8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
Size

1.8MB
MD5

1d56154cf164bc163012c64913b9f309
SHA1

c22694d0e1640eeaddbf695c36362a20aa7c1f90
SHA256

8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4
SHA512

2bd9cbfae33ce0d2d7b9122d915dd63500c723e29d09b11fc072f0f46f33ba3685bf0ee950dfe53d14bd7cc5bf9f5088bd4d7376397cb3017b18693fa14aef2f
SSDEEP

49152:Hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAmbV2TOiwo6:HvbjVkjjCAzJYOi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3160	alg.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
5044	fxssvc.exe
408	elevation_service.exe
3200	elevation_service.exe
4188	maintenanceservice.exe
2132	msdtc.exe
4536	OSE.EXE
3572	PerceptionSimulationService.exe
3768	perfhost.exe
2680	locator.exe
2068	SensorDataService.exe
4860	snmptrap.exe
5020	spectrum.exe
2948	ssh-agent.exe
2028	TieringEngineService.exe
2812	AgentService.exe
1408	vds.exe
5096	vssvc.exe
4944	wbengine.exe
3916	WmiApSrv.exe
1164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1e3ea7a7c1fafa7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\System32\vds.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\locator.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdateres_am.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdateres_hr.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdateres_bg.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdate.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76828\javaws.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\psmachine.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdateres_da.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BFF.tmp\goopdateres_zh-TW.dll	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc4ab0b56b47da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a6085b56b47da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa07aab46b47da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b2dd0b46b47da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a168cbb46b47da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e36bcb56b47da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efaaf0b56b47da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab1abdb46b47da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0f3b5b46b47da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009da6a7b46b47da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
1596	DiagnosticsHub.StandardCollector.Service.exe
408	elevation_service.exe
408	elevation_service.exe
408	elevation_service.exe
408	elevation_service.exe
408	elevation_service.exe
408	elevation_service.exe
408	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	740	8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
Token: SeAuditPrivilege	5044	fxssvc.exe
Token: SeRestorePrivilege	2028	TieringEngineService.exe
Token: SeManageVolumePrivilege	2028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2812	AgentService.exe
Token: SeBackupPrivilege	5096	vssvc.exe
Token: SeRestorePrivilege	5096	vssvc.exe
Token: SeAuditPrivilege	5096	vssvc.exe
Token: SeBackupPrivilege	4944	wbengine.exe
Token: SeRestorePrivilege	4944	wbengine.exe
Token: SeSecurityPrivilege	4944	wbengine.exe
Token: 33	1164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeDebugPrivilege	1596	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	408	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1656	1164	SearchIndexer.exe	117
PID 1164 wrote to memory of 1656	1164	SearchIndexer.exe	117
PID 1164 wrote to memory of 2836	1164	SearchIndexer.exe	118
PID 1164 wrote to memory of 2836	1164	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe
"C:\Users\Admin\AppData\Local\Temp\8e51781a36e4a65c2aefc25e07b95ba1695b3aa0becc299f08e53eb2f8d9c5c4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2132

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4276

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d7f15b5d03e57d860cc8ae3b8e081c4c

SHA1
751b4d249a69319cc349b344933ffdaf74e974dd

SHA256
33e07c909a11a892315510c9d1e540f91e88c8a947e22005bd8e80e9403d1e79

SHA512
d4521a6aec86c9bdd79893dd0aff88a2e4319143f26ab82cfdadc5bf47acfacb01f52499a0148ccc302ee17cb486f9f453e5ee89da7fb89c1eb40a95e4a06f93

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
512KB

MD5
43c65f8942f1216e7b18e40d943da451

SHA1
5516ddc51b29f684fb4a953805cdbc08ec2d09fe

SHA256
defe7f9838ec06b565440f6db0dcac2c45597cef04021146c502cb50fdc851b1

SHA512
c3657d1c8476722b73c1833ff0a245217c78a3d45f9c3b84da5f397316ac90809cddd34e35013449a3e3db9edee8bd29c2abed1f4588401f426d5c06357e8716

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
334KB

MD5
74f3269740e96aa97d0b468b2e5c9cd6

SHA1
e5726e24087acb89755278c5c37a183260aabe10

SHA256
e38d20add1ff92d643629a7d22faa8f0856f4388da86b48bfa9454313101dd2e

SHA512
0aa02a4b98d12da3d0b61956e403eacd8ef27920761d4bde2c9652d1906f04ea3d490317c02a478b6c5d4d369cce99ea6754f4bfbe80afbecee1de31a3d64e61

