c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136

Analysis

max time kernel
107s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Size

1.8MB
MD5

bab717fa13baabbbe4225732cdf5894a
SHA1

b3d16a71b22515236a0f560411103a7e5a2cd3ff
SHA256

c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136
SHA512

8bfe0e0d77a5f42e5c3a526f500693e31744ac3669d5bdc66272be8904c794b7ded7b926fade4b7e318286caf39845f95a765eb93af762168da270f06b3ce2d8
SSDEEP

49152:zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA4gDUYmvFur31yAipQCtXxc0H:zvbjVkjjCAzJuU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5040	alg.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
4292	fxssvc.exe
2260	elevation_service.exe
4080	elevation_service.exe
4448	maintenanceservice.exe
2240	msdtc.exe
1816	OSE.EXE
2604	PerceptionSimulationService.exe
3868	perfhost.exe
3476	locator.exe
4084	SensorDataService.exe
316	snmptrap.exe
2212	spectrum.exe
1968	ssh-agent.exe
2064	TieringEngineService.exe
3244	AgentService.exe
628	vds.exe
3112	vssvc.exe
2976	wbengine.exe
4688	WmiApSrv.exe
3904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7cd1679c1f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\System32\vds.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\goopdateres_sk.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\goopdateres_sl.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\goopdateres_am.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\psuser_64.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\goopdateres_ro.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM419D.tmp\goopdateres_ca.dll	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082ece0973c4ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001033a9983c4ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fab80983c4ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000053bef973c4ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000decff973c4ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082ece0973c4ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e61f6973c4ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003813e8973c4ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Token: SeAuditPrivilege	4292	fxssvc.exe
Token: SeRestorePrivilege	2064	TieringEngineService.exe
Token: SeManageVolumePrivilege	2064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3244	AgentService.exe
Token: SeBackupPrivilege	3112	vssvc.exe
Token: SeRestorePrivilege	3112	vssvc.exe
Token: SeAuditPrivilege	3112	vssvc.exe
Token: SeBackupPrivilege	2976	wbengine.exe
Token: SeRestorePrivilege	2976	wbengine.exe
Token: SeSecurityPrivilege	2976	wbengine.exe
Token: 33	3904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	5040	alg.exe
Token: SeDebugPrivilege	3484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 5664	3904	SearchIndexer.exe	117
PID 3904 wrote to memory of 5664	3904	SearchIndexer.exe	117
PID 3904 wrote to memory of 5692	3904	SearchIndexer.exe	118
PID 3904 wrote to memory of 5692	3904	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
"C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3860

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
259KB

MD5
7f126c71809783a418c1d2e3d3f3c86f

SHA1
f084d57e65c43f7c8222020b4e5c7d40367bef7c

SHA256
de38422eb6b6680e8ab809cbaba78ab891ec53f5d408569eb9369c9944377973

SHA512
f3aa7db513e8a7b813dd1c31dc417c86d9590ee37417eb9e87d206e81bd8b4ad7dedf5361bba01657c4f321511350fb090a86f979d6796139f2a701630fc44b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
195KB

MD5
731008d6b2725d7775915ec5b3341390

SHA1
765a86029d0bd2021c33fae33098639cccbfd2dd

SHA256
3c6a962c8dd3b6ac41632d20e3ce1027221ece8d31df61abd08284411b639f4e

SHA512
1ccf96e5e4098e1de46846ef9174ed939e44cc9a6e7f4e06cbb50a4d5921939e5d77e6244855ebd6818382b8189fede92155ee6754f59a38b27f975254ea67e5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
67KB

MD5
dd271281761eff408c4d2a26b46642f8

SHA1
68ade7a0b55e5a4c86f5663ed94f92895df99351

SHA256
62f9d2adee62620bc3e609313c4eb40689e73cbcd283cd94464cdedebca9bf26

SHA512
68e2bb5fa0a36a782129140a32e515a9a455b7ed8336605967ff89910c311684effa189801bedb37fd46ae4a081c873e39046b003514332cf70b664a650ff70c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
102KB

