2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
Size

1.8MB
MD5

b0056c5294557411f20ec8b2886f9b7a
SHA1

3da71558d8eba05a1c42326159045f3e929d36ce
SHA256

2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00
SHA512

7804dd2006f154f7f5e4b7278aa76d55f5d55da9a65bb1f7aee26c12dfc8afab816d82f40a3e1e5d24a70d414d717decb85032ef92ae0532f92b4eeac91fef6c
SSDEEP

49152:wKJ0WR7AFPyyiSruXKpk3WFDL9zxnSM/snji6attJM:wKlBAFPydSS6W6X9lnLEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2396	alg.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
5096	fxssvc.exe
2728	elevation_service.exe
1804	elevation_service.exe
1740	maintenanceservice.exe
1548	msdtc.exe
1208	OSE.EXE
3252	PerceptionSimulationService.exe
4528	perfhost.exe
3908	locator.exe
3156	SensorDataService.exe
1476	snmptrap.exe
264	spectrum.exe
4584	ssh-agent.exe
4648	TieringEngineService.exe
2636	AgentService.exe
980	vds.exe
812	vssvc.exe
1052	wbengine.exe
2068	WmiApSrv.exe
1540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\locator.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\969234dc7c1fafa7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\goopdateres_et.dll	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\GoogleUpdate.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\goopdateres_zh-TW.dll	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\goopdateres_te.dll	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\GoogleUpdateCore.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76828\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\goopdateres_bn.dll	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\goopdateres_hi.dll	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4631.tmp\GoogleUpdateSetup.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ddfa305ec36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eee24605ec36da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b74cae04ec36da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000431af03ec36da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe
2112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	400	2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
Token: SeAuditPrivilege	5096	fxssvc.exe
Token: SeRestorePrivilege	4648	TieringEngineService.exe
Token: SeManageVolumePrivilege	4648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2636	AgentService.exe
Token: SeBackupPrivilege	812	vssvc.exe
Token: SeRestorePrivilege	812	vssvc.exe
Token: SeAuditPrivilege	812	vssvc.exe
Token: SeBackupPrivilege	1052	wbengine.exe
Token: SeRestorePrivilege	1052	wbengine.exe
Token: SeSecurityPrivilege	1052	wbengine.exe
Token: 33	1540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeDebugPrivilege	2396	alg.exe
Token: SeDebugPrivilege	2396	alg.exe
Token: SeDebugPrivilege	2396	alg.exe
Token: SeDebugPrivilege	2112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3728	1540	SearchIndexer.exe	110
PID 1540 wrote to memory of 3728	1540	SearchIndexer.exe	110
PID 1540 wrote to memory of 4424	1540	SearchIndexer.exe	109
PID 1540 wrote to memory of 4424	1540	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe
"C:\Users\Admin\AppData\Local\Temp\2c3c9bbba8603ed851851d5c7b21b298d25ee936b686d1816e80aeaea0143f00.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
68KB

MD5
ebdbbe40d9ad15118bad7f19dc68b8a6

SHA1
5cca2b34f290a71b8ecc9f4bd1e2ebfe2d857967

SHA256
4a408ec5f94c5c715dc9bf92d937564150a0646a4fd7bd403affd0aff4751282

SHA512
1aa32b8b281a79d621726271b24cae3913fd52580a1874b48cae6ccff69c5fcfb13cc03e06a69ca4a398db44b86dc654d81baa85c9e7dc88c9203c58f101e381

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
48KB

MD5
05a6677381a524032133e20816ca228f

SHA1
debf5c2e6c46b1e61aca921444682dea842cab62

SHA256
eb2be74ef938909090b820b99aab80b208e76b292a159671d91a01799d373dc7

SHA512
0c274b5cc686353b688c6d685e9522d5f1aa45af8a545b85006582319f8d5ddaeee1c280b255b9ea30730bc626292542ea7ad3ea577b37812b37aa2b8f26760e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
58KB

MD5
91a376875c85f745549025b363d6c64c

SHA1
76b25df36bdcfa50859db6915980f6f46b9c9d36

SHA256
ead7e9fabd4a6161aa88d7f080f49c2a67f2c0f4b1543d5718a129268bf99f44

SHA512
43d2aa554ef414b24c022b43646afe8a663a8a328f4a39916643299e749f7a010af1f0cf4967e2d8290580515d8114127e0fbe1e9b8d16d9efb79e1521c2d4a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
48KB