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
377KB

MD5
6104ff9e5709126f01a6e6c497c2530d

SHA1
2a98ce0cf0c77e2ce458cd3aa398061428216128

SHA256
fcea4214316d855150835ec166bdc8af453f95b6713d8a9963dae35672bffcd2

SHA512
38bfcad875f10e1a1ff80c80d337debe1139a218a592fd1226f16cf308beddd952402374f2df573f54ebf2fd4e320798d74976ef6798ec92345e9ce2c6044b96

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
314KB

MD5
4b70386b9d27a1242dd869c22f897993

SHA1
45e55a3fdacda93bb5c7959851e7890b89fe04c0

SHA256
77543ac3e6cebebf8b0d9c26caec5da4ddbbe618bd7f76a8ebcd15aaf2bda059

SHA512
fa3f9dcb0accff6e9473ae03ef5e11065873bce3feb2e1c0f2466b6d945a93e5e7c5a2bd32b0b45ca1b62375693eaf3e89535fe8b1dd109177342463c662d395

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
417KB

MD5
7c25ed013aa42da6a922b864f0231771

SHA1
fb23ce6fd75e9172cb6c23fe756cd530e7284d6e

SHA256
afc073a7693620a463529924799c59d09a31aa2473b08790df5da0836d9b9117

SHA512
5ea387b5b7b05f2a82b0d92a1b60787db811fc485864f0ff4f3c2ddb0fdaa9798492256a29577a0e75afb9ccb8b90e0e0720393ec0b8460e1794c5c79780e5e9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
291KB

MD5
0e5aaacdfd3e12c2ae7372d55f9c53c7

SHA1
1dcd12a294fe2370f30671edb991b96aa31198ea

SHA256
d2ade89872e0d81d90c70fbe9b57da4430485d21dc09b41efff1fda5fc1de878

SHA512
ce7d9d3a1d6c479f06d54bc91af87c5232faf229f9f4977335495be0686d94a399d316d538fb72f4e4053345cee811d61acee563bc22455759671c2ffb75c2a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
180KB

MD5
fe2a244ff3426eca1f4c35f7f9616342

SHA1
2906d015f8f783d6024ecc485212c8d112ed8f20

SHA256
5d2f3b9dd748333ca64c451f100999255e77ac3448a6d0812e8364b361604e25

SHA512
a9cd27273113b6781945f6be1bfa2f0b9f7410bf7e23919d03f495b81aafc76b280e7b743953ab75129c942fb11bff826aa1fefaf11d057561dc9ca250f5fa3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
302KB

MD5
b14a3de20aca756c6e6065352f022a62

SHA1
cf430b31ba10dad1a82216345f48dc78d261c73f

SHA256
e2928eac7228191e095d852b2bf234c6eb7f4e8c08f4100e49d1c7aa824b1aa5

SHA512
96e9e722646387381264e70d5d10a95bb454f6f0d0e2b9aef5ac6a5aa9545075e299ef65a60808d195ddbeab4baa2c8d64128171049b98c7ceff393e2be05e95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
379KB

MD5
a9a915302b04688b69abb2fa5366aa66

SHA1
148836c07692e0801ef5ecc4eb2256b3ab2fd6f8

SHA256
f2789d45a02eae503b2f2a4c027dd323703c328cbf8d40d618618e5a6c33efad

SHA512
33cad03b3f0c0fb508e263faecf96506b56655c6ddd7e4b2e3ddfd46ab0b41e24d10999532e06c3a0a3693ccf194cf04180d239ef0ee29156216748d5ccb4790

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
255KB

MD5
fba179708f8bdb94d62371f0ba6ff167

SHA1
d39ddc74ba9bbfb48af0e8f39468a255137eed9d

SHA256
f55aec9193ba4bd0242497d3226ffbfac14936df82ffd114fe44512c6fd332d0

SHA512
2d57813c20ec8689bb28b6848eb130c85d1a5618e7dc84bba92c38eb5cbac76094245027704fc9bd9412fa0b890d27c9ccd69d04248e6351841e26883e16676f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
346KB

MD5
f36547e30360bd97471375a3d64d1713

SHA1
b394ecab3bc34b32755a0d3ac65bc02fdc9dc3c0

SHA256
828028c45a3ddc139017f0cc2f1b617b0bec3678feed3a67db1278f1ff78b108

SHA512
9cd094a90849d70e8a9ce879e090e30851a71bdbfa7a40bcad73003460234741ac3db4f88bcd7d25e41d256adf2b801a68c513f9d5244d785157d7f922e40a62