MD5
9b94b96104251f1fd6b520ea6553b1bc

SHA1
9383f49154e319cb2b210215cb4a61ae9707bfa4

SHA256
eb24beb9894b5966011949513ce520a23de45f5af6f2ea9dd378ff0bcca78bd8

SHA512
fa2cbb164fd3b5df0d0926d363c2bbc4b677b66103c50515d5a6229a7e84ed69514a2cea99a5c794b19b7ba19efc281519451939de07dd1d8ef09ee64222d22e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
85KB

MD5
2ffe197e82f30ce20776d060e9d823ac

SHA1
625317561ec384d3b52aaf7a4453d3edbc6d6b61

SHA256
da1699b2f0b063ca8709c10ef82b38e182d20924f010a98fb6e8cfb62c468dae

SHA512
2041ae6710efdbf6f8a89c01a9d17d9075ee305048d27002703066ef9b67295622727ebfeba5136e8d38326e92d85f0041290e9193c097e17e3cbe57ce165b84

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
143KB

MD5
79e3f7443bf525f567eb51156720df45

SHA1
e92b2b09a81ba4ba47b6953714265178d8ff7d52

SHA256
3cb32b8a1d5fadd1c2b2fea8d391f3b4b495778fb17bfefe0f835e7fcfde720f

SHA512
84814d7d9541dbdd67f2e537ca6225822d8556d9c7e189c4b7db3d06bb4aec6bc1a2cf0203a2b0f13238b6140e675338e5e569e458b205547d5ae8f51ddc52b2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
95KB

MD5
b4683d6e1891c7712a7fa0055d8a0858

SHA1
0ad3f992d1f68a265d04404013bf41781858e702

SHA256
1a3103f2d8158fd2dd843f53ddcc8ba72dce2eb7137205c2b2280609af600141

SHA512
a6cb72478291bd830cd064507b31b6eaec4a20d9648119374e344401092033be94a8a8b37538d1e2f93d59649ce0d98e87a837e297c320635a8b61a3ef2de133

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
43KB

MD5
8e6cbc26ce7f8a5b644b009911eb6f5a

SHA1
36495360d315ee00f48d004fc977a5a607383897

SHA256
a9765a855c8ef52253d8dc99230e9da17dee27969d6abc84ccf5c04782fe2cce

SHA512
b80757662d2c9c8af3b0c6823994a7ee3dde2bb3ad45e846cb80548e79ae1943cff1979d7e79f411ad687a7cf2d00063a10b81d1a94509c7441c1c4a21019199

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
122KB

MD5
4bb9d45911d2acab16b85ea6f2a4fd92

SHA1
c8bbc1418d40407345f5685f0d4469e09b4178a7

SHA256
fd970439989fcb67d0ee6de4c293ee4f6ab947d93371224e612f93f75ca2640d

SHA512
c5ab716cb54d66817bcced65257f2b3b3bc50525e148449f98a7dda30db0daf879afb8fa5ea7aaf226f66090e24192e891241b79b485b6d3003dab5a0988481d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
67KB

MD5
ed06736199ddee27a43afbfdac057688

SHA1
f293667d1fbe4563710f3fb64912f5d5723bb7f9

SHA256
1f5488459f8052dfc855f7e64bb8443caede26caee40a9d7bf85a0d579bca224

SHA512
279edc0f263efd5ea87a872bcd926b3bed7fa4c97dfd5035592061630be602477064c9e6dd784bb5a9f38434d59c5e4512282146602f8c05784f739313936471

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
12KB

MD5
aea9c7efa21a6295f41e013dad568aff

SHA1
0d2701a34f6e8c579b2aeabcd144c135408a16e8

SHA256
b5e095bb7d5e285545f36281950b0cc9f896bc8ce04dd735980c1bb7f977ec9a

SHA512
fd790be4baafcc8e5cbcd0ac7dc6ca2d27d5e8bef8f22545cb2a7f16ecf938cd8deff82727a20dde0ad61e5c8df03543927a73297fdc0a9e67739c517e55c78e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
96KB