MD5
67df3db8177b0748f659c7a1282c0313

SHA1
1932151ed1fc75e166a9a86b722a719de04ac7b9

SHA256
8030940726010e133129916c6bc3f7ed5d4ca768ea9df79c2fc7eb3744177f12

SHA512
086300e674636d8950ae431d57fdf47c5e95f8607143ef3cbff5514d4da7d39ab4a15592de1b5816f5891a405764250ddff8c4a5f9a6b7e954ebbaa5d6eb9611

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
36KB

MD5
c5696349d43832b37b7b6dadb35f85d4

SHA1
c40058e4cc61651eeafae3deb2927e8df53684c8

SHA256
b242c091f1ba8ec4fc4afe555f1cbed0e259db62495ffe5bbe7a08e565909c1a

SHA512
6b72b0160fdbc3d4475bdb98d4c7d4ae9676aff63d59b7a79c112a4c5456e6bd16ba9df1e76a7bb5da2e44a01a118a0bdfa51d96d9ea2f7658da957fa1e7c454

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
29KB

MD5
a2e082c9301df6bb7c98292cec39e104

SHA1
6158c8b96c24633a509382144f4b1ccfe0ed6f81

SHA256
ac1cb50febff29f6091a489a9b44b3b51bb327d3d096d5d849b1c834324a63cc

SHA512
dca92ed2e7ed3bdd66bc1d781917d6fc96abd528d99664df3dbf5c327dc0a1284df2397507c58da3da8df3a369134f1280c1bc75f7875a6b98133d56a6512f3b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
58KB

MD5
fc65284446400e6b0c95e4d5a733fb8e

SHA1
fa818bac38cc5bbdd4dfdcd50d4ca5dcf8c3cd5d

SHA256
1e52a1f5b26620a3f879d461c2e9edd9ff7c7bf384f1d999755a0fc1b1a2f16f

SHA512
98e74b9c91573688e5f38abec99adda7b8f8770a0703068a8efe408d6b07c8ec5a33ef52eadf80ff92d68deebda3384a8b3d4f4bcddda7249a3c8d3cd0a56d5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
27KB

MD5
146d141da4d1b19c3a72947347414769

SHA1
089449819dd6be410e664ef47402c8dd652dbdb6

SHA256
ef52864d1b70720af8b84882c6d7c417471eb01f1fbd7bfdb4a486f9d2f31299

SHA512
03811baf9be8fc97fc96f8e45216b7fc99466786bec1fe61bd39be4acb3e51b44cf035feb4f5d0d451c70b2f4d70974ea0da802810c3391da96d458658d42fcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
51KB

MD5
abe573a6ccc0c22a23e5b561261aad59

SHA1
5d69a0d63900f18b9ec095257a1b5ee56f64946b

SHA256
0393ee0055f0895732170e8e002432ef91abcef5fc348fdf505aca9cf47809be

SHA512
3206905a5b709c06386b2785e11b14d7a7e16573aa70b0332996ea3fed802bb215d7bd9c5003d8d31765ee94c74bda6ead6780065d89aa17e099e18d4dbe59dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
20KB

MD5
6da6a975dfd7a20b6d12a29a76a70de0

SHA1
2f1dbbf8c2ff00f9748d005ae34aea7ff10764a4

SHA256
26a39ced4f2fda19ed9efe771c35df9ac15511882293100e083be5d2c3e151ae

SHA512
d363f8922531bb164e6027a5a67a5067f2e1712b56401e40047b29a7fc0cf3211229f9c2871a19dfe65a702a0a51cc077f37da7ddd63cbf9549df650c8ecf776

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
6KB

MD5
58a324b512740495beb9ce7048a03805

SHA1
2eae0f26bd9dc911a41f36338df771b0120baa36

SHA256
3f24b5fde660e92a4a3b3f7a6b563746abbe1040528720068d92e103d644dd9c

SHA512
d4608514e4c74f25ae2fbef3f2725e7fd64841cad568f90bf027922d9125bd72ece8d41ca754d6106f5f6d0140a644f200e14a53570690999acd9bb618373ecb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
21KB

MD5
148aa7dfcad76ab75463b18a5873c2bf

SHA1
adf6ad3f2d87bc0f8f359ed9837901af797325ea

SHA256
358f143cec5c3569c9b2fd0cdff86e3e12cecc9c1d83f2ed0a6c7899bf6951b8

SHA512
f31c12ae7a7f13b157aadfb1e0b40104abc3e655b43ee5bed7b0160141b259fc75769bd1cc39412d75320fff1e26af22650d9015b13e42a3ebdcf584d7d264f5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
37KB