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
332KB

MD5
68e25b71e8c35da4dddca4ff79cea0ce

SHA1
d2088bf23a25e55c142768251f1f7d2c047467cf

SHA256
248a57849e09ba9a82a69d51d7b7c4133ed1564d67be834d250c7979eb0b9414

SHA512
d4ace0340373b40c9f4fdae83ed2f25a612b30fa8c65d6d0ce6e6c6b43367847744390f1f9f8ec6401869d1ea7ac8837ac9641705c1e253a870160fbd2dbece1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dde9b110ba42f01a03fda03077ea565e

SHA1
8abe69586304ad4c0659fc6acd936b23c4cc8a83

SHA256
bb244e05e05b07a910736f3fd778ede2d62ce36d354e587796ed97acd19f8de2

SHA512
6ba8d105018e327aabe9f3825a7d345a51ad7fb02127b251195a9c51d2fa685a18756587fb0f3ea1e980b13a1c9fcc41099fcb7f5303983904c0534b58de386d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
81KB

MD5
95b0e7f8a207b0c97480c6dd81469134

SHA1
c54759e8b1c3611cde87dc4f6ccc850a71ed79f5

SHA256
9451d0553b12030c0c16ade0e636d74ef341d080cde71a0d1bc152991e4ff5ee

SHA512
e0db03284da3d90ffaf3f1063011d688f11a9785e2c57d1d3a860dd47619451f1670c7328b407290e33ad2733e986358e99617d47227d7d20c19c00ef36c99f9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
339KB

MD5
848bf1f91db5ca2c759b8131bad48663

SHA1
6be247222b1184930180c8967bb8ea94f468ea86

SHA256
81ca9fcac8257fa51b18207f9706ec3d6b4061da6ebde363d7351c7c9ab61e47

SHA512
74688080f317f416aaa26b58814f94996ff0fe212b3811f2881b621cee8ba31e3f0858e38bfea58615c9b7ad076cbb696ae016ec533c194125704e30abf0ca80

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
307KB

MD5
a6aea0f8d178c4bcf9217da8241f0812

SHA1
e6acfd66359c7352ee853dd48b9c6955fad70596

SHA256
2a6550ab0efa0d4d0bf4ed35bb80c8f27f9f6056be590bf5ed3a5a1c2e29fcb5

SHA512
091d69575e6f708bf416aaaf7f7d5d93727f6d24c8d45dc3af9e17682f0cd3e1801d7ec9e107021950637c2dfe6a0b955592f69063b3a97166e80153f3fff0ad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
287KB

MD5
2099f5df864e67cca7573735022fedec

SHA1
ec9b2c389d0e9dd5a95db846e5d7eca44acd2594

SHA256
17e758630417135885e2aad1006d296ee6af3d0499acbe20ea137fb6a636740b

SHA512
f570e98328fd6fbeba2f8fbd6b434666265f945272ebc60517b859eb6292ce40caf53f6cf2bf5c1a16493e930a901a28c5a8b46c1b8cf5a3fc9a4103f5cae9e4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
9430ed26e321e763915357c99ef2d936

SHA1
1107fb1c29aab89184df795805f379906279c51b

SHA256
9e546aca20cbd18dce06a7573a8d71c3de74c999ade587cdfffc440bad96a0f0

SHA512
e28dd27b4cfb5b60e3e01515b53e8407ea4d52a780ade87a20464df06ff5a477785889af02fab1da7c8be8b22f4f36f932911d97a9de41563eab27ee60e6098c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
249KB

MD5
93589bc46ad0a5cbc37b8a8c6d1edb55

SHA1
000ccd5f07630ae21fbf08b19c87fa7d28ac6aa8

SHA256
411751129feebb477445092a8e5379be7b7cf851e00c6ffa30db55f1964f95e3

SHA512
80138680bd280a7cffb393c73de814c26649359cd5e11db26b42f1f6740a31fa6116a90322ce817f3fa580c6da36a0243c97fdcf0cb178abc44c025b6f041f67

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
319KB

MD5
e8d0a7e034687e9b7f654a5b59ffe268

SHA1
9f1670c8cefc712ac83886fd7748047e07bd6382

SHA256
7d8757fac56e73907c507bc1aa8e543bc46922c60d94fda6d073ddd97cc780c6

SHA512
f54549c3f795fea1cd6f3b9ea2cffd85af57115a10aba51f9a130ad138e65a2a23142981e81cf5c145054459d8329afc70b80d9b7faca51614920659ab14e6de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
334KB