MD5
08cd42d87aaf3e5af3da024a017a8bf5

SHA1
5a18c3502dca8a93994e31cea840d3d1b07c0750

SHA256
bb916b3490e3664298dabed52e687156182d80dd411dab9d08cc937f4e673422

SHA512
545511386bee69b0dce5ee011055150a73175c066e19543be39bda0732f654904ba1f9862477d2856f83746b21c0fdaaa27d183b960a2e84f7cf6e9392f9ac1c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
148KB

MD5
e922c37ad44b058858ae96f893400507

SHA1
f01bb019b3343ddd191b5569138369db39c58dcd

SHA256
858e9ab38aa4c66129725b94367b54e10811c7d8113bdfc560b407c5c9666765

SHA512
c926cded54c68ce8b6590437391cacb14648f3d3437a125b08123322f5bb08ebfa2ee2530103211d9f06a0d856eb9c12e5f4d5fec6e0a67a5e7ffdf5549bfa49

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
49KB

MD5
0c8b9ec07d77edc27555d190a68b401d

SHA1
21b249dedad5dd0f80a343cba28f4e4a6298d89f

SHA256
1eafedc468b4bc519d31678ed043640e3d7fa3ecb1df4f8eb0b76b6029e4beaa

SHA512
bbde513ca29b50b95fbab8ec3ed2dc35f8bfc0553889248b06362a06aa678380e77844c61b3484684fe6dc4afdc86fbf6c8baa6d7f3c8095a540cb080a54ddcd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
81KB

MD5
8e53dbdc49101ac1f35652d9929a06ea

SHA1
ba9cdabe74cea7b9c6322b1c97defc6a862f6f44

SHA256
8df9496c9bde184b946c1638616bf5b2a57ade11da89a2af79e82b77f093c7a1

SHA512
34348cfac653b8605d4fa6075f55d5682c40d49c1c8fbb14cb903d918014c3bafb78ae780d282945a8b15296b37d377b4e7ed71c52de494f5544dc7bd17b2ffb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
109KB

MD5
3e652de6c651f7a5c345374f08e7efcd

SHA1
c0f26f52b31ad35c017e88c5c0944f099cd309ac

SHA256
5c199c638c26ef87c76cb71c0970aad9558a636dfc9ea77ef64dc0a548d10acd

SHA512
8cfd5166e1aecbf7c90e7674b8df888ee5e583dd4a9bb46bc1cb28222772949b0a809f78422653ff563ddb56d4217bca829d9f6b7ce32c7786e9ab25f0f5c8ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
28KB

MD5
6f2d7ba929d978897432d434927ff217

SHA1
4ee5f5412a47c8799dcf134bd05496bab7df303c

SHA256
ed72e03408daff4570571af91e818c05b0b143a68ed9881002b401e3e0be7f58

SHA512
3fddd882f3fc7c1d9aa5942825dc521022d789479a87b9ccad69265db0150c60fb19a1c477a1047f00ae97fad2bd611a060af47ffffa4edc737ab0ec4c79fa94

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
126KB

MD5
fb9fc53adb83c9116e247b63a2460ba7

SHA1
77552d1599ef494b87b33cbab9e96c8d695fbd4b

SHA256
5cfcc833e80853418d01f107d69e08cf660a8564963c71ba2952b3991862a19e

SHA512
7c0579bcf2dae94f78241cb5648696b48db5701096fa77c3991c8cebea5f85938287de9f926bb3dfa40c3026d3c2b5548725ea85de11f29e3af5046c1e67f531

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
259KB

MD5
7ee2ab10048b2a2113c5aa680e7b5f0d

SHA1
b287f505064b0ce6852f8f03cec117e807cf8aa3

SHA256
366b48590149fc81b554f8682dfd78dcc283dbee7abf592ff4fe5a93d1779e7d

SHA512
948253f3f465879cb290f725e8bbeb395c5c0b9a404f4fb35c1a010af8c301f207546fa8e780126e64ee1891b599e00a5829b4814e5297e2197a8c8fac3c032f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
51KB

MD5
270165f15a5e981c78609aebece7779f

SHA1
6dc8e3b14204e0bb6d81915ba21accd03c72a63f

SHA256
320e8d1927a1a43c48579078baf79cdda6092bad491877ed88d7a7c74fd8a427

SHA512
76ed58a949ec2cffec26a4da51f9bfb9724cf31497cb4d5522d5700cb6fcaec63a2e42f17a5aa347f87ede4b4f3b68c528a01c463ac80e15dfd18bf5510aa841