MD5
e1e5f2a405044226467e09f102975d91

SHA1
e1c367daf15af353b8e0dd4a770ad692e9dc5b11

SHA256
0cce7f49e061e223619df8c8212ca485e1cea8697e16563a4b66a7d7b186ecf6

SHA512
cda9de81ef26435d07fea1f32dbc6483240846c490ad6a35e5a43a2c84b1508a55b9c807d4d0ff3dcb098f98dcbd8f8f79e6d88e52043244fd012ec3d50c5bf0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
134KB

MD5
c70d9fc5beb47e604f17465d32d5df6b

SHA1
9fe3b05ebd230e594b959c11c061a1d6f741628a

SHA256
b4ddced220e4a32f44267775ac97976f27516a95d379691e442c624490b69ab9

SHA512
405eabe771b93594edd152dd78da05eba304d542a6d100e6dbc56f690ecedd0a921ed54e9c2909e43407d687ae0af5a7096797eb69ff3a961c6d0bc6bdacff46

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
22KB

MD5
598505d7856759e54bcf1e7144b80c0b

SHA1
6b32d6acd71b3aec9264a19aeb4786327b9312b4

SHA256
395ea519ba474a178e9485d25b40d710fe2f0e241a935c30782d1f13dbf23dbd

SHA512
ed83da2a555e3e286a4becba8ad1b27f5d5c8ce5e5952b73233e5cf1c9de032dc2f258c68e87c888231478eaaff5b87c1c983fa54b5b2f2338fdfeb21e354318

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
61KB

MD5
d84d2fadd0e84e8b8a419b7dcb624929

SHA1
b9d65f384dfedde07ef3cca7253acce5f8252575

SHA256
808468961858cf1b27240386b279a1f518fe8a707d98e1b1fc47477ac91489fc

SHA512
910f9b201042e203a067b5230b26c2246c3453729ee2e32977844fc9661e9245aa7b485478631b969ef61394e2f662c6ba83b4cf2048543814bd9fb07cba659f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
29KB

MD5
d8e0444b5bf7ac6106d15eb0ee150d12

SHA1
fd6e793a2c3477c7753c4a4cf075d0e05af807d4

SHA256
903e2f7fe821bcdc2b83d5770c58d54c838880a977623af8e9c00dd0cb89becf

SHA512
a33b692e8a6f56474e4cae07c138f7815e373f59192f10c10582ea456dd2ddc15d7485b19f2315a4274cd53a352914ec5333b2f103c4da93456525717fc0ac37

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
59KB

MD5
b0e7cbeebe86f3b5c39b88a48a6ba907

SHA1
cde6cb2d56a3f07ea239ab9d2001e3817609115e

SHA256
91f6dd6c19963e9f6d431ea41533c23379b0898dcd26d92a268eedeefd633b87

SHA512
b7f7259ae25ab2ee0e592af0857b555f2982101c76b11ed73d72ef5ab168712b66853bc774a59841f7b07399047f443ffdd8dbd1559cd101684b5d5a0c82e81b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
90KB

MD5
c0a39434377b5acb795db52007815d1b

SHA1
95552507e40efa9be8a4a047c5f5235a4bec03b2

SHA256
777fa8f53aa4542c537d0b6925209a6742e773ba37fd904c3c9a9c6bc2e6e334

SHA512
6e08458c553cd804240b8f02930655357dd2a29997e4eee1ce3be99a9790761bc564389b8fc8b49d9d4c6ff4b0e4fbce84ceb5ffbac68d4d536da8d6d604871b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
60KB

MD5
fdbe5b722c2118429251d110b34741eb

SHA1
a4cb701988d924c58ad39a26dd9727d22b7a624d

SHA256
a527c2ab80d07e7abf3a78f5754df30ec802037c4a7fcf0a1628caf26cbb9254

SHA512
9b085f72fbc14531eed3e53a0660253852d67ad84130e4588ad2654af716c4dc598c26770faad8c83306b1eef402253adb55345c0cf0979f15fbc1d8cc460880

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
96KB

MD5
7eb10294f80c76f7deee51dfc9acda7a

SHA1
af9e754df7a2db6c0746e0a9b368e01b74811434

SHA256
7880e9f7f0546cecea35a57b1be3b3e217f4528157ae023eb7a8faddfd81d15f

SHA512
4dafd09d717f27bbd77235b3c9e38666d7022ae2f5837edbfc84faf49d734f05a6fea6c2c57e21a63121002a0daa3be337d309d6c2be435a6da0e49bab62ce03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
62KB