MD5
14e81ea472d1cdcd8d098410050ae835

SHA1
6556cf3bb359ec8e8071875c23d8b1ffcfb7946b

SHA256
79140270d3b74a70f097088a4232c9883be1435ecec75431a50df98ada96fb42

SHA512
db8632f45fb790eb0532da4fc502a45ff668ecb300ababeb408cb1cc7e6d75dba2248ccdc66cf06125159afbac66dd891b58a9f2b3b2b96d4b608f6d6518dec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
240KB

MD5
387fff8a9ccccd8892d509771ec09175

SHA1
29216706d994eb5caef4fcbe2d4b24c946f2e25a

SHA256
11443610f89f9f79ba54f82f1feb0e2db40ed796e4cd7d16f8114549e74587f7

SHA512
52428f6c1b0afe32e72e8640d54f9022e5aca93c06016c898b6862ced419eb2412d0894261da84ea23ccfa6a350704a6af212d315f71e85face5ad94603e5e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
318KB

MD5
a43fa26f5d546b88f69cdf6e2729bf02

SHA1
045803991a0b46f2ec9d9a0e57c9ef88a4fe791e

SHA256
5e918a22b3b195f2fdf94372d734464ee6a63a408f96e5af3bd2387436ed2fae

SHA512
fd7151714d674230cfa3f415bebd815111faebe4a86033ddcd29ec04eb3722068994342cf0817a36d7ac2c2a3c58d92292fd20ceb792314cfc630a1f6e94ccab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
254KB

MD5
d946d3950cf0ee7c59b9f9f9d3dd83cc

SHA1
8b6434560414c29082f512abc207efacf5125f39

SHA256
f72e6680444fca9bb1f6a021fdd15bf9e29e1a5ff9d6a2d93a3027e55a5acb32

SHA512
17bb996c8d83cac4b0cb429b9e6907a3ed5342b36048a5af497cae1372cd50294ab9bbe181aadc5a038af6896695125ca9fc3a2a2e00e83a04cf73394bd74068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
270KB

MD5
2b67c7f961a4df947976d91834f6361d

SHA1
69da34665127082c1d4cbb662e4b04056e5c6707

SHA256
78062115c1ae782093396596b551c5c21ea035fab4ee02ca8202a63290331b38

SHA512
e17f37714ebc167c58a5c37d91747d68fcff7a20a7d4f973578a0409096951aed924b08687db31729d6a673fe3e8430436ce273ac4486cf028affb647aa83dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
301KB

MD5
e008c5e7c53789dcfd76f82a958fc306

SHA1
14b596de6b1192b1ae571894caf7071ac56e9a83

SHA256
a8a2495118c6d1c3bbb7700b6e841b2938f56ee0adede2a81e60b9b57c25c9c4

SHA512
e003a0e8c0e58a6b602157e802e8537b131ccaa89eeb7daea7bcb3741a4f56e0b32ad1a141b35e757b8013438d786438e3b0e47557257ab5282b3700e55f64eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
132KB

MD5
28381f8c271e82d04c7f8a96b7cfad69

SHA1
204e50c90d4ff5fe3eadb0d44b2bf1f650f29ac8

SHA256
e50e8001d9b730b1314371c5434bfcb8529a15cf67b674c481e23bd764bbbfb3

SHA512
38312e2405406af0439d0531f300a07c753b33ca7ce290a57d110c91f85e3c4a038badf75d7ef9e1c1b4650f3aacd77ecd3e7cd78eebdc57b40ee3b5a8e9ee4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
46KB

MD5
8016ae8a54b96e45cdde567f8167c5e9

SHA1
f3783b78c0de5716d8ba1da8997ed59cec09a14e

SHA256
8f59d18b9f8215552b338c7a6698dc4a4716dc83453a468dede87d320d06be9a

SHA512
6d474513d5b10b7d5a9d19293c18255b4f94256efc8fcb05a0e46e40f9db6385b69d5390d19bfc6b5d2cd5bbd9f61261fff7f46782daf8a1d870b0000c5d08fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
128KB

MD5
d123b6db94dc0ddf4df42f76a99e82c6

SHA1
7516a856b0628acc476de45c350a922145a561b0

SHA256
38b61e56947caf476ade459cdaa7477a1faa43c06a66a8d1839ad1cb92f2da4a

SHA512
dd4a9166d2358c87ab79a9d1cdac64dd179437034990ad0e7db51f181d1f2bc468e46f5251c31dd0dbe7bed76736bc254d1fa42188224417db93f8c5858f96fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
125KB

