8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 02:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
Size

1.8MB
MD5

c164260da3db912f4c2958be242d9842
SHA1

8f96cd09836e235c48c623f7e04af69b60391341
SHA256

8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3
SHA512

dd9d53d134085ec143659f63b6c58d7b623ff5ee920e8c514ca5d352b067c808ef2dcedd6df6f7724992369ab97309f484abf42b84dc618381a26243dbd49b20
SSDEEP

49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnSCisGcnlQHPxi:zKlBAFPydSS6W6X9lnLnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3060	alg.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
368	fxssvc.exe
3656	elevation_service.exe
4876	elevation_service.exe
812	maintenanceservice.exe
3552	msdtc.exe
4244	OSE.EXE
4060	PerceptionSimulationService.exe
4288	perfhost.exe
4444	locator.exe
4836	SensorDataService.exe
3724	snmptrap.exe
4136	spectrum.exe
3560	ssh-agent.exe
3288	TieringEngineService.exe
4412	AgentService.exe
1848	vds.exe
4860	vssvc.exe
3144	wbengine.exe
960	WmiApSrv.exe
4496	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\locator.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c0ae4a5d1f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\System32\vds.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\goopdateres_fil.dll	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\goopdateres_kn.dll	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A187A4B0-CF7C-45E5-A279-8E9315C5F33D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\GoogleUpdate.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\GoogleCrashHandler.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\goopdateres_fr.dll	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\goopdateres_mr.dll	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4853.tmp\goopdateres_lt.dll	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eeced741336da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2df04761336da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037cb10761336da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d16641751336da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc2265751336da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe
2268	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3696	8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
Token: SeAuditPrivilege	368	fxssvc.exe
Token: SeRestorePrivilege	3288	TieringEngineService.exe
Token: SeManageVolumePrivilege	3288	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4412	AgentService.exe
Token: SeBackupPrivilege	4860	vssvc.exe
Token: SeRestorePrivilege	4860	vssvc.exe
Token: SeAuditPrivilege	4860	vssvc.exe
Token: SeBackupPrivilege	3144	wbengine.exe
Token: SeRestorePrivilege	3144	wbengine.exe
Token: SeSecurityPrivilege	3144	wbengine.exe
Token: 33	4496	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	2268	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3812	4496	SearchIndexer.exe	35
PID 4496 wrote to memory of 3812	4496	SearchIndexer.exe	35
PID 4496 wrote to memory of 2752	4496	SearchIndexer.exe	34
PID 4496 wrote to memory of 2752	4496	SearchIndexer.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe
"C:\Users\Admin\AppData\Local\Temp\8266f332ab4224b65ee1f43ea788ff3d2e63eef3bb6ea22ed6cb1c2fd6f7ccb3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2752
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4060

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
38KB

MD5
d6c70f28318846070f602ae46f5ad715

SHA1
fc095ecbcb2fe3d8889ad787a65239917be7282c

SHA256
b4603ab3aaed8f3b213e658882c38366456a58c0a067fd75d055ad399e037e87

SHA512
e6147ee356afba927c904b6fea178d8b4ec6f04199376a1798129f176b7bd7dd1375a6443c65db8daa7785df3c6e9316c86f5eecee2e1d1a1bcb0b1eb545e4a7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
54KB

MD5
d78242227d4a11ca274d506568bd059f

SHA1
0ea6a1b85c5b11804bf18830a8aa63e7ff8d5fa6

SHA256
1a3edebb1c449f5aa1238164422beef8fe632cdcf497caaf490e8f4677c614a1

SHA512
ddb5d7d30e64ced118f539cf0b81e077d0364ec09d395ef8af1b707a60d1de9a8c1682b172abab04872232da5c8f9d60630f6876108b7789bf2cdc805209d8cf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
284KB

MD5
1ff75606e2e43a28f39768cde27fb0f1

SHA1
31cb61fa4bf403d0fc0d465791fcd924463ec05f

SHA256
0ef251b85e67bb84c6d55f46c37c441c2b0f3587a0bec2a6e9d62b12f6e017a2

SHA512
e69602d08dc11390579e098d3fbae61f64341df919beec6aa6eb001f0c0b2d5b709e2e854d42839317d15628dd5f535eb5f3268a4aac1471021bab95e7e0543b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
185KB

