfcf68b7

SHA1
292d761eaeb39422caa7ccc9da36e2732ca50f02

SHA256
7001c61398589e2ba305fdcef4afa6b5fba356437cb882cfc78c7468f1f8c978

SHA512
7c492ed3ad86fb815fe6178a4b19dd3d901c5072b1bb9f075b5732e56576153151c12e7ac54f44c32b0ca4c46f9496e2901b88e3345b16641cdb9f114777e4a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
60KB

MD5
d0028cd1396b9d56b46b0338afea9aaf

SHA1
f4217620f6988cadc17ad569e243f3ffebb9ad77

SHA256
e910eafae2599da617a8fed4f7eef3890fe5ed5edeb52dac174b9b9de534b415

SHA512
cb0826ecb0ceb51a4a5344135cfd3f566da919df99bbeb536cab11ddb0863c5e49b8a6ac652bd76e370b2d14ed38b7e460ed70e843c392304ba457c16ebf47d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
63KB

MD5
4205271ce886663b1f756123e9f721ba

SHA1
486c3f7f6b8df64dcce1b71b7430ecf8a0bfea88

SHA256
a302ff0c0208646287024f0ed5079c8c46f391c0397eeb725b102833def33fe5

SHA512
f4b6216af35af1812db6632fdaf9ba37e7c0090327d50eb6089e228e5ab9fa0c740f24136fe079ed98142d8e780c9cb5e6c31adef8e67439478850cde50cc302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
35KB

MD5
e225c779a85535a96668abe5eb4a1ec2

SHA1
df0484fa7829889c8b6d08f715dcfdf6a76595f1

SHA256
ffb81c5ea31d2c7126e5f8bbdd9bd37d28b584f480b4c32d6540e784d6996242

SHA512
2231901b9ae3bd4fea6d4de3df1b2ceda2b1a11507970b7a99d1d22971639372f31b758539e9cb70a87b76f3e264e64a31318f098936b7e90eacac845c96e022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
45KB

MD5
d2d2d3ddc2b9455c28ca3c431b158fac

SHA1
80f5760c712717dab44ee8d8f0cec92ed6fae4cd

SHA256
c402c532059f68427c2c54535f922b54ec24868909ad3297a41c9e6406142011

SHA512
9f37e28e845c678acec990592328861791d860e1e551fe4eb4ed1006eb3127fe11cbe4258b3cf8842e6a4dcabc8d00208ade5c77845a2027a147a781dec13f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
92KB

MD5
12f1f893a08d1112867158ff6fcbad36

SHA1
67465adcd953297911b3d37b89b3d3f2b4b0f92d

SHA256
0a3bded08e0e2cc44ea2ed6007ea0485d09364ffc74f65b7e9ceb179eb57eb29

SHA512
1bbfa24997dedd61fce9ddb6c1d54532ba7cfc96ce7205d4990b18d08790d1f4317581fb029c0fb912563b42db448a08a52048f130e8e498c443bc11db9d4fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
55KB

MD5
43cb16eedb7d2c7e3a6a8f7a6f29fbe5

SHA1
0fc05498547a18ff54ad95f1131032d558174654

SHA256
d0bbee0896d952c3a21706c44bea08dbec396b24787786583b16b8be3a79eafa

SHA512
832292a1fed84ede10dc68483c6f66f818f48e2b692480ad0015cda0b8afe7d246d0fe117a5ba6a176f5e1e644bd6a3b99ff1fa53c629dc6245b01d5325c4fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
43KB

MD5
ed076cf3745d7eed49c51a55f7f93a12

SHA1
903035b2487838a54af97c4b318e3e2d6fe94cb2

SHA256
7c11c996c74c4bdfe6789ef23b07388e768f294e83f6211e193497a494dd2b05

SHA512
669d7a891a7c312249db32b5df7479bb185ec7f0b3d1ec5c002b4d6ece395c026850bfeaedf537bd7e920d9ccca964212964db876511ac528f8a25e4507df674

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
64KB

MD5
4c3d5bd69afe1a56439d31ae55065916

SHA1
d7ca5fc773b0d0ef64f41d06c48069974d68678c

SHA256
116940bba3826a87f9064ed99565fbbb7e5a6ee295c55716fb94ac920562c752

SHA512
578f12b5cba732b2497c7ebbe0a295d7defe721290a80707c355cc1d5528a41452c5a89cc96801cabf5f5b895c969eed2dddf5f9e37202c3c9f7b1223bdc7174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1KB