MD5
b5230c597d98e877f006ae83e313433a

SHA1
862d004ed860eb0d43d92cb2bb39ede9e72e90c4

SHA256
cf7f803691a3631f65f05fe15dc625a71deb151581f1ba7ef892b336b18f7c21

SHA512
ed952c291ccba122e21433bb83015e8b629a210ea7ea2b02b005a6c25de91ee940578baa6c6950463becbf735cbd252bd785a3795671dab307b7998b4b3b2390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
74KB

MD5
9ea8fc38e6fd9c5657349d7a662ca5ec

SHA1
051beaed90e24dde923d250dfabdc4bb42797e30

SHA256
c387e209ef92a54c0f4f5da5f6f2d6b1bfd982e979c3fd360981d4b35cd57504

SHA512
33acd27fae413838ea8d46e2fbeebc1d0a23b0c792c2587a5e4954acf97a4953cf67d4767673517a9f4dcbfadebf7bc0135dc05e707f57e44a982fbea2fe11db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
83KB

MD5
0cd1bb21f2ad2c32f6e6f4fed62ef211

SHA1
c4b7bfd60c5a0705032e9a33d22998e293a4f029

SHA256
7f4c78cf6b47c1f65c379e74251570ca908155c24801b34f652979f9b4a6779d

SHA512
4a0f40b894492e8c11dd511969601ead2454c7faddc800cd599385c238f2ebeb64ce05615d363589fa5264bbef56ccaa17e127a41c3e57b96ce7d8b22dc1e0dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
51KB

MD5
027b299b0cfee8bc2fa598cb8bf9f8c6

SHA1
4eec0b6b0e54afe585ed1bacfcdec0d79eefd4b2

SHA256
2aafb3a816e0964a1705cae73eb11bf6f14b6d05347c25ba54051f144532fb5b

SHA512
720a571c6b651199a360c08a06c315da0b7fb7fda6dfb0ea46a5fcc882384f203c7b5abd40bf783ac33d93cc9d80e9e11175b2e0fd14524f8a3cf4804a002632

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
26KB

MD5
e820b451c139dd6d91fdf5078fded18b

SHA1
71b7264369bc7470f4069f0abd080ea6e736b5dd

SHA256
66a866fb32c508aff1a80b3c7d0c4158e50911a47d2f9ff783b56de4fe896c90

SHA512
c4522a54a9656ffbdc2415484171b10b76aad3d78feb2939ddc5fdc26c44cfda604c75e5a9fb6b4f9f0b4c18c7c0b65a3ab1b7befda759a54fd3cacdaa6edcdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
57KB

MD5
fb9c05067a759ae20a06d317a46bc6b2

SHA1
91d744e705a111147543cca93b74b7924ef58b8a

SHA256
6086defe74612ccb61fdb22a4d49dba5e75019185e11a2530acdc2973c0eb973

SHA512
b606ed216bef3933349394926fa12406c12b85c74bafaab2ef8907b7fb5c24929a4484c75d5a76de9ac2a0a5a6e33c3fdfa492bdef1edcf7a9be53b0a2883ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
91KB

MD5
7d619474669876a60c28b384eb059237

SHA1
70b0a3ecd1f359ac850ce2cc24c3e1e81fbc5275

SHA256
1a13b112e3af16f525680f892ceeb95c4cfa1ff520a369c219b51a8a844eb9d7

SHA512
479773d29b6547bc2e70008bb0dc8164d9d552bd56ca481b01c4a4aee9fe13c332563aa95a3fba47779d5561f49844be1632f2fc0974d12d2d308f80b36b414b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
116KB

MD5
5dccfada977550f135fea69578f5dd0f

SHA1
8fc93872acae784ce9ca95e2047e73d830f4fa3e

SHA256
3b6cbe33bae4e90b0185024fcaf49f3276bb668403aa0ba1e44d5bf4afa1760e

SHA512
f61c17bd785d0cd92beb4b4d649249b325f5575f51bf9947d80c01f579a2ee4038974e1658ae52c32d7e8ec9fc859ec0ea63c41139cfdd7d3f9cbc4b8b311347

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
324KB

MD5
9ae3df6848b3cb5805515d809799d93b

SHA1
b4c8f9fbe58845a988322d633538b50a2ea9fff3

SHA256
23595c9a5e0bbd6fa1c1c4ff35472fca85a9e1e7cf1cdc760adc0b5e90b161e1

SHA512
c54c17e5a62cbdde92d81930ccb5dfeeea7d1a438c395c2cb9e2eefac7db5b978be218a0eb8a6245548ae3b317840557b3b4d6a4b02d87e7a808a0dfc01e3efa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a3d199536a2b44b523814b90d3811db4