MD5
92551947979e8b94e917e83d5050f88d

SHA1
3fd0f649e588c5a0e0c4c2aa0d7c26fd2120ed6f

SHA256
5fe5f3d8afcba4b442ed94cb2a413f670c9549d9f2b4d1448526f6a7c821f3ca

SHA512
62952267706456257a63b330fcd7a1b4f7e7d9c28e3e20ffb67704487f46f9ac810dcbd6f065720cdf4934c10d98a00df78db0595011518649a21bb75ef541c7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
242KB

MD5
607436545ea356be1c271f7971e2eae1

SHA1
5a3dcb997c81363dbac301aff33765f150383fce

SHA256
411920c61d0909ed68c004b5f3a30274425ee98fa527afd57cdc98230e955236

SHA512
3b42f9845dcba636014ceea3b764423dcbd67693f64873ba275ebe7318b00b50776209de058e898dbaba0ef34a85a5bbb09f9df8218be11eb279fd39b9c32016

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
204KB

MD5
e766c32d35941408ed669f50930f39cc

SHA1
0fad227494ba3722622a26997508b471adc9e78c

SHA256
ea7065f2f9ed7cc1b4c7b16a7a88698b64d5a34c538c6190f361bad1bff3995f

SHA512
15403f44581741dc6b70280cc8a58ac63b2f64f213ee4c7328bdaf31f2aaf7ab3a840cb8be93378d10d968186ea285bd23f1787b1e177a4f8cd77bf1005e23ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
166KB

MD5
5fd63000cda284fb022c6eb9ad2f16df

SHA1
7e156295cf124984922ed94261f5e5cbf8ea65e7

SHA256
712255cda4af26aa81760318db48b9ec6cdd76987ac5fa0279226e7f22f9632f

SHA512
42ffcb452b87dcffdd195cb928266f317000fc9e83e866c195a675596775e368181249cbd53f228fe78f7a201730ea3ca398a6664dd5b0e7764709927e64b275

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
161KB

MD5
be2d6296e005f87881b77ad69e4fa7d3

SHA1
71c75034481744dab5d257e969e909f511faa475

SHA256
8b690fb3a375c25db9218b74ca06c42b12e1a8143f1e6f15fa738773647d75e1

SHA512
a30d718fd22ffd18830795b490a3e198fa2f51f571c0ebebe9cc25f41b0661424da81633024b660cc23815aa6ee3e339fe20470d80808e439ba04a1cb2425113

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
206KB

MD5
d28086773475d6246d3cde431d46ca03

SHA1
552fe58e4bd807bc2a3c460860e0b5f0f6d04905

SHA256
591493521d312aa99f41a5c862ed3fe3e38c365da62a0762fd3df9ec855e14ee

SHA512
43a23b875e857d4a66850bd6c7226d6280d50f2aa286229c5d403d5c40cf45a83869b4e3a792cd19ecb68182976965fea9afbec5b3caa0dff2e424283a414aca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
120KB

MD5
a30b92bb3c527cd2f92384b2b0b4e22d

SHA1
ba61a4986a44379085809ecab44a94d8fdfd6225

SHA256
4124f62de41dbe48c418383c1a9ae1c2b7b6912be9af8279fde005f12444f349

SHA512
5ea2114b4ed51b123183c3af958da114405dd0ac74e6c0a7b4562708dacafc58991770ab04c95fade1672507e25599abb2047b59405e06f40222fe57bcd5193b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
129KB

MD5
a01b2def25c7967fdd5dea59602fbf23

SHA1
240c82325db8a776a77f54963248d9e5b9d53f36

SHA256
6f46dec4071771169fc9f4c7e3a838445c4466fa83d5b6a29de5ed05ff7bb1a0

SHA512
1126eae195e7116ec2690a076aea6838045a207d02b5623a8ee2d85c1fff459a6f0b69b678c59770ca8d8377d2ddf86eac7f52960405a2822ec7f73fec69d2c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
119KB

MD5
45c0e3fd1b391599169b35f1c5f14761

SHA1
ccc69eceacf2b76211f2155c538087584bdb18da

SHA256
d0ca8e6ada87acaf2641c87df27fd1eff4d6873a1c2490424f2952c88daf3d73

SHA512
e8c0b7df73a876de25bf3d39994b60b551dca57d4f42167b65789ad758b5706a467627be420ba4909414c68361f15e16c46721598f3558a95ba2cb5955e108fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
254KB

MD5
646cabdb072432b94a75e734ed1f4d17

SHA1
4474b62ea7101558bfc8b41a44d809f5653c0d76

SHA256
acb631b2871ce1d01746d4c68187a147cdee2394f2a408c3a9fc8d568b7dbc8f

SHA512
751dc641bd688703cfde2067bf25cd4d863649e0c40e8a758378b4a837fd066322545608917bd33470a4e727326af1ff4b1a6160e4083d111206c479b50c5d38