MD5
7ae7eb2e6ec0703c2f803ca44175a3ff

SHA1
0512c544541b5fb2d0b491d054d17cf35bab5455

SHA256
39b4709098a3dde56e3b489a0b87ea25d0c42ac09998d1068052b6f7b49bd724

SHA512
12f2f197ce8a5f163c9a3934565d09e3d126484069f2d93be04724ff17dcc0ebe3f7c32af3392c473ff64ceee77c91d0b8cbe95cdc9fdc86a04a7166e0d3f40b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
30KB

MD5
e7f893dbc46c52b8ebcf031a627835e5

SHA1
9bea8181a31b92981c768cfa997ffb2823b14847

SHA256
8c5522f38b4930e461f95f84fe16475b46823ce67e1a591a8423013bc4f37d3d

SHA512
d58e6d8aa7eecc4610d07b0c0e67e891a0006c2bf300fc007371ea12162ecbd3f6f24245821f0150202acb4f3d85230c04bacb31a03c05308b11e517d779eeea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
31KB

MD5
390e7239e9be50b3d7c1278863f7a47a

SHA1
c6546fd0f8c8959fce715eab12303aa260ea96b2

SHA256
213dbc01b202d8da0cb123dde2d84de0f6f5a8f6d3dca50ea86443be1d7190bf

SHA512
96ea1d4aff25e9af588c22533972dc3639515548fc6d8b643e2a5a46b088ff9ae3803e56cd47b5bc441bf9bc22162eb457fb342a32c3afbb0e85686d1fa7273b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
58KB

MD5
cef83340d548d3e727f762ee8b69ffaf

SHA1
5a1e0242d280bc5552b501ae03964719e9a8d9b5

SHA256
e759d660c9dc45af2d6b1c9c11f1f52f863a8449225bb117ff5e81480d8ba6a8

SHA512
546b1d5a016e4ae404b422a515e693501dd1ae9b8f401b2e4253063911ccb3a0f67a355f5986caf1189a63f2cc6ff873205ba3280f533ce9109239530f54aef8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
29KB

MD5
e78a8f52d2376e28470d591e63205d8f

SHA1
b3082f5a5cb9022523ed1f7263f1e5de01a56595

SHA256
13c25d03b15439ac3b1030138b66155c8290ab82bf2333204c4c1a54db7704ae

SHA512
9b2397553041d37ee60a7718f1d30a2f4f0e4d5144a1372ef3481eff7e8533d5480847b02e09ef87d185edb64cf1dcc69bc7c6439d19494d7883a2c1341d9728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
46KB

MD5
707256ab7c7c0ebde201024f07253fcc

SHA1
8eb73953cfc24f71539409075266d32072598b81

SHA256
01a72f1639dbfc0b70b544c1e87e1994ef2751177ba8c4f51cd1158748a0147c

SHA512
f5204e9dfb69a5023235c53ff3bcb97699892f617cf14cd839bd4ca0f561bee2d294469225f746e4d1603ea69b5da17ea1205faebe09dbe22e374548d6af6c4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
6KB

MD5
2fd2f2986c0119c407d79817b330737e

SHA1
8ada0f483757fa0de7840e1092f6cb07483fdfc6

SHA256
19eca57cc089649222d5ae3e027a8436f5d71aff101e92cb2725c0fa8d00dec6

SHA512
e5c30567c2bc5245893eee733790c0b1195c8b4cc6954756313cda4f9119e910d3c64c9ade096c641c79a468aeee2a320e395ce6e08cbac963b269dd11b478f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
9KB

MD5
0e0cd9fc5f49141f9fa64110461b15a4

SHA1
37385288a53c7dad7750704580faaff9f82eb93b

SHA256
052e888adcd91a5ac12116932c4a3fa34d99b8b8255fddbf056ad4dfc342f1eb

SHA512
25e1e6f568726a290189b5002afdf38ae85ffde8df79f3857a5fa7c49eb1ef97c5a40afd5783c109185495f11f02fe74230dc61d3569d23ccd9be910c1999afa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
20KB

MD5
11f79bef402403ac760e9ec4d2887ff2

SHA1
50dfe8514fb8234d8bac0d90c87eed88a0c352a6

SHA256
9a900464aae41555c0b99d0a9ab08d4ed2d882d23b0f73236ad07ba62f0d182f

SHA512
10a64255db1085361ca785815cc79482bf80b26e06c4559e66fc68ee1615bb6370b9e8eadd5831f4cb59275046fefdc54c65ceef32c192a7c3eb930c2907ac9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
24KB