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
107KB

MD5
8c8775a7d229f5776cd5b431f20c3a85

SHA1
d940db9aa55539f4ff464cd04c8546c20466e88a

SHA256
50a33fb6f4cde72f33ac61792fb6ca870575c040ad9f9da9b601957d452e6505

SHA512
cd5b5494693fa9f335654aba715474d2ddcc74ef9e816b1f18c4fae9a9afbeb70deadaa4afb4498e9719562f3227b80cc1490960546937070582a4ef5412ca95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
91KB

MD5
0ebdb459db9df0a13e7bef0f764d720f

SHA1
c92e8b62cf78727a8a53341aaf6af59e78ce492f

SHA256
9c5d80d70e1b5fe8041659840556214cc9b9e34506ac77e4b6276c1da53a2f10

SHA512
3600c2bed7461e1df952709b592ba5a0e656115e4efe54adc5dc1e5941a7161d153f5d3d44f7b6d2b648fc69494ca590ff205a8f8e16fb5ba8972be7dc117a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
84KB

MD5
2f2eb145577718f71c34536b31a8e428

SHA1
bce0f38d6e94d5f92e73e940ed069890c883dc1e

SHA256
3c08fd3259fae74dfa2d6a744207bf2f00ffa73f9e8c15ac214392ce668f599e

SHA512
fc0fc08d30b67b81df18f8c85d644e420f92aaf5850efb97ecf859a482f9ffa378823efc717ab9f550f46770486edad6a2090fd484dbe1be850f8093b869d5c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
71KB

MD5
017e6ddcccfa13904bb41a5ba719853e

SHA1
5222fc1d25f810450374f2756f8e5943541490c9

SHA256
87ac58b625e87b397ba803b5076ffe044cf0cbf95c3f0d9673ecfbe3550bde1c

SHA512
d7a76e0de6eaf14bccf5902a6ee1a3beb93aaaf3742f8d1f7346a0c5f297a179e7d875c388bf96862a88d2222af9418ec69b7ebc70a19c5e9c78a85f3990de90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
96KB

MD5
9f3a43a7a27950d8f32320414a4c24db

SHA1
943b37379a1d563523d2f55b2694a1be061b7f6a

SHA256
a8db1b39a44e2b82382aa10f05247d5b80976d1b22e05891a9e9d13972fb0fcf

SHA512
61e076b0516863cb1eee9efb5fd3ebcb7cad46d162a23bf8832d9ddb4eab793089c96e578f1db2ee6e7c9f28a0a34bd2742903e2f8a4dead35719f5fbcbcee16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
97KB

MD5
5388bd4f2c058b0665e7c122d618bc8d

SHA1
991de90b456439616d4e8c8f1c5e4e5c0c811bfd

SHA256
02738329bd9b31cd0890029cd94ba93f721c0715f9c5a9aa7b545b805e78344e

SHA512
dc040f3c8e8f5f963b597ec83be0205c38b4671c5addd97724085ef6061044d2bcc3a3b560980d3058b16c6537fd02675ea63fef9eae4648685260ded1ede673

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
84KB

MD5
df943dbb04f872e3039f6657a014e281

SHA1
3d95e01c6809e31a8ceefe6ae09ac323fa5b7a3c

SHA256
290b89205f659039caa9e8195759b3898c2f31b48cf4095a3fec4527998fcf5b

SHA512
42c006ff4b40b008e968f7c514be918526f62a3d7a1cd6289fecdd29eb5b9fd12478734a95420ab47ad14cfdc062a5d1a2cf1845ec33b214540f9dc79c4aa242

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
96KB

MD5
661a1291a638923f091203d1d48639a6

SHA1
91e0b6495e844959f046e9cd2f948c3ad046c25f

SHA256
8afeceb2205e4a025ea54153f7e370aab3063d6414321e0e47736e1e3224ec5e

SHA512
6710b9b7989648538f7397c770597f621510daaab6514fbb147cba7949dfbba11ecb18544b29715fa4505868f297a026ecdaa22272e51751c06a39af3dce18bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
108KB