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
37KB

MD5
98f2f697c18f2ee8435e6b7f27cbe3da

SHA1
444c7b50d6cda0020fff497262e9e3befbbcbcfb

SHA256
a5ab569bdeb9d9cea7c3f4c30c1d1014710f50fe120948edcdc75dd931246728

SHA512
1650673c081903e73abb5973d2f772f9df146fe224bae5c4664de2433f94bf268a3222d209aaccefff277ddf70c23b7b72dccf564fd940dccbd13138a860bfd2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
246KB

MD5
4ca09c52c52a614dd1321421f9274201

SHA1
baa2b85da848285ab44978c709c3fd02973a1721

SHA256
3ae89a5ff7f032a6c0d0f4460a053ac0d727abe55b9e8097ae7b697e8aec16cd

SHA512
c14c5f078fae4fedf68669131f153cf0db9194e1e3edd904bc25e244c742e0497639aedc654727c448bc62ce68c16f765219a5c0a7110a436655fc5986a5e00d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
163KB

MD5
6c0c825667a90686253cec38b4cf8899

SHA1
bc1f69f576d3c850c212acbd1181a0215604b670

SHA256
1c506ccc6c572aabd503c9e729164f0ed756238d3d74f883072ab5d00d6987f0

SHA512
bfd472b2ec58ec89dd8887b27095475b5986f4432c56ec03f15cfe9c632155e790bed10e22256e0e5186dd20056b5390ac5d2d79e581342508b417c958e1d8ab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
88KB

MD5
3c8ff515146b234498ead09460f7659e

SHA1
7f18dfd058c3a506ed6e8300e6b220b985e1d437

SHA256
0d92cabb24ce11003c1655402cf6b28185b84b29b535805044ba3f627faf4982

SHA512
cc1915f004bce7b7e5d612837f24312337c58106589dc572618270510e66c9f71fea7d55394035cae3b31d15795cccfa1b1be26f1d18b348bc4aa4e8dede49ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
231KB

MD5
2c878e18377767aa648a069b1fe0747f

SHA1
e9b9d8fed48cbd2b3edd1df958d23226bb54bbef

SHA256
c64d712c31f463fa95a137e9582cf8e6a36f79bd802c58636b59b5b5e385d01a

SHA512
4565977b781dc10af7d32259325abacd65bb6ee4ed80a7033d1d39cf9428ab51cc6aabd4044e78c23b1b796c9ae5147fbc7986e762e666b209e0ae90b232dc48

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
187KB

MD5
51f94d20cc27beb0c7049a373261c683

SHA1
c5dad81f1fca9d01177554ed1c48be2de825fabd

SHA256
710a0c5bfd685298507e9814ca8017568d81e1665434a6c6acffdc10b42ce8b9

SHA512
c6ffa738ba185f945e6dab9714f77fbfaf85a8727f484c3f2618ac63d136eee9c0cbc876bc9e4c2fbd85ccfb274886a43ddc2bfdcef325a7a8595c537be9616b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
95KB

MD5
b752217f05a93a1a9386c614b773509a

SHA1
7565f29ae7e1b71263114dc79ea9d5e99c328fef

SHA256
d87a5fab0e76c66a473d8de6f8058f2fdd7c33147db28639bd1707e2bd724cc4

SHA512
d3c37c3de7c5d701cd06c4daf8ed6eb784c0a44861b1abebc0e387c88ad7a98863bd100db45ef46caa86e6720a43f15f040c64f1091e14e0636e4b7a95199ce3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
108KB

MD5
16c7cacc2099e2a3649c29a2253478c5

SHA1
c41ddf1ba8769a8f9c3cb8361c0628d79bad9547

SHA256
d185483ef16c6ef57b7dd64bb14139015e8f85879ea48c19739157f360e90382

SHA512
3c00b4720286016a7663284a8e733dc401d2e1f1fd10c028b1aeb523ad7df8126a3efafaafc0943fc7084944b50585fe52161eb2cf5f7278f0f690fd56c2ba64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
122KB

MD5
1f67eb94f1eadee8c6489666b5ba0139

SHA1
e23d4467be3a33bb2b616a9feff6bf53629bdeda

SHA256
6e0fe84208648474ab695f2c0465b09ff722d987512f0db178f5779c7c1c28fb

SHA512
80523db77349be4576b0238b35d0cf1e6b6f8e3ff1ca33d8d2044f30d0b02e553f33f670ae0dc984f8305889f99dcb7941b52cb59fe295792fa0010051330eb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
93KB