MD5
b624874e77313c1631055ab3e98187b0

SHA1
fbb2aa64feba9fa65e5afb04719c243f33729537

SHA256
cfe3cce96da946ce6aa3b5611c3ebd7c8faae6cfb5d2d26329c5944ef75b50df

SHA512
b7d781b890ba1ff209de0573faa0b099b1609b93cbc50f903efa4f7d4b10b702095f54a76208275d40009f4bafa47af01d517ef7e7a358a599823b4d223eb78d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
686B

MD5
c561add21b76f00866bc66f878910561

SHA1
74278dcce9235362a81911484e544ac2c097b526

SHA256
8744fdbe7c10f2b7f5844c5601074ad32f4e85b2c2f4a0eef929de306710509b

SHA512
2ecbb851b1d2ea315fe1a589401e497f79b82e516a52050aa48cbfd64aaca7b9cde73b92370a3ac26b0e83a156890f9adf062bcf62291b97eab4dbfd637ae052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1KB

MD5
c5b5f1f8319f1c9c266b3826aeb75aa1

SHA1
091edcb10f71bfbfc85684a03bba6ba9823f8648

SHA256
2ad24ef8d57402f5cbdb3e1f52438834c644b5a114421d432b034b32d298be5a

SHA512
1378b23164e382a9b3434227042c97babdf364b9f5670c9baa1293b71535a18a9b0218f9838547a2e9e52ab6c575ddb4f3ab20c87dc6186d56de7b601820b266

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
10KB

MD5
ff936befef86c4e6dab095c470d6eb10

SHA1
62628374c837162b3b06151511a0fcd961b83116

SHA256
7cd89a443b7bd497498e4b9753c1112388aec3be227dbc14e9c1f89a55f5fdff

SHA512
e44033d038e078a70de0aeadac116f4918dbdb699179532fb9adc601fd446d00121a1ed79c8f95601980420b23d0f657510211b7e37e0b3e788aa4d56d2cdf73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
5KB

MD5
63a2c14294ace285aeba6f343b2dfc6a

SHA1
56316a30d03e029a5389a8091bf93a2cfe587b46

SHA256
14ef8401e5b05d591bec0bc1294662804f62facb542d9cb7d06f7f4ee24f3cc5

SHA512
e837c12476924e2c009b1dda2f33d687e3a6c000639496ecbb890dcbdf3469bb382683ab9b1b704b6b222baf82f06af1745f66d4f19e0b92e4f89c4e24516dc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
23KB

MD5
6c6078eb7a9944936e3ec2378b36344a

SHA1
908d673056d83c6b5cf08e07a8d8d603d9547112

SHA256
b2454735b46be8dd06472a82315aecbe2e3f231339848d7be759c553caefb2e1

SHA512
0fa63f116198b02d24e5616ce207d4887240c493eeb5afa12efb169064696ceb4631b5e14ed794e03eabccc823208e42801e3073a2e6f2f5a0524277b2b00b8b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
64KB

MD5
3ab09aaad5c7761ea2d5fcaa17af19fc

SHA1
82b591cb9016c64b1a77f40c56453ade77897181

SHA256
c7da5d37f3f0bf11fd9ea182034a8baa6430e71a373b6fd1787aba342e879b16

SHA512
05ccfeb96c312f99224cf555cfbffea610e373811b0505cdacd2c044b7a00709cc01af83dd08ebb131280566f14458d57e6027f9a2746a977eb0e1a1ce0a6a52

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
19KB

MD5
4b1f5844574e31f004c8f85990963fc5

SHA1
4c7f0b335ce20fa7e160a63bfd18142b54d0ed98

SHA256
9bfb58cdcb8043ceca4483829f40da48f9ba9dbaaa477705521b9be7588ab421

SHA512
7bacf6b6b06d89320a76625d2cb372c905757b2d8a8424d8a293847b9bce5fb1ed69411239c65ec3c2c26ce4489fb9176968d6c7116f2c3df3fc7cf92f336746

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
160KB

MD5
a0ce661a891a42da8a61bf8b1161260d

SHA1
3ba76e7e00e0261c3025b12d44668c26055632d3

SHA256
3238047e7002455d3b86ec4f46fcc6c8353bf5bee8b8e83501db785c9f24777a

SHA512
c90a795dab4a874562c4124f360d411a84cd17613919e7ee747dc634223931bfa953e80302eeac8ad6cbf60893e70f53c4ed100bd6fc354760212f8b83c76a8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
32KB