MD5
ff99abf962535104e9899c382904103f

SHA1
17d5eda2e0a9aea611976a74cba0a8c916056096

SHA256
3a6e7027171df9a818c9d383a4b1e3615e9affa703325151e38f5629174b7e41

SHA512
f425377a67e47ff753535c9ad7a3a50513951c665d8a4e0c3b12494f64de470c49db3289a6d862e11f287c7957384e9f1a93837aba86d90d0ee24a04934baa4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
79KB

MD5
fe2cbce8f4fa2ea0c75cc1f40cefe42f

SHA1
f43d14630eaeab278992dd06104812de72917c6a

SHA256
15f723c4e547e3e9f04184b215f83b8368afbcb9864aaed9e5fbff224ed3b69d

SHA512
72d537f544771dc37e7f00951ec0047f732cddd4db844b4cd7ec39406c483ff4b7b97da8e0e86b6d177e81a0c16d4de89d78ee80256cef8544041dad04b23d43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
63KB

MD5
49a4f6e7b63be88461fc29f2ba302d30

SHA1
301b1bb816eee5904a2d68c92f43d24925051b7a

SHA256
1e2afd427b94a750ff2a52741106a4e7967b9217d59be6c9bc6afad7676032c6

SHA512
2d3211278919ab225be8b42a685ee87e87c381d7161f80902d704367968564427b64ed61fb088490bc045b6cd0748c30bf1b84a97a76fd1c91f32a610bd1b959

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
63KB

MD5
64525f5703e22998f04685fbef838e05

SHA1
f2c3f85ee065ca1c67e9eae13500651c9671d8b6

SHA256
2dcfcdad5827a9561cec0430f91a7501960639f25853add6f7811a2784e770a5

SHA512
488ad93fb5fbf5365f274d28def3c8593d2165317a79fee1f66eb01cbfa352ec38554def2cb781bc66857e06c23aed25261cbaade8c7a7cf96cf21f5a5ff9e16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
57KB

MD5
c05eb32f8ead6837b6620ad0e2f50d07

SHA1
ca853b9821d8dd1c1ab75b07c67257c8b4603e77

SHA256
5ff4937870111bc1790d1ff9ad6ba4d8c9b9e1021090073bb7fc82d4393b0e4e

SHA512
abac37a625f5b8ce3f9db53038a40ef273d30445036d329eff35c5181495393d9f68f5b7a584b55e3f68d9a3f1560201f69ba561a72c13b22154eece6c3b3f29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
67KB

MD5
6fedd16e4dd5845aa2e947465c938827

SHA1
6cc6931eaad54e39dfb38b0141a15264077ab6a6

SHA256
ca2e1574e194bb9aaa35cdf27f2108318d8d86a78cf7e9555bda89762d481db3

SHA512
a2bf9ddd41fb38ae0b9b0ffcfcf7db8f30f899afadb22e6892426ce7877992642cc4670446639c4f25181e111426203a68d8db34794076a630e670a3bb4f5ada

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
21KB

MD5
1bc4f72b362a042b95b87d07be44c4d7

SHA1
5e661c2f70febe70941642afe256c107955964cc

SHA256
d8fb4371004ae7cd3a0a96f86a8a6e6a40d7823df67751a2c6f8e363a4db4378

SHA512
958da98f0a7118ca7f732eb5bd6e934b53f1f0df7193368cde57061f7db0f020559defa2a195785c1b9e98266d4e9e184ca877153d5a419b08016cfa47388521

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
59KB

MD5
aeeedde29d3e11d4700d158c0ba10175

SHA1
aedc94af8c884f075aaf683cce1f6820cb0cbe85

SHA256
bd5558e0efbafaef0d9ad124b0db97ecda6f14f9bda10152cc30c54a86eb11f9

SHA512
020c95a3c66d7f629162fdb3f3c94d4aafec3aacc20a003e87504cedba71bc95240e098c1a6943697027a631bfb4dd8a342ff137b957e67168bf3c68aad5bfd6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
9KB

MD5
399a4bd1f9a93c084d72fe3fc313fc91

SHA1
23ad4f4cb414695a755052074ee63756669a0fee

SHA256
e8b84349291485911e8f60d949fa3e3038025c662e4bee436c46e92a0d261891

SHA512
13bbf19de3eddb34029b847be09242c5de5db18a98ef64bb347991036b6bcd8e37f98439608e94070d943bb81dd477d2018abd03acd9dd47c79e59e994914073