MD5
b8be0a64f3fe4d7b1a23c5c1d4f94456

SHA1
a18692d0399e2a7ad573100aae4fe9957a5d9dbe

SHA256
0f2ffafff718dd425befd9731dcaeaeb603f4b4740c9e3c10e9c3ecbb72dc3e1

SHA512
78b87db33e8933d0cff510fb8f75e68e8262164bbc6ab0b5c9b76fa1e10e46ae9da62ad857f504908a5dff9720670bb1d2af3bf84661c75a34b5fac0f56d4418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
122KB

MD5
1028ebe8591e193ecc1d942caa03ddfd

SHA1
1e15169e9f642883dbb7e2d62ee82be271d87798

SHA256
d8bb34f6b7b5cedb56a56201ce084e16186b2777aeec881a0dce9b0e1e372a5d

SHA512
9e9876c4e0f27efb2b038650c02b345d9f38f9fa38c12be69ed9d96b56a1cf761e6d2c24a97514d3cdd73d942bca4833af66a6a37ed88a4e3a27364c04fc5b79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
212KB

MD5
71171880a5362987c85d058deb1f2906

SHA1
2982355aee64c122a0d3082760a18ffa2120c8c0

SHA256
3f72f8007a9e220d6ce77c690c7cad1cb17b32ec1569cde60cb1407fca569389

SHA512
2aaa220e131d6f629b8a5ddba6f47b3396c5c9c2150f15fc7a94c9379bed8c6867a29ecd0d69cc79402aa345aea3e3401f90e589dd728c86554c5b1c23dda28a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
65KB

MD5
76a2562171d724946c43a62008c8dfd9

SHA1
24b8d4f5f73a24f9736e09f4effc29cf7958c0d5

SHA256
28575cd34c6e415cd0f8dab04af647de338babce6b02f9cad15d6d9b5856cb81

SHA512
715a3143d7c2d6839eabd0fb126192f0dc628da857eb2dcc98b1361e18a369233ff8ff3fe4c86a42c7e59a90985a289dc24342138438f68f325d7c6cf300e617

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
174KB

MD5
115b77ad6277b99cb765fb8355782d1d

SHA1
b536174ade02fdc2e17513f17c37b471bd923ab3

SHA256
42a4419c1a7229c41cbaf338b4eef601dfa42f967a6f1ce9f1157a01459b8d7f

SHA512
a51bc374160677de95fa192b19885adeaa54ab697c900c049ad2f2b6352470b59fcf699491489e7ce55e0648a3b05e1183fc725011b9f0518b76f938209c0675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
234KB

MD5
86c97e98d365b90734be21a84e14199c

SHA1
e1a6d71dbbd6733bcfd1cba247229700e39037bd

SHA256
9ae5169679d45117b84a589603cb950404231a7a178eb9682fd62c26fd387656

SHA512
f1ee25c401286d91323f73182175fd1feaf67bd82eacee40b7fb0391428b806e4f13a3f094bae61c9a439e6b2150950f81d3d5dc1807a68eb6accfa5a9c69d42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
199KB

MD5
7dc2de480a3fdedf6508d78beab1eab4

SHA1
4d2ae7634db678488d8f4a811453c4cda00f929f

SHA256
72e3d4c5990bfdd76555c3c1652501ca45a1e6533ccf2018a1650da2711c2c81

SHA512
d2bb384fb93e3d8e7fa96dc64b25b75248d010d81245e8b3a542478a65bb6cd035ab77e146e0059f78cbd05626bfbefb0a27050c77e4507d7a289ddb9238bee8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
118KB

MD5
1224a375c65ad4bb9de6411660a223bf

SHA1
b622eed2bb81b5338716a2e1cdcb9e0b42000616

SHA256
98e086c14da50520fabb51aaf03671a5deac7f2ced671fa271a669a7f9942c4c

SHA512
5d8333cd6941d16cc0b73dae2212785dc9117a99f37990ca0fb16b017873a76b571734ea933be67cc06446ba834a5b33c404e65152b5b11c138c9d463cf11e21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
82KB

MD5
b4e6300a6445aeb46b7085631e0b9e9d

SHA1
0f38f0372556c8525d654fd9ca83480a3dd966b9

SHA256
2d0c0b60d6b68ce346ec37bc3972cc55b2aa67764961da801c6fc98ce3e4f79e

SHA512
134831a1bfbd5dab215fe94bd2b7904e00fbc456b9af4a191139051d015b387de4fc372c4f6fd313057467b919465faac175aea596886679d1649bb1ea67abf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
134KB