SHA1
60f3d9bb0774a708d9f5b6bfc9ed823a9e72a45e

SHA256
e421b66e4cc501c82d24e6fd9934a19f32dd7ad29bdffd7dfe6e38eb9002b909

SHA512
d321414589646c04b5fafa5e7de9321ec5edf0f279be3f09d68ccb5dd26ab058b2f5ea8ca44f85343d6cd48bd6b6b7d168a5b15d6eca2f1f834469fccb21adf3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
416KB

MD5
5454a1408226f54df4c5a6428e81b59b

SHA1
8c5c8f5400656fbc4ae5e299725f7714438853af

SHA256
f09d809e96855d683e41779c4a00c6f1facada1f92bd82a699dd7a407903eb70

SHA512
3074abb64d876a57f3b7737f16edac2cfa6ac58fa880499b4b242c397eb72d57598cc57634e878d54caf9faf8a197e8da00afe201ae0dcd7524aebfbce9f59d1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
750743949e09b677db788e712504a95f

SHA1
d29752a2329bdfc84774a449c74b932273133ad0

SHA256
5eade752eb709a3229011ce9845a4db2e93bb616dca85365cfb04b0123b353a3

SHA512
b8042467c4fbf1c0642df7fbc7d9e3ae241bf7478b246105fead94c4279fca568d0022bdce04d4c2baecc7266ad5971eeb6fb87237cabef7dd5047ab411eedb9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd0d480af60e0ae521170adb32dfe757

SHA1
c43699c09a6871be549052c2deb51e4993f77546

SHA256
0525a1889e58f3355998cb664e556f475851699f1b768611fc49b63335023fb4

SHA512
431afe1e5fbf7d3196599a8fb286f9b4171850eedd236c309f3fa79c3e3d27fcf0ce9d77ece58c6eafdd2870463a3e124c5e7a99c3dad05e12e21fbdc54f11c7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2c066a12ca0f1c406151a7566302f792

SHA1
c16da3de56d6b1debf0d3de5e086a52b3fca7b62

SHA256
b9010932d4106ef24d9952031860d689996cd540ea42604360801c34bc9baf0c

SHA512
de03ed7bdc76a7e08657f350d4b088af737622263309169f1ab7fbb3c3dd4b59f776e70f8ec6cde3d379f455caa670678f97b63ffc1187dca497c3fada887205

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
900KB

MD5
e9480c1fd603c6d10f5a0df45c851d8c

SHA1
e8dd9cc1567c589173aba9b6291f157623c2cb1d

SHA256
0b2b9de44465f49737e62dcb3d0963756d1ccd197344ecdfb0143a8c1e4b30b0

SHA512
ecc2426af6569da0882d70010b1095c30f54742851f214973060bbf7626c95efd2580127fa24ebfe40f24ba3383a7875c1978209759f2c02944b97b75f3e89f7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
678KB

MD5
ab54ad0f110919b73bddd6adb07eac5d

SHA1
1aea82d2696422285bf3e2e1e7568368822e09db

SHA256
93f13bd955b9054701abe15c120b3f3d8d9c3e706bdfb29e111ec9aa2a881b8b

SHA512
0ce3c432dd91f4f17a57f71ff129c4c91336d069c708d0bc5453a8220007cd9c25b0a5d8e7e0346169a6876bb97756ca0e3dfe498b696a44855836a695b56e49

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8cd5f6677008baa4106651c702ffdab2

SHA1
50d9707592c5cb158db1e50bac4967183b5cae2b

SHA256
2427258eece52cc96cea4e0d306e75e503494ea1080e0b2f21b762a90ffa98d7

SHA512
12cd356b0d8cbcea3a2991a5810a1777e9525569f6900392c2faac111169efd8eac4db20ef42aa246d435f548d8778808bf501e722332e982c2ba7fe701c141f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
18KB

MD5
64e85cc28444192adbdbd6f6d10e775b

SHA1
f445c1efc59faae84dc73e56b0569b21bd92acb2

SHA256
19b17dff5a613587a57693fe9cc1b5b15de45dbf71093e4626b6d823b9974b07

SHA512
81d21e546a8609a255324afce52410a8212c1aa8870ad965ba85d94fcd28a0f2c558d5c76206688b5f0015f231f9dae515ffbe2511c9e25f2a7b411b76d364d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a8c62d7be23283b6d28a017567706b31

SHA1
c102219db3c89907682690f3f95236b3df448329

SHA256
1232f360b7480befab5958ece6531d276600639b6de25b23c141b2600e777cee

SHA512
d2c643ac582c72da367e788d26dc003a252228d2514c4fe8528d6698d6311b23b63639bcc0c50258bcafc2b816597e7ba4236651e51fc19bae897a2460c47ba5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6298e4bbda327b06206166457dd240b9