MD5
e3cf76f29a68bd11b1b214fa638e7bcb

SHA1
0826550cff095d5b91fd6cce7246ec0bcf2a34c1

SHA256
c4701dc35da951cdbf9412d47fff75497414a899aa9d79f4c01d83eead045d79

SHA512
e8bea2aebef7f8fb8134c337711b2dead3db20ca09fec3d6f97d9ce91c4e67741b9a448deccf7685405e49eef4e02d68b21504d08a01e539d8bd372f141a8a0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
92KB

MD5
cf6b61f618d67601fb06ede693739f59

SHA1
87ade3c9f12bb49278cead2591867f698f954035

SHA256
e88fb32e7c8eb568eea477d6064565598f73dfc5242143c6a5f3f701d0c0acd0

SHA512
877ed16206de5942c958c82d205153614301de13670adb5db86a4f2ee615cc5f3f5ac476e9a91d5e3d4140a62ab2d3b0bc58982d008e1dd19314773022af9d98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
26KB

MD5
5b5b4f1381b7358068de27e3689537f1

SHA1
0070dd97dc585989228439daed5b68e68bd8fb99

SHA256
85e99359dd1b932d55702b3733201a4a7f49d2a9392eac9633414e6628b82a1d

SHA512
7d5cb6b02f11840f06bf5bce2425c88de3def41655c8ef8e477a68cac486fb000175ebf4a0accb9d1f2b51f7c0e52674731b8acf8b60e8b62905a9c6e96be514

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
77KB

MD5
7a4faa343c18401d0f24d3a9c5a9da26

SHA1
e6019aa2588caa8da0491c959b1080219f498d9d

SHA256
840856201872918e5edc67f033a0c71449f38f507c57e758bcb49c5bc04c5c2c

SHA512
1e4ff06c45fc357409d542d656f376f65d1af43b3267fce6d10e4a2b6ca7147bccaad2299c9f7afd130dc93a816cddb37f1917118db6c1f6ba2f37aca7455bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
96KB

MD5
d78d6aab3dd104de08cabcde568dabf3

SHA1
94fbbb14632e50c9be6b6e7a62eae4687ed32521

SHA256
d4fe45347492a1b72f6d8e437d2819c43616bdcd1233f37212182c4d128e2263

SHA512
e7de2d9aba57b16ddeed1d44113f9d27abe71a0f956034fa8acf37ece386ec1d958d960908a33b61d1d68c44bbc7fd14a46a2e8958ab817cba3db28a5cbc02e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
23KB

MD5
d83e1052c55c48595229c884ed20836d

SHA1
68a5760f6ad2101b107e855a8ca717e22370a35a

SHA256
6389a609db3c1de402ba0f232de148fb5a5d0225d449845603d36c55443bab7e

SHA512
8cc3df666350a3812157241455289276b9c69a65e762b2bb044f19eec7c24ed75b514babcc6e6c1a1bc52268c939a7ba34695617a822a806a8cc5762a8a77af2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
37KB

MD5
71ce16b514512deac80426707a421e3f

SHA1
b6f4c7dc327dfd536aa90c29f44721e5de90afdd

SHA256
60df1d557fe6c1b89e4e914e98778c721cc610ede4d4c4ba7e46a2706aba4d7d

SHA512
616c1fd87f8c8144cda91cbbed15e735a9884890b99017a5ee91657ec9e0b94f170317259b4991854e52af2cb5ed0c4e0466d1fdf6fbd6c7277e1bd253cb83ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
65KB

MD5
36f100d32a313e663bfda1e7dbfce307

SHA1
6c581518fbf7c3fd80b4d6638b7bb6cf675e2695

SHA256
9b47cb439b47cdc9ed0b00328397ca1ec3caebd53d3f7915cbea78bf9f7355a1

SHA512
2a6c29820e995025dab34aec411a23775793dedc7b03151209df52e6f229c10abe06f8fc3d4439cf283f27a4371121bbab5630cb3507da5c888c04cffa25650f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
87KB