MD5
1822676181700893b4fc36e7b7e89baf

SHA1
83a88a4ec0eee2653605a099035abc46da71d459

SHA256
565c47908b008a6006f150b0ce09212baf9941bd4c1baa51ed6d7798fc0aff29

SHA512
dc773f9d3d8c90bd20b8f90d8414e91af1871fc4552227f7af7d77f595b04cde60ede74ca8f1fda9b798ba7e204fa4a331b3e9497761706a3a3b03433dcf6879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
192KB

MD5
0758e8bd0df4cf3e83b66cd3c794e9ca

SHA1
653ea0020149fe1cd7322bef480d395e914884f6

SHA256
5d974a9fa3c947965d64c610718a29902ffb7a9baa99edabf11db7d5fc67066a

SHA512
6b7765b44b739855ec3517195ad0f2c69ab37ceab37e7bb471d5893d75a9895febfd4eadf05b311578d781d4c22c1008cddf18ae71640e9203a397995d336a20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
182KB

MD5
8c739aaf853dfc5cc6f28bd3630da33a

SHA1
57049abdf9ba55da6ba6a67baf9fc92c70d4cbfa

SHA256
f0a72efe19095422870d747d3bf95f2dc827f1d6594594e4df4827abcf320eec

SHA512
a032d8ffa0019e5eaf4702654a75425a4e1cdd9fe171e3e9d91336244ceb3d285dd082f96e5ec7601b9b71d9b3948fa2795ada65331600b7b51b1f64239b9958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
193KB

MD5
629d18fab69719006d0721a20a70381b

SHA1
6056f6e18c69ff92aa654c03918af5d7c2a11cb9

SHA256
60fad5fef4baa125e82636408e07a2148719d12c35323b16f613a35b4cd169f5

SHA512
0ca4982b2d3462027b7387df17ed77cf4beb56bdc9c52c9f7a806cdf7b26c64353b2ac482aa2412d07c32722ff27fdca99ea16eeb1c3fb61e22b941f3d0b6e2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
131KB

MD5
9cd9150d1f91b1ffdaca46e02663c5fb

SHA1
1b80f3f0ab30ce9c7e270dbcfa1afaf02316419e

SHA256
bd29df8cfd7a9b8fbcce8384e7383f87bef7255893a76474abbcd4c3d22343c1

SHA512
02f5a581fb05d4fa238d75427c667850b59bc41f4a068dba8d743f2e922eaa4b9036e77cef76f000dc518b50cddc9ac101a9f4fbeb65aaa23ae343606f032b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
141KB

MD5
21f595b57bc455f820532707e27b02e3

SHA1
48282a81e68cad4b18894acc2bf267adce4059bc

SHA256
dd8ad5dc6ac12cc99be16d1168be5d51e652a8b280cfecea5dbc72e6ec23e4fa

SHA512
94224e0f47c3aa37c003828876ecd1e598e56db568a78b57ad382900836539a77240352f62f6333aed3bcb487d716e679f4652db33e56db678a6edae8c20d6a0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
185KB

MD5
b5454547496e316baf0386fe845024bb

SHA1
738872ca26ba40742d006cb54b8e1b8f42532aab

SHA256
b41977fd33be81fa9e30b4822db2d8335b6423acd8001eb90eb00487f4c2fc0c

SHA512
4db5fa72831d8d651ef0bd1f169b390b45021d153fa62e419635225c91f897543a792ec209cccbe00b09ef9792accd64ae19cc04a7562fe41e330726ee8487b8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
320KB

MD5
b95844a7753f6071efcb0ac75032f3e5

SHA1
a4ee9c9d18f1c12ce56259d03b935b73dba7b74d

SHA256
5999e6c0820c20bb302458ca04ebc6168a3e86c83bd0acb3551a3ed597f88b0d

SHA512
8dcf08eb6c3a31b9bea16f673e205d5b8544d852b295ff827b994eba97db6ce0fd7da459e5ff81df49317a9b75e9520aa4b4d137c8e3816c7afe6a9cc7c31daf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
2KB

MD5
6c20da1b09d440571f5e5580e4aedfe3

SHA1
68b49fa451871501e56976e4ed9e8226bc68b264

SHA256
ee51af00f9bdd14dd668cc9a83a07a7ed014b1d86bd2d76025aa35cc275b59ee

SHA512
949672eacff5827c9c0a91a15021ad2a06f641cbd6ccf4706cdcc694df57be48757aff893c44cdf27a28f6f3ae2c6a3394afce438bc705940ff0172d12a7f2fe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
56KB