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
94KB

MD5
cc7f616ebbfe9f9aaf66e2bdef8810c0

SHA1
a779b9a5c6121b55d818fbe5d8d6ee2bc334a4ed

SHA256
044f1353e94b109ad52d4d9613f69256c3b85af88f8996aaf62709ca683d4e18

SHA512
6fabcf728d803f21b058310c0e80a4a871fde1d49f6e7856310acae74d6ea5f2a9c87ac2cadbf79429db8ebae84a105daebbeaf0da56328c3360f4e4ab6052a5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
212KB

MD5
82b91763e8bca8110f6fc543d1a59340

SHA1
96507922d432df23b41f10ab37230cefd3ada5b5

SHA256
d746d04def2c2c7643d8a32e20ec2ad6159a6c84facebcaab0f63c0cb8461a08

SHA512
97babc87ccc177f301543100733e8f40b3c781bb684ec478ffa90108e212ef235b60a4b0493edd0bca357651d1f5f48a2b02b69bf6c8562f7c7a4d708fb505d9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
168KB

MD5
3b43e62efc4ce16f3cc8b74e36a41081

SHA1
cb033a310bdf2201db236c88ef079dd9f56625f7

SHA256
0ff5e7bcce03eaf6a0ff9816d3b8001d407ff4fca5520894e676d1bb0c9d4d10

SHA512
c0bd0b93b912ede0054719b7a1f1bc974a56b9a96e68e5c2ac1a3c769ef6945a407486971ae81c819ccad8b410160f1cbded224d74a9100abd5edb62931cd872

Download Submit
C:\Windows\System32\Locator.exe

Filesize
83KB

MD5
22006349e02e2e6f017efef3ea1fcd47

SHA1
ad91d83ce3350d19ab9d6d9c36f6723711d75eff

SHA256
c63d3db2769fda87fb26b40a2b826b8be5930061ba25ff2899f3ed59ab9fecb7

SHA512
1355bac3dae6e09323bdb2ba324bc0f1bf92a6a1518d6204b7f680c03c9dda7da222ec828db71762e4627330b15365e553188936ac0383e86e45f51e563a623f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
120KB

MD5
9433ba2259a27cb8ca0ae788c8a61113

SHA1
da40e93591b7dc6b59be41ed12e91d90df4ca02d

SHA256
e51977436635faee656a489415b4b117ecc228ad9c51e76f8866cca1d5c12c88

SHA512
59987bf10cb62e69cec3537deeedf15683deb22cf3c200363d758bf9ceb818298b8daa61f7dc40634e700bdaa84e557bbb75ea1e1ccce5c7887f1efadfcc2263

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
40KB

MD5
ae7b399773dfed130bf552b517144938

SHA1
7aacb0f450b5ed5c26728ec6adf1cb59f406c23a

SHA256
6dc216448359994af3817273b392cf7d79c3823c521feb52e984ba60c4dc4b6b

SHA512
7c6a100a9f9b9cf6a584031588f2edccf8bf75ca57cad3661f2aa8c0dd53a87ae2760271a7d268a701492cee577bc361f3f262afc46eacf0ec7d6e6237c1bdfc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
46KB

MD5
3f45a01e2d686e3164c92c1b65890507

SHA1
94ef0984da078f6db290fc8643ec757b1a5d4b35

SHA256
3610fe53d6d9a13e7fc2f438e30d54d2db424dfea7b4de4852b9f0da01788aa6

SHA512
9cea14388d35824a14866fa77806e326022933a0844f4de92b106c3ab01cdb843d8958404412c07bb7aa6c93c2c1b166db640d1b06a9be864c0bf220b4ac0b98

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
92KB

MD5
dd455e83607a190b1a20a14a6f584bf7

SHA1
ee4e5478cfa1fd1460f3a49920a147824e50168f

SHA256
8bd5afc37a4f9600eecad3d4b25b580533568fabd0b9b93087b15f402dd0a46c

SHA512
6be6033b362174d5c84f699f92b9887de2f99cedd2f9bd41f5f0d2bdbed1f847fb30c1962be83d2b7b90877a4fdffcdb6f09b31bca6b76489ef313062b6e2bdf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
46KB

MD5
3ca4456538b53c6e68fc6037411aa933

SHA1
4f89225e9690c92e6775cefdcb395375e2bc0db9

SHA256
17a2cd03832147f249ada241a25eee6d2940a3864f51cedd62834cdee7ff6fea

SHA512
fcce39e0d87ee1dd34889f236edd42946ecc79e8a9951226e984c3abb551c4e6aa988476ccefc82368de2ac621f5f30f125404010c6fa28fd6a582a7cdfd7b46