SHA1
58107c8bf367bb4e2eefabcca173c6c78fe0f62e

SHA256
00ea6e40ddf4041168e576d8877305ceb25167effcd9e19493dd162424c2056c

SHA512
3a720f893ff31f78912c374779e87328553a13f1da5acdfbe9c57abd2ca8e1bc51a3510bb5c8eb6bb0416a060e955c6fb85808ca32571faf9822d6bda5cf39e1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
438KB

MD5
b406fc3ee3d716f13b630fc87842872e

SHA1
fe547686ddc97158de518a2ca52c245c68846196

SHA256
0adaf1da5db356509797cfcf04b8ba1fa4f074c62e3ac9728a6cf6db23bdcffe

SHA512
47004dc55837bd6828fe89e86c1c2837b694bf3e5e719423e9af88bfcd312f9f8f52b98127176ce8d2bc8a2426a2745fffc3306f969225de6f4ae71a57b3d25d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
115KB

MD5
6e228a8e9664082d6742b1621c9f44d5

SHA1
6d9e970d6ccf73878a32ace23d614bdcb7469512

SHA256
65c5ae9035e761ed4da2a40ef1076e58dea4c32673f143397a17665502d0b230

SHA512
e82c25301382fdba6a8ca6f75c3219307b6a0dd0428fc36fd9557afe3411ec940642665478cb9599123ea4db48713e8333328c317df3943c83f76434df27028a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
efa79136a660b420cb9e0e610d4fa36c

SHA1
e942a76e51e737f0c433e88809559f5cf8544599

SHA256
cf2cb9366ef29e9f77cb6e935f24b7065fe3f6b375a9f8834b5118e2305a28e4

SHA512
c2ada104f70d57f50166d5e3e64fb7bc3c3d703e78784d77640d5746d7f5b97a74ab60da60b1bb48abf6fa57791b8118d103e7f12421fbec7e0dd7a2777449da

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9127ce32878818bbcc9fe296745eec4c

SHA1
81cd3f94ada325c764fe12c8f033c0ac1b42b5b9

SHA256
eca2d7b77ca6a0181150cac76f6cfa767d9501536be9066ceceb0f7290a0a1b7

SHA512
99ab78824a11d22ce5b661c44e9e6181817d3965c6dc96419c92078b7a2b905d419d8ac3a2f66806804730b4ecce09984c5c57bc1b041677c35c4f29c885b969

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2c18ab50acd43f4ef6bab899ece3d702

SHA1
8b737e942e89889f7ad49013fa6d7b5bf0727b11

SHA256
5c7fad1f73a5d3564351ffd8e23f263065446d11a95f818441755d7f47ab59b3

SHA512
8a562faf6569747789c2031d3901ec90c11722e192ebc1fdc91a60dda245a16dfb04bb00749fd48783bd94fead7f38543f692a594bf6ed1238c735a664e3fce3

Download Submit
C:\Windows\System32\vds.exe

Filesize
209KB

MD5
c1744ab64ed43c31884894a1431a89b2

SHA1
6b1f99ee24fa20536e2c1536c0ac0f0bc50e6678

SHA256
bfded944b888c14d76f07af923b66b6ddf36aa96930c189138b90c75280ea747

SHA512
bf1273476b18139678d1eb6ff02c06efa228a7c2630c10e2e021d2b96257e768a2e1068eb416ae4e12d44ebcd6b971109832745c91b081c90877b1987857767d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
814744bc2feae1a9216ee1c44ff80fcf

SHA1
7c5fff9db44b4ac8a03bfcddbdd82c66e1303709

SHA256
9aec7fd15719d9118396e85ae6cbee59d4e22d731b123f0673bb1523a5b6c60d

SHA512
f8107d0cc8f37098baae6d2ea8a23d4fdfc0d0fcb4b468c1820a23cbe4d089048f3622e74229b4b1604262d0d17b0cee6d04459ddd0947c12b2866ae1a999683

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
110KB

MD5
613ba24c6b9eb7e19f7fc0a33a4cdf79

SHA1
a3ff33a9f42fa2e185a75af5c9a5e1237842bbaf

SHA256
36286f364a3379d40514dac350e577df21203936be12a25e06c595c8195b8698

SHA512
a02e8d7b2644a483bafbdaf3a6a78ac18432f6954bd9882a055c369d0dcf480e60d62efa243b6f261611bdae9ff8332eec7ed76b44771f985778451df3fbc0fa