MD5
4d2c3c335cc60ecd511705d7a2f189a9

SHA1
38c577cb8e8d85adb320600104f82f3245a43381

SHA256
5c9c9c82b26e24800f2903608521f368260fed4b3834176c1844b7021607b080

SHA512
3b6b298424855c7faf7c39aff4c68accb5f89609261cf21e0d4665a6cdbc5633b9b966b2f243aeb59289a26621a006114fa9992fc2535987835ee6cd0af6b1f5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
85KB

MD5
168569baedd1a8b50af85a20a462279a

SHA1
a13482bc16edda0db6ae8755d976a5fd756bb400

SHA256
c9d5607268176ab59719c9b8e6585dab661a423bc9940c69560b5dc5c8ea1e40

SHA512
ad57579ae4764f0a84f497cde45316192a4482d628d44a79b98c5de10c3467513d3d0a47ab6f2d65ae59d1daa214e402d522f2c85ab40880489964205654a2ff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
140KB

MD5
a82ff7e8f2f121fdb1efe3e3eb2cb979

SHA1
da26ba7d5a26dca4a6a9866a99daad2b36c05d0a

SHA256
5344ee2229a87115f3588b103b482bccd5891c2aaf5655c51993a970f35f421c

SHA512
f9130e9aac5fefdb4ad505af8589ac322e6485b7d8c78be498ee2666d56c8782a47596813c9b0479f2cc29c7f5ca0301c0dc60561d9737c7af6bb5c425ce541b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
16KB

MD5
f6bfb1c72742b9aac6674eb40e2975f9

SHA1
0ebafff8e366ab48830006a3b351c15e9b8559e5

SHA256
9cb3492fb52d2ff1cb7acb5667c8a18bce7823c4011a460dd4b28ce903f1cbc4

SHA512
e50fd93125e2a8d6af8fd3e86ece15660117d9a230a9c0b6dd493fa37e77e1d97e1927f2b21cd9a54d8045e1b81f26f23fd20c1b08cd4413a0cc1ab69e87d23b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
54KB

MD5
bb427ab8c876d77fa60cb219f58b9601

SHA1
ea6616344cb709e0ac6c76c3a427cb0efe6cd1ea

SHA256
67c30d14a3a4591526e5d034ec007f38c1736c200a5f82b1c7529760f65387e4

SHA512
a972615087a93a2085610e25013776efdd525405e06e1c1146f185b437529de0e220427a2470a19670daa3477432fb189b20cf9f30f062d36fbf9357cd9bb733

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
86KB

MD5
a208f5494d22407916af109c3ba84c96

SHA1
c917ad4563a5249c8856f5dc885b40c00055a055

SHA256
918f924a9e43980d5b8a5a7cc6be2d79cae48b7ff5643da06e2001eef965a954

SHA512
b66a198fe334ca07edfcd3b5e4454d40243abd790929e97c8e2d63fd92c5895ae24c92ba386c2ada335533c3308b95b90796920b8a3dc8400b11eaab99d5d087

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
54KB

MD5
219af5ca80d5e5ca03e244edf8d44de3

SHA1
71f9402fa7395a8c27ea54dbe9a4fc84ca4acc1a

SHA256
3d1a090d123dab9b8b509b47530dfa903e3ecffb9dec97bfa7ca4bbba995900d

SHA512
bdb7e2010f98e89fcab047c99238e1c107e9bd6d5997bbe4e11574961014a308b56cc76c0d7ea83269e586197591a29c6de7173f8208dd03de7deee22deef74e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
59KB

MD5
586a1eb24297c496c777ac2147177dfc

SHA1
53c81cbe1478e1ec7756f93baa17c13bad160112

SHA256
3e78f40eca9eb370199f82c2027135c2d336680b713a7bc3c8d0e67a0426c2ba

SHA512
47704184c5299d719d54e512253c553805a61e1a32b7a5e5ef202092b077abd8b0e360e8d40f4d2e0dc7d1a3d07b82d455b34f87e405a7a700bed21fb1ea4c31

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
2KB

MD5
2bfe329e39b0b81da0b232437f87349a

SHA1
cc50e4d885ef2b6a9fa2a606cc931c1e8ce1e6df

SHA256
e3276e55e62f9164a0b13351be9601e4dc25073da48c4d41c5653ba1336e0f82

SHA512
565ccff1b807284b3db234af00ab9e69f44b9d1b8255ba4bccd5e3854bb1440f5869cc5da1d1d0ef15c5289aae4d3fb4c4a3c8042193c9bf477849abae797501