MD5
84607bdfcea12a27c98100fd54f694d9

SHA1
80fec49d654f1a700524a9a6ca68ac9ff5cc4a84

SHA256
d286c9ad57b237306e9663b397802d80ff7d19da84d30ff9671014c69c4a17e9

SHA512
550094c253a91af33060d95678924351b6a9c678fe979dbef31674ca07bcb011352858293bc9312fbd89e7a31f9b5def6e1b2b8c5d1a31383a140808ff41e368

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
180KB

MD5
68cb5692126d2e9be5ce1c075ce9ed59

SHA1
a6a485753d23ddc7d7c97af163a7c38726efa74e

SHA256
1083ebc48a79288483a42f765213d065e347a67afb5a36a588fd7692c651b16e

SHA512
e4d7ba3700a51e0b1e1af3ede9c7013f0622cf7974b0a90215b6b504c5fe1885c0d8cc2f5fafea0de74efcbbc2b5ac3bde82d3d42379374e6908cbda357dd577

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
118KB

MD5
49ac31bc330e32bc7722f3d8bb05559f

SHA1
425c490b1e7a3b2db53909e894ce22c0be543328

SHA256
28d142ccf8800891720e76e7db83137303b6b3068fe0d50336d7bddb050d0c51

SHA512
6855267d949b02b51a81dc8098c67f9d35484364eda5ca0ac1f66bb8f8eb235aeb5bf697a8c72274efa7a36dbd39511701728f8600cf82caadd5f7268ac7775c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
130KB

MD5
ed1adc29516ac3048162228222389219

SHA1
68d3258382810bdda49f33e6076ce831fa340e18

SHA256
fe7bd530dcc4bb639dee1383583ee6cfa2520eca856780a52568c2e6e179d966

SHA512
f67237e3a2ccfc577da8b858b79fd3a4b20838c0588f4dd7d64ccc731c42454d3363ffed41e531d22c0f6d68fdacea14db9a568fd70858f46d437547bb5e9092

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
73KB

MD5
87c76a3109eb41b927fccc22a328027a

SHA1
c24ae3d4daf67052067a32a4ca6a8c2b172d257a

SHA256
b198e1d602c86a77fa71656a93c8f809f417f35b77697189cfc11a5054d8d302

SHA512
294615f009ceff04e1e5e3ff5d72465d7f8a7af918faa0dff99d8682729b8b45dc73a110c5b29a105ea68340facc0d4b7914883846798db37fc5f2598245110a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
126KB

MD5
34c542efe17e35c8a70be30fe5ad8890

SHA1
037ae93651bd0d8931f838baec90a531507d0f5e

SHA256
09705e32e45e8640b60e91cbb6ca2a5ec29611bae491f847d7154c80a6cc5ea2

SHA512
eebe415b5f6648028e0c4e5812a8a64e18361b84c0dae2daa2637556b3e3445a914384920dce4d0830e78e1bc61b568c2172043dfbe19342dcef3739b816b58d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
456KB

MD5
4a5b5eb18f8a9aa1039cb0c8720c50e6

SHA1
bb0c41472a670b4953b496a4cfa20e37ce427d75

SHA256
b7c95372283d2020ca8afa38567bb4e38c7c843638c97cb02c2e1776700dca77

SHA512
ae1681048814f300d69668747959c1edeec62adff6a978ee88f62add2c673c94f4cd16754a83fdee00b01a74706f67ef1f6f5486c8e3f57ce31db29ac61fbf2a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
64KB

MD5
135ff58ff6079f46e82305b2c1235c30

SHA1
29c4ab2bf64e5957fe5cb8b048c20475efff29d1

SHA256
5a6a9e50f3d9389111afda22dbf883e67c72018cfb1ceef4aeb6abd5b2d8f486

SHA512
7e13a0c5224526722819e888a46748b82fe13b9203c994dc0a07205f1a852caf1a189dffce3847650aaecf1b060a0aae3e3cbbdfef06c1c73b8cf641e2774a72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
109KB