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
121KB

MD5
ac6686b0b87241b9e946fe316bce132b

SHA1
876b8908cb4de3b8644237a51cec8743e88aadbf

SHA256
aabe64f7cd9f17fc3f506d861c772f6a2a699b49b0f33c2c007056215ca429a1

SHA512
7deea4a7c3da0b5f721a6028a996263b7f4e2d682c400902362939b523afc882e604513e9f37d8be498c0a8707039eaa0615b5e54c730dd98cb19e490802b143

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
923KB

MD5
56424837292e13a34800767b9fbfa583

SHA1
3af4849e438b8b7ac805f709db0fd17062099544

SHA256
f7b38e7701285233c75536d9bececcf0294532aaef6c6ca25f653605f3971284

SHA512
28cde4a68587da28dde6395ffb65c63c8533905f47ee8c8cdd32ced695e00798820b98affc524e3b790c46188e9ee8e0f1a5fb72f565526af8b2a6d92063d436

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
318KB

MD5
c25915941755ae1fbd1e627595718e4f

SHA1
afee8388d9cd2b6536c30331e29c75244c9c8e21

SHA256
fd9a07ef1a91667f68853520eb6ab5b1524edb095329fa0b5b9ef938fe05c868

SHA512
2bf4d804e56c90e9090d93f3368dd65a67ca8197bbfc4aefb4b1250c413ae0583603e33e13b9baf56eb6aaf6c5439ca9d8a8644303a7633d58fb1459d6942093

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
403KB

MD5
0f28c115d6194bd57b24a4f379747b63

SHA1
218c0df20605d0f2a58b2713a016d6cd9470d8c3

SHA256
5198e8cc110f37bb018756576a6b49eae0b747b569effc1c96cd851b1b36f6c2

SHA512
922e546a8b27b8f57598e98380fc7526ac101724e739b8ef58a223b3236f15a958247efb75a391c38d11544d89ab432e27a3dfed38113468e5e1c8a06dc99d7f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
498KB

MD5
1e4e784d9ece41e096b6518a983aa241

SHA1
d3dea2981123ca071849395138cd53386986809a

SHA256
b31f6d814ca9c5d853493d10a63be06036e7c62d5d6918f958827821af79b0ac

SHA512
d7fbe8ee2e5296f70f3ef1be5d067b902e0c645c43c69c6062f64d3a62047820161fcf6d26cc2d2da5ad2a4f9044d3cbf135ad86c82e4f6bd737f47f1a988da0

Download Submit
C:\odt\office2016setup.exe

Filesize
348KB

MD5
dbcd889832cf727a64cdf89f79b9a2a5

SHA1
7f42350e5bc3d2b5e343a028eafe3a39fd294f3f

SHA256
9f8a066fab58e9fba5b8ecfd0d1d21e1ca9f2a66f1d0c39c6d9c3f23347d4755

SHA512
dcf1ab807fbe88c3f033f2a9eb6c881c12461d9000a741709c46f2d67cfc6c016f16c751f1257429da6fe93777e07306f42b848bd2bbabc36094f326eec541dc

Download Submit
memory/408-167-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/408-98-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/408-99-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/408-105-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/740-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/740-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/740-123-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/740-518-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/740-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1164-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1164-630-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1408-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1408-604-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1596-143-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1596-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1596-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1596-90-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2028-591-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2028-219-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2068-233-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2068-185-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2132-139-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2132-191-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2680-181-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2812-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2836-619-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2836-596-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-610-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-601-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-581-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-567-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-568-0x000001712D240000-0x000001712D250000-memory.dmp

Filesize
64KB

Download
memory/2836-582-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2836-570-0x000001712D250000-0x000001712D260000-memory.dmp

Filesize
64KB

Download
memory/2836-618-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-597-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-598-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2836-583-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2836-599-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2836-605-0x000001712D220000-0x000001712D230000-memory.dmp

Filesize
64KB

Download
memory/2836-609-0x000001712D260000-0x000001712D270000-memory.dmp

Filesize
64KB

Download
memory/2948-569-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2948-207-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2948-216-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3160-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3160-138-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3200-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3200-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3200-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3200-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3572-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3572-158-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3572-165-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3572-215-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3768-222-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3768-171-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3768-176-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3768-170-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3916-238-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3916-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4188-129-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4188-125-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4188-136-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4188-121-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4188-134-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4188-130-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4536-199-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4536-144-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4536-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4536-154-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4860-237-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4860-188-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4944-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5020-193-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5020-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5020-201-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5044-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5044-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5096-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download