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
56KB

MD5
588f3d6dfe92dcd66b443e59d7f62828

SHA1
d05583cb79dea1ce07684ebbf21d6403da4e8c81

SHA256
fd997635ca5492597c9c187e2c740c8dc0eea27448e020db12733b071f2f7c0c

SHA512
f090c22fda7129f6252d1bcf4ecafde960a210590d947138e0f4e88127b3fc985a1798c68344343d6d7093f01fdd34653386e84727d8c8a5f3ae85be62e3f966

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
30KB

MD5
619d1c4af7b071996d980f5ff781e1bb

SHA1
8ead5d9a11a44b01a073262b5551eb17d60933fe

SHA256
bcca890e87e0257d63c1624b412a44a9dc8318c1c2c803a1fb5ca8ee85d5d98a

SHA512
2de230ec86c727dec2e6b3db3c97f9706920bd8f17748fcdbd5e0bc96d6581c707889d99f516b9d16f54e538d710cb9b3cb7a61180270234f4840aeeedd0fb23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
6KB

MD5
a5bb2d88d483f4c6a8c286247fe98b94

SHA1
753a505b43cb9d78b980c68ed2269283763f7159

SHA256
48442dde9c235a80b778214db1f86c4ac3a0012cf06ab657646bb8e59b5e015f

SHA512
ef49772e3e4c6edecc632d8845f6f34726bb95b5186980b56a3bb5b98f249369c8c95f377e00cdf045a046fa03368cfa6ce5e4681822e9bac8ae6864b1cdc240

Download Submit
C:\Windows\System32\alg.exe

Filesize
69KB

MD5
eff27dee62d7a497ec6afb8616a3cb5b

SHA1
70e01eb8344ea4e4879a019fad003096bb9375af

SHA256
a1a2d7f6fdd7a88015dcdbb94e29d3f2b5d28b150f4f6194d79b2bc96b191da7

SHA512
30c8656f83beee5ca325e2d408bd98369a9a121f9cacd9f5aada78f42b794cb659dc571e194b05da51a4d7bbd03fea326b5c2a6afbdf78565236a425bff7050e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
134KB

MD5
d00bf5ba5d0f5f1abf44d13b0d1b4361

SHA1
2674b7fdce5cb17b2c4054667fab0992e2684cac

SHA256
250932e99f91e62e5e677be885b7a471f31e7f1bc540ace5b7264aaa3c64e936

SHA512
b3e3b9be406b73958bc662e329f19c3bd37463c6c3c9d149b0dd8a8ba8d1c909304362c18abbcc3c061268f10da38c7db3c04d4fc8a7aae512dfb87979c23e7e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1KB

MD5
0be600653a56a7c9513b19ae56b0fb27

SHA1
a2bb799bae3a5491561e853f6c43cd09f1375f1a

SHA256
012eff916412f3511bc52fd43d013438ba0910161e653f692e054ebd0985d1e7

SHA512
2963d038b329e448c365572fdd751a765a5c6b4ba228c7085c40a71b6c98f3e7e31d3a62feddfcfeb7d57011d10d148832a3a177c83a177f4e729abc3ceac350

Download Submit
C:\Windows\System32\vds.exe

Filesize
41KB

MD5
9fbfc161a84198eb9e4b8cc71528b2b9

SHA1
7ebcc7b0bf494bd8407e6f6b3480d8e5b0b10a41

SHA256
5c72e404a1fb8603ebbfbee27dc27ef894f0f1c6399c9c1766f7cb8daf1687c1

SHA512
cb49a9d3c22e2b98620a6e0d83e9f2b66c2f48e7b0fe67760e3fbc2220096c370ca6a4a0237189ff3913632f6091f9d739048fc0ddbacf92a1a509013b16384a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
31KB

MD5
a568525536deb1c29bdb4b2c8a1f670b

SHA1
ff948f5fd18773c4a0b280b62ecd8a3f628856cd

SHA256
4b1968518e009e7ec784eb8a51e854ff21a865c87f2817bb702399d84ae02e75

SHA512
2196d7f1e1a7d57d4d5b7d64f3b18a853da67752bdcef5a8c046d3967cc0f2ea33004e453cdafc5fc09aa03de7abbb6ec2d8fac14a98deb673139977bfdd2206