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
5KB

MD5
3fa2ded4eb0aa6851bc46eee90db9fde

SHA1
048184ecdba89c23433657efa5a73b0ed2202912

SHA256
767fe6be771323c92c5b0888d18d9d4912eebee6126bcd1b1b5b2c8b3ad4eadf

SHA512
3aa136cae8a409ad007cf12c14dcf98c2fa1e5117554d765229fc58d3f79b5c5bfffd57e22c72113c435468adfe1632c678238a79ec5fbd61b4ddd2719cc1dcd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
115KB

MD5
3a2e0c5a4cbcbf7c1a65b578b573863f

SHA1
3dc3720f6acffd42e1198931e57914c46b67fc41

SHA256
2aef436d32de6f8459184c5224b899d7329f049295389c89debc5d1832e79f50

SHA512
31196598670ea7c5312b9ae9fdc79be5ab2032f0fd519818e962636578687a22b6d69ebfff1c4742bdc25d4083d4940383a29b9dce96ef2138cafa0e85ad7d2e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
130KB

MD5
faec9499a755517e314f39c20c11809c

SHA1
0ad07be792b2c77d8a075770afcfd3eed8e5cb73

SHA256
d05c1f953330e786be8e019480975b71b4705112b44cca26da5c0e9234d2de8a

SHA512
23f960af18f7d5102eaf9b70daf051b37300a7280dc99ca0da5817b24023aa8b88808ccbe137c793f04c50e778267cc6f9abc9f509c590594be0ddbbba4f306b

Download Submit
C:\Windows\System32\alg.exe

Filesize
323KB

MD5
e327a61c4082310c391cd923928b0fe3

SHA1
b21bac202f43abc377f92c55b7b6f5d8bcdc6ad8

SHA256
14a20ee1a85eb31cce8c57747e5e04aefb67e07b22daa1e8e0014c6447908aa4

SHA512
3d65cbf8690d475cdcffd8baeb1fcdf80fb91b4ec6b615b35bc5c9128008084774ee2db987cd11a7cd34abd6a9be9f233bdb61b042872fad224a24e64a373077

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
22KB

MD5
a196752555957d3e326ee14bc4e43141

SHA1
875b2164e954f942bce1a49c567c4331659f3247

SHA256
89acbb26e4f7c29b2bb6c02c942c6db18e70d1a0d17eb04f5472acc78323b91a

SHA512
1c87d8008a7903e8dac627fb0498758e5e480c236103f9423a1c96cf5f6c36ef015bb9a4b6933fe79d1bd7ba5f304361c204ff0bd8458cb556d582354309796f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
126KB

MD5
e703dca09746cf96a038af00ca8dc3c3

SHA1
df3e10a8a2419beeb6240bcd2dadaad1b535ff99

SHA256
9bae65e0b04b73fc8acda5030195215f05113d225d1db202667a21742e0d6d62

SHA512
e31068e8ab8d2ccf07d7c57a8766f9aed0cd29f8a5bfa742ee5795a2ff585bc9830e872e7491fa9d20e5409bc055dd1417b3dde23bb34f47927466113a1be62e

Download Submit
C:\Windows\System32\vds.exe

Filesize
114KB

MD5
11556c0e7fedee81c422aa031c917dc1

SHA1
b903b80a76b1cae06debdc41699dda9db2cbcb6d

SHA256
cf3df44b2fc064fc9e92e8d664424f4974ff2705964f6af012d46e01ab60308b

SHA512
06b03d9a50c75e936c1e0c80bda645a7ea3c02466d00308a697871ef2941073e80688f1ec35873a718d39c34bc00e0fe61013e999abffbc32b58c299e4b071ef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
39KB

MD5
715c4f8d135fa909ab3e87a916463f6c

SHA1
5c77376faedf6a1f6fe27d867f97ff3d57318082

SHA256
dfbd2f9c917fe29becbc5413e1d40a27ebbb64bd73a004a6e678a3770a4c8060

SHA512
05d5575403720e7e793e398ee9ca2247264a4e8e1994f33e2d3436b0ea233fae8e2d8d742b9bcf82d7d35928a9996c1aec714ec06a2d43302c175cf1501e1160

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
23KB

MD5
c1c5d342685d42adb7cf0bfbf0a221fd

SHA1
24f96719c634031b77e87d834ddb6aff8ed18120

SHA256
cdce0c3a849881866906438eab903149d365995ab105e6329167a9ca76977788

SHA512
be5b41ca3e27bf365952454cb6d483552fa216e97f5861393e8e807f9457d2311b7549558bdd7751d6f583344d419a3d4fdcf53aed5f20c32d3dc87911ebcc24