MD5
92f01e89d3ebefe2a0577396f19c0bed

SHA1
582fd96488ace88bbb69c746b329da5b80b4ed61

SHA256
a419bff4f7c3945ee56321897c315d439a64f296434b67e8f7f89b4aff6f6cd1

SHA512
ef173b2e0cc1f4aa2633096c5d36af2bb3ad7fd23558ae368f92f0bf36e19548ff64c7e152b95a81cdb82ce775aced084404cfd65c9d933a664332ba3954494b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
76KB

MD5
9d0d638da5219b34706b7eace52e4761

SHA1
99e5af50f239d933ba9d2fc97e831d8ef58eb1e2

SHA256
96539c26435bbb36549655eb1b45471ca03778a3ac9703b812e91b05ca80ad89

SHA512
c25e92e2c70942bb24b52cc2dd76cd41133ce62c616202fee4147b3437c281af96de90c6fcf773267b92bbbe29a0748151d2f6c396e7dc5d7bf0eb45efdedf40

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
119KB

MD5
8c3aa99ad1aebb0a411331b1432f5a7d

SHA1
8fc2b32b022eb3195318e2da252d9924867bd8c8

SHA256
9aed8e7fd12c0bf870e601ab10fb54b1e67f65f9edd2b648340b3e2a1fbf2966

SHA512
6a1f6ce9f632ee5e22d0678b87bfc4de1d49016a82566f1ce69ba7e6607497960486d455a5b4371748e872d0a9e8ec168f633c5616a0f9ee35b19cce8fe9a6a0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
98KB

MD5
c1dfdd12ae5a3696f8b30e080b0b4178

SHA1
b857e8141feda87b5ec26df732457ec27d42cc06

SHA256
a4cf6f684a2586c1db3a75d979cd9e5b0b0b9d6391e564f61b18ac38126e6fe8

SHA512
0c75289bbe7f30e6eb9969e6d5f3986806c980a62121ba215372e3b0c43be35c5e145be6dc1a41f029f39fc86f80963f8da1f463449c905725c84ad052f4964d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
32KB

MD5
d02f4cfd21db1fd5db1a3b24b0b8adf2

SHA1
366e29e9a5edb2714bc84fd96fa366e395c25539

SHA256
f27e8404a00e52b222bb79eb896e3b1fce98679516b0f87df4b4ed668bf69511

SHA512
ef023d0d9b6e3b140542faf07e349536b9c85e220c9e0370a73587c1db2d381dd20abb17a3afda31775407fe6886643cb55918274723c5bcabb3b1d7f394d24e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
31KB

MD5
14907978120f0d4975486324a224094f

SHA1
7d52d1869826ca09c1ae56b48ab8761fe63116d0

SHA256
f4017be8e82a0ba3bc879dd2309b916e09e80dad45111fdef9532d89ebdcaeec

SHA512
f532f4c0821be9b8a97d7895f44e20dbae96ebd41c1d82683e76c6dc9c557cba20cd258eb354f7031edbcb98dd8f3322079f2b73f1635125382f25a5bcd3daba

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
168KB

MD5
c8502a2c3bf31724295845d6860257dd

SHA1
0dea604756d2bc3cce0487a86909539dd6ca9b27

SHA256
ca086dc9596b0057e1426e0f07ea280edfa30a149692f03a19f9a4267c8f9fc9

SHA512
0e1dd585460bcc193f1842dbed6c4d8bfda1acbf7f0c04f6cc52bec6326772ab8de95abc4a164788ef18ce25e04cea275897ed73828a664aa9a6555693c0ec05

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
16KB

MD5
a6e4db82933a3a9b99b94c639d379e6d

SHA1
efffc4fe4a3a6f4d8052dd56e0d8360363bce7fa

SHA256
7763e620bd0ef4c69a494b4e3ecfc0511ff17632e468161a8f10cac35365382d

SHA512
6db6a4a4ac9b961feaa8c9a4d816f7f283f5f6d47f72e0141f6b2843c6ea505fee31dd490252f06e0402abf0e36e30a38d5ee1af1a8d33556c1979ab06e49673

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
15KB

MD5
49a6a5f749bd97357a7877137d19e42a

SHA1
b17a79bec8bfe3a07bc0dcd66053d608d8d530ab

SHA256
6df0adc4b6c1d5efa07cbd0baf29cded781a789ffd3943b6d916564ea3e3d43e

SHA512
d2a55390f18331005e49b1736fe7562a5cc60ea7cbd6d3ced56b24f9a36038a4839703569497202114192b061063973122cac563f613bc9b4374cd1dddabb955