MD5
5619c0564e1a28885ae25d1f410fdf46

SHA1
965ef687ee6a09543bbd7e4a783d5aa5c7a29d1e

SHA256
90fdbf4d5310517c938a71c3f91061f965c319f57c35ca14a4f3796d34c4c883

SHA512
b17dc6376215e7f0161d71d3738830f380ba2ef00e7e91231c22e7dba4f4f996556029f0b8b67cf3cc3f318c76b88e5fc47979488a4844d02933eec158ae1ca6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
22KB

MD5
f728b19cb2b864f54886fe324f755323

SHA1
52bea472536e2e6199a6997f966cadeca8b9ec80

SHA256
ed6997fef4026a5c55e58fd1c2dc91c2f8f22436f991d79dcf41471ccabbe00f

SHA512
b212da820b9ef7dc955d4cbd1573aeb4bd3e4aa9d70b4ff7ea54bee8043e32a7453deb77b6186552570ca3602586fcc56fba3cb3df27ecefc410706dfaf043d9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
32KB

MD5
62f0e8f423b0e86299f6e4d29d62f521

SHA1
36d9bc41d3ab1c02d6c8bfdc0ee34ca21cc16826

SHA256
ca0b20a86f2e8fd75881008aff02dcbea4753295ea20b7926d9ea54fd485645d

SHA512
9ace16ac1a0c79e5550b126db73e564b9c90b09f2f364e47a6bf26b484fd89976a4d21e3a03bdb118e3bbcd263b908042c696a929bad3efb51a0445bb999970f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
71KB

MD5
718120a607124f8427f884c1d0f2ecb1

SHA1
78f2373a42dd5eda022dfed6e3adbc87662e61a7

SHA256
5290301b5aae95693731d57f8752f6cb957d9db1418a4c012908a2890bc59cd7

SHA512
bb2a202d20a5235d7422878122543cb81ce1327588cd84a7d6f5ea5882299dcd6d792f5e9fdc7846343c10a5c51d3579a0b034ac88a01e947bb855232625a5d2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1KB

MD5
a349047132079af389a2b7a33d50c292

SHA1
8641de0d1f670deb85f13130be168bcea1078d2c

SHA256
634dc0d0af7c5707e9558c4c6e163894c36856fe913ee54dd9912482117eb2a0

SHA512
9f5a56e630972510c5a7e91b1393a0ee692297c886423e36f5686560cc5d86d0565072d36cef9c8900aaac442e727f8c0a6a6dd947512d709830f5556a0b57cc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
195KB

MD5
35f3f9c2bddb87f22a547a447a317926

SHA1
a7644342b2ac7f14a0a922980c6ecd6139234c6f

SHA256
84d51e32c92af25ea64a7f259d11ffd95cb2ad58e60cd4d6970aeaf850d238a8

SHA512
d5c0e732c980b2e792e4add75658dc7750cf672a5ddf03b590d239fbdaf0976a49d15ba9218e867eb6c2ccca4dd2a10d8489d1ad4103f7f0fb4fdbf344fd8506

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
60KB

MD5
fe1e3ed5b2c0629614fb4fa68bfe6401

SHA1
e1f9744e2f829e24cf9a416a3d26eaee6999b48b

SHA256
78e6f15e5e826211ac65ef20b1c14cec2afb46c30858291be3e48abb9b7c36a5

SHA512
be8f63ba8618693b689e9a9d2d23b6be8bc7bf51d4be2c53ba70a3a56661c39452e2856c0a7787976f8678dc36dd38d4167d21ca6f08e34aa2372ffaaf498f10

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
203KB

MD5
86b1ce3450ce34a2be90d70f883cb31c

SHA1
d757c877dd1c5645379d0207381cc8c90127b801

SHA256
92481ad41764b5629098dd6396aa5765ffb4e334e862f7e12d292418a01bdd68

SHA512
e4ab8b8028948ed198d0e6b235c757950e49c71591d93aa565daa4c1d252af255c9c9446d37a62e886dc58a4c1a5477d48704e17f6c27027637216a9d6ab85e3