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
58KB

MD5
c1f34afecdb7ba6fbef8794593647b6b

SHA1
b2ce099405b7d22a8f1a3518d2085d22e49728b3

SHA256
133d8ffc7cb893c49b7cbbf9239ddeaf23e3db63f9e7c04a6afc69c4f64041d5

SHA512
f607cd787a6d136d36fa8b251a25788bf27797f7b16407b1673a0e1f6c85e758f15484f7c37f2828c24ef3173c629d2612d28f73160a73ef10aabb9af7386467

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
172KB

MD5
58f860db76d76a6c7a515b9ad46fb46f

SHA1
8e999069544a1803a4f402d021da6a22f5d63f5d

SHA256
093a7fec77d3a41a0b2a5162f48cb167c494bb02d6281150bba434ab55b728d4

SHA512
ad83c483825502c955ca012141eda4370442bbdcd99faa74eb1fb090be3b6c141d6322f8310896ea638afdcd0fcece235207c593d85213fd1b96af44aa0353ff

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
199KB

MD5
8fcf39dff99baf08263d5fd0ef9a9a51

SHA1
166039adc8ab3bfcdba144ccb69307df2a675569

SHA256
df5e25de8e972910deba2f462e94a2b4d122b2b734b3ec3be0a911dba61c561d

SHA512
6468d0ab4f0096c269542b81d504d846dce5b04e33238447dba28f546ce94a178d23fc79043e6734c96dde3b54672acd0aece3cb6b82ddf559409e8ab49bc27e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
118KB

MD5
e238f4e7dac275112e7e019c39c9c72a

SHA1
2eac032f80f7cdfc4565879e426517300694fe8b

SHA256
afa24b74d06d9149482143a98783a2cd83171dc71d7f2add9a3a26dba3d13f3a

SHA512
b278e78fb1b6df00a293e3475df339cbc78fdaa757940cba5d80629e7c1c1f80568c6887e7aa519d03b3434c7a92059a67c5c0851ccdfe26740d3aacf0175498

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
260KB

MD5
a7019eba8063d040343fdb651d041dc3

SHA1
0d17732955194a329c98b6160b4c5339b0298059

SHA256
26684ec79f56307d19b2b57bd757ea9cd4367a01c86f8d3c63cf3c5bc44fb0d9

SHA512
a1ce1a67fe13528346bb48bf262cac934531b927e9546a4662b0ebb4b3b065bc7c2b545fa28c1c8dc3d91fcbcd3367ce81d1ac03f9d8076df06e6b5356a59fed

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
248KB

MD5
e7a71f4c418efde0e14305d138519d7c

SHA1
0f9c6b0de4c88f690e0b6b491148eed053e3db23

SHA256
cf56fc30a12fba35297059564e86e11d2f4ef56e539c7086b2f1ca34c1c3e52d

SHA512
260d35572c70ab948e9c8665d31808e496ff43b240a3331657c268b2203c00358f9b84e9651fd774d8be83d541c52a7cf2bd5698ee7df23d06b6d1e21fdc8898

Download Submit
C:\odt\office2016setup.exe

Filesize
231KB

MD5
4377343a2d982e8b71c1cceece4d08df

SHA1
05f38b12d814f1dc0db00231a0145bdca1cfa95d

SHA256
4c33855d108c16c5e12764a168ff6b5e4c8d18b48fc25b373a15e82e334c719f

SHA512
b5a77b3ac91d98e5d55621e9e7f6c5eaac3b11a3f0f5ebcee7389b9659d358aa2d2541ef4644e2485c19d6cfa3a5f4bd81a289380035dda959476292d9cb848d

Download Submit
memory/368-113-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/368-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/368-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/368-116-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/368-105-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/812-158-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/812-144-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/812-151-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/812-156-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/812-146-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/960-359-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/960-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1848-574-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1848-319-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1848-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2268-95-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2268-101-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2268-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2268-94-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2752-578-0x000001527D180000-0x000001527D190000-memory.dmp

Filesize
64KB

Download
memory/3060-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3060-87-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3060-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3060-12-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3144-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3144-347-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3288-349-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3288-290-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3288-283-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3552-171-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3552-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3552-162-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3552-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3560-336-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3560-276-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3560-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3656-119-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3656-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3656-127-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3656-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3696-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3696-7-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/3696-1-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/3696-132-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3724-243-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3724-250-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3724-310-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4060-200-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4060-253-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4060-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4136-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4136-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4136-263-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4244-186-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4244-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4244-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4288-205-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4288-212-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/4288-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4412-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4412-308-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4412-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4412-302-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4444-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4444-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4444-222-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4496-371-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4496-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4836-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-236-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4836-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-332-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4860-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4876-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4876-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4876-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download