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
69KB

MD5
54e259cb5b607479fa46bb8037352828

SHA1
13c22c60e699b88007718382b672d84e3cbb4a76

SHA256
a59596979a962ba6d5388b6d49bb438d1a4133cd44e71127f92059efd920f7aa

SHA512
19e5c524d14aa8aa74367fc1639fc67e5ba2158c60521f89446862773285d8f2aafa974f5ae8192f80d4d7309a41b83b79fb2c5110bd2817cb689d7c12237196

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
51KB

MD5
2075e1067b329672ee2ec2cd64fa78ea

SHA1
601131b00d0daf39e1b64d2f6587ad93c7356ee7

SHA256
00116a353531cace6590569c8b591344dd279ec3c7108a7c1c37d8a9ff5d5ecc

SHA512
c7abce1a7ccb8650705f40fdd7bb3fd9e83fc4e38fb0db75cd2258ad4f3a61e900712f12f1b29fc08712e59583e6520ef53bdfbc4c910968fd44f32e065bd6d5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
15KB

MD5
10b235bf8d5a31f939fe262a7e0d4e25

SHA1
cd291491441132665018d071af19466f0373212c

SHA256
fab0d3c84f17ed8a0cc6c19205cbd1a2a5cd68cfcfd0201f81d4b9eda21f1d52

SHA512
2b36496772dd23922cb1335ec028544fb710b6e14c1fd41fce2ed2d6b861fbb1aed4f945f8e8ca2f6b44a5db209beb65a462d5cdb2af59043ecb91a901ec8304

Download Submit
C:\Windows\System32\alg.exe

Filesize
253KB

MD5
2e5239767729d8fc4836549cbb78b229

SHA1
858759433bfbab1d106fc7d9d8f2e077ca1bf7b2

SHA256
6e9a2a4de83db77a855be943ad7f45d63781f9637bea810b410e082d320789fa

SHA512
6d6bc275c7831103245b31f3394f0292acbaaa1e5c2bb124422e68d7e2bb968a77868539cc5ee2571e3bea2d157717fdf193f632abeb298858fa4ce7f27359a8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
63KB

MD5
3841b90387e14b0dca0cb0ad41108f2f

SHA1
b6c80f27104f122e78a0f7cf1535011e8c61928e

SHA256
97547a439a27eea253ecd2eb4064996880d8facebb32b69c1bde638c886775b8

SHA512
a49edfd3859911af79025e97c00ea7cee3dc700fcdb6c485b86db08f39fa549c6df3fcf4fa1b7c206a96c88645c76de53b39f64e60416976666ad19bd124d8fa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
34KB

MD5
4890b0dd3f6d6dee3a82c7f3563e8241

SHA1
947f4db0725604fc3dd8bc7b68b1a6f8d70145c8

SHA256
018fb57f16207a982973aeb99069178446d050a2912ea2d5dce304cf19e38dc5

SHA512
8a65fbffb47f34c1c245fd07f45cb3e00fd80d8e37deac3330218483d593000019fcc101dbf427e6e4f977c53a9a5c4be759c95eea69768f5c4eaa955e1206f3

Download Submit
C:\Windows\System32\vds.exe

Filesize
28KB

MD5
080a445ceaa6ed3ba46481d43c0cb748

SHA1
18e5ccedc8ce6f5cf8e7d8a0477ccad38e88ae7b

SHA256
b474bc972b039443f2381ca1bf9f258ef79765480cb8064694f947daa584c966

SHA512
8b4d3f604984b0a6021a26aecbe7cbea2d04ea6326b5de82179b3cfd7345c0a682fd8566facd5e9df1a003111c75862bb6e3b0bcba85d2cc11e711baeb8c1044

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
8KB

MD5
8d13f72aeadb0b60c37f25c9d0c5110f

SHA1
1d9d1d3d217ad2c8a47aa9320a9973e9f9f913be

SHA256
e3e7731754b14090f3132961a7953499f03a5c3070f516f9a048de505d95ae2e

SHA512
46fb36096d005d8960483aec44e0c0c9eab2fb8f8c34f5c7b8552b3d0c382e45995c8c4cc23fb4bb27b537130fe6b4c822e140692ccf330ba6c0916f7b203a24

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
62KB

MD5
8a4f60f72b5dc9b293f5605b0cfe2ed6

SHA1
3b962b6c9daa759b24f32d29d8094ddcc5468715

SHA256
45ec049d6abb35021015fa9364372a4fcc255f0bd79e52c631a6c2b07bec0f50

SHA512
d2f4fa44b700ebcfd09c6d0798f77653e2db98413d40a5a32ff8d5a8668711d6ce55aefbfc04123dfa4cd9e2713c7ea44ec238ef444dab68117dbdf2a6cdd1e4