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
138KB

MD5
e5f49c3a3c271bcb03436d58d411da6f

SHA1
298189ece54fd3f5e1c373f68c782321163ca055

SHA256
11db532d3cc860865ecb90d950acd9d4b0656b892d4f077f6827797c7b6ceebc

SHA512
5690027efa1daf26079f089ddb4e669f1d92024edcee2e705438c79faaaa335edeaa8c826620cba35ae34460d75a34c5b1482c3aa134fe9e545e0d75b230a19a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
54KB

MD5
246d48ae435f92ee9e197a74dd877eb5

SHA1
24f9f6ca6ac088f6870a99ca9968069b25a1a9b0

SHA256
411e8228c02ab13eca7f3660cc8ec1b3d4b3e2ca7b940a512a3401de3bf30c66

SHA512
de3ff411197de78ee0f72e596d3c25f54076d3eefcbde7fdc4c8d7e08350f9e6308b183ef21f4167c8b48b5a6722e93930d5f202728f764114be41a09f1ccd73

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
73KB

MD5
f1e26984bde0a6ce512f8118fb5bf428

SHA1
4a5a7a9189af46692b66f3c391e3ac4346986d04

SHA256
1ba79cc04ec3980e171f9416ca4adac3b426af585ced5ab454ba8215bfb99684

SHA512
5b4382ce4d9a3c7044b9049182805e2ebaf091c2a60f0404b9825124836712750fe04b2d62d526b8cd94c6aecd24000cb16d375e3ff91c909ec595692500cd90

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
113KB

MD5
4af1893e0afe0065c7e0007428cb1666

SHA1
ad0952ae6df04c6d83df2652bff5d1bcc898245e

SHA256
4f50b130eeab4222c40a4cb64472eb27677ef801fc2d9c734e3b30e5c5673f6d

SHA512
a44623023fbe533bd3b15096413e4fad545f141e2d248b2032f6d7f89e8b00a0c7e8026fb97319e7a27ec3cab636575a93eaf414fca1102c9dab5f36b957787c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
89KB

MD5
dab1c499234a8b85d8931a40d9470b31

SHA1
36925d92113ae82bbbf7159176b96172f1bade4c

SHA256
878fff16b13e805e3b0529e1853779ad7ae2a333640ab374f302d65a2fd07761

SHA512
98258e68048cf3f04aabfd417bd4bec4eec08c4a78c0f50a720f1ed1d1e245a6a9b568266ebc3ab53d95b4d0aa8d4f7b37187c6c2fb6b5cde24d87c4111a114d

Download Submit
C:\odt\office2016setup.exe

Filesize
72KB

MD5
4ff238891a8fc2aacdd9d4a71cfa0abe

SHA1
62adebbcba1c2f09324c7cf2718cefda2e13861e

SHA256
2b49bdf08d98b9ed5e106857967835e75306ea16f7ff14583dfd8194b7e817b4

SHA512
eb599c5d5632fd3ec48083f1d23ad39a8d5021c1c281712e6443be6ffcdbdea46287b79d4e6cb15ff50c4c8a3f5990095c05196b0d32757c24e8867711d935aa

Download Submit
memory/60-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/60-341-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/208-100-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/208-93-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/208-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/208-157-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/972-142-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/972-87-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/972-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/972-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1004-175-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1004-183-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1004-237-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1444-130-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1444-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1444-6-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/1444-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/1444-573-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1728-144-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1728-149-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1728-155-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1728-152-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1728-141-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1972-333-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1972-266-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1972-273-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/2644-211-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2644-220-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2644-277-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2796-304-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-302-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2996-329-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2996-320-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3140-367-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3140-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3224-105-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3224-111-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3224-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3224-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3224-114-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3708-190-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3708-250-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3708-196-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-316-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3728-309-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3728-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3784-247-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3784-239-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3784-307-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4108-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-199-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4348-348-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4348-355-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4440-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4440-264-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4440-207-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4492-286-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4492-346-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4492-279-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4552-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-260-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4552-252-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4592-119-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4592-117-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4592-125-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4592-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5016-233-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5016-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5016-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5040-223-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5040-159-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5040-167-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5040-158-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5164-649-0x000001CD3F480000-0x000001CD3F490000-memory.dmp

Filesize
64KB

Download
memory/5164-652-0x000001CD3F4A0000-0x000001CD3F4B0000-memory.dmp

Filesize
64KB

Download
memory/5164-650-0x000001CD3F490000-0x000001CD3F4A0000-memory.dmp

Filesize
64KB

Download