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
35KB

MD5
1b66faa503b3fd406864c7dc17be74ce

SHA1
284daba5563ec0d51fdef9bfb7a44b7c2b224d63

SHA256
4e937cae40391dabdafe1900dc0d423ff83bf5ce27ef380397c99f38b124b287

SHA512
46cd94f7ff6e8a13aa24e38e3bf7743b154f1dc4bfe7aec9b390400bb8be6f45e6cbc57e99f5a477b1b3638adcdb085924db77c614b303039e4752766b4723e9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
38KB

MD5
5e75e0321efbea24efef0791eac4b939

SHA1
ce02753f39850fb1ace4fd7f17c905786b2c5b6a

SHA256
6efdbce43a84e3c3855ab1f7e51449a97b9a0f03015fb2d60da14216873c72ab

SHA512
642e0f86dd2357e238d32f02406c461788b00c524572b4d902efed62f9aef623fd2c1217e2d87c0d4ff6a04dd3a5073d6a1cac391fd8199aaf994d6b09bcddf4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
32KB

MD5
29fbd60d610aa738d6b06418d0d2bc2b

SHA1
959537b9c6309cb363e0908aecc1ca30fcbc0778

SHA256
58b97e7ce61834e3b3a0c99eed35def80526ea8d36f6b9fcc21458e0b6db4116

SHA512
7b4c88aa6fc9dcc4444caa1dffb6f7af32c344c94ed44269c84c0f6ab7f1abfd595c7fcef149194f89cc1ac1e499f0af321eba8ec4b2c4213277f96afe398d68

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
50KB

MD5
0a7798c947b20f675e1c8364dd968f9e

SHA1
bf955c644dfb4471341f144a119b9e5295f79fb7

SHA256
62be914bafa9dc616363f2c5dae5bc6076b6af7a803a572ad2cb2b8e2cb9d695

SHA512
4d440d14183d56a59c9e4accd0155f67b67f38cd822c5536427fd73f46f6bdb6734d8f72c93e2e21cc117bea04c829653d2523c4f1c83c94b02115b8bfc4012e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
66KB

MD5
cf186d1a61ba8cd1d44cadc2bf9af398

SHA1
461fa429ad0d7ece3bff72e710bc90c640892f06

SHA256
52422bcb09d512f5655f19af819f6837519840d71362e8987607dffe8289bfa4

SHA512
48a55c2726f88e83510e2aa8cccd9625fd11f9a97d1efb45144f342d20ef6aef8d2feb6f8472cbbdbee106584946bb76f20eda6b9c016a31df373d937f4f6107

Download Submit
C:\odt\office2016setup.exe

Filesize
32KB

MD5
4e47675a3f1646e9fe25c90d05a3c5a1

SHA1
fa2357ed131813f9f64b645175550c54e26d4bb3

SHA256
e4ae21b06a9f8412e5ab65034398c525d234dfce33f18c011b7d8b631d333bed

SHA512
ebb3960cf796eff70e2a1b6413b90a4c3ca5501b8bcda8b8aaed4a3a191f7b9c1d6fd2019a7c4f265c4beeeb4e67c8e8e7c847889adaa721a3b57a876ce13b44

Download Submit
memory/264-253-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/264-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/264-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-6-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/400-641-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/400-130-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/400-1-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/400-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/812-322-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/812-314-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/812-683-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/980-533-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/980-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/980-310-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1052-336-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1052-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1208-183-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1208-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1476-241-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1476-300-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1476-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1540-362-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1540-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1548-159-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1548-160-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1548-168-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1548-224-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1740-156-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1740-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1740-145-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1740-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1740-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1804-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1804-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2068-349-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2068-343-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2112-158-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2112-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2112-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2112-94-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2396-48-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2396-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2396-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2396-55-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2396-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2636-292-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2636-298-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2636-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2636-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2728-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-125-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2728-118-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2728-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3156-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3156-225-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3156-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-252-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3252-189-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3252-197-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3908-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3908-212-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3908-269-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3908-277-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4424-685-0x000001F31EA90000-0x000001F31EAA0000-memory.dmp

Filesize
64KB

Download
memory/4424-684-0x000001F31EA80000-0x000001F31EA90000-memory.dmp

Filesize
64KB

Download
memory/4528-202-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4584-326-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4584-257-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4584-265-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4648-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4648-279-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4648-340-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5096-105-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/5096-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-114-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/5096-111-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download