Download Submit
C:\Windows\System32\alg.exe

Filesize
132KB

MD5
2a997e7b9189a2915b90f762e273c185

SHA1
0492d264b513b72284964a83e727cdddd444ef06

SHA256
72d30122763e935555fd016b160dc991eda91d05ac1fb8daf8ebcbdd655e4c5a

SHA512
4191d3191a1599e1d347ca3d43a5172eea66ee4eccf454bdb13a6465c2d9a1edf7e17a4bb54cc629c5b97a938d403a72369f55ce0486cbcbf6b29d97fed1862e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
161KB

MD5
8665590aa5f137eb4127bf808bcee69c

SHA1
0eeaab90bbdc7721ed8f33e3ee7ea1f8a533ad6f

SHA256
6b86f23f69348b269e216f16931abfbd53ca8c98bcfd2c3403b88b308f642ffe

SHA512
15b21915bc003c81cbf4148d31aec8d492fb3e51a1e729fa130ecd613de255c8e3ad48039023c3ace152294d4452c294f0419b02a66f6a6d0079537421887521

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
6KB

MD5
1d6ed8b92f3fe3f64409baae850723b3

SHA1
37f6058a26dc3661063f3cba4b2ab5514cbe209c

SHA256
234fbf7b3f9df4a94476db45d3b0727d9d512c00cfedf8cda9aee74af709df7c

SHA512
8ca1e6aa127a7384d3d2e3d5d6928f801872dcfab924061bd395a1d231f20204fc07a79809d8c7e234c2b59435d266f6cd5269c1e5ef594abce849391a8b28e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
78KB

MD5
f2aed80767651639125d38ca61fdabbe

SHA1
fce72bc594e28e2722fcd36362cfdc4f6c724feb

SHA256
c0fc059ab9eaf84ede7617e6bbebc1ca560264dc9b9e223175a66a2b7f12829d

SHA512
3bd058d6f21806059db8646ec186371881598fd115c6f0983e125c3237e0f7f3c2a4be99f0a058847636dca1c1df758c9a95b5ec9039edf9afec6f5a6e375c79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
39KB

MD5
1abd4f3df214e2ba8e9a7c3660378a81

SHA1
c4429b07c11f4cd0dc63834f6e8bf3a676184336

SHA256
2b54a1f799e68b50cfffea8276af91c38810ada2875a65da2fcd66f7b41d62a6

SHA512
6025c2fc193b200b55e5ba40958092f4fa46bb9a4bf2f35fcc9254aeab668debf481e7deb95ce8a7b8cbbfaa54041f3c55e58654cb2a112b6db1f3c9d7bd3b9d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
164KB

MD5
95b51c3f6e92a126bad079a428f14da0

SHA1
73d7bde07e2edde4aa069484fdf576238b47f118

SHA256
0cada46552b997a9eda72edba37e03bf6d8896d55580d48491744c7d7f2e642d

SHA512
610c120946f866d836003e849c510286f7245c62fbf17985bbcf3f8f01b79918374d67a3181c38049c28bdc8edc352279552589454a212ed21bbbc039135e333

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
140KB

MD5
b21f4a8a4d37e179851b13f0479eff29

SHA1
0616933381abc641262b51ed578c0e7b38b09c39

SHA256
5e4f7f603c9aeafffe8c16aca6ddca9dcaf2cf6094aea3de2b1b15f95c88b8a9

SHA512
c61b374ad5273e950a53307e1ee59cfad4820e279cfd2202f2f7748737d05312749066b7622263541a13864a333bc142c4d96e082eb2d70ea0e3a12996225abf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
177KB

MD5
77534188ae778fbb7de7f5ca1b1c29b2

SHA1
d5712787b9d2236bb128adbfa74d6cdbd3c52830

SHA256
24755336fa7ae08774486de63f2d2daaa7a908283445963ba95f831af8df2d54

SHA512
3e2f08fb3b40ebccf44758d829640441f28a7ccfab863032141198338ae038302ed0eee95d9fd54caf7517ba13a6ab7f44408c679ecd5635bac3d9513a2ca6f5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
101KB

MD5
b9b3dcd655e13c15e7e97d652a46f0fb

SHA1
a548ba66974c4f17e57a9d86a481b6610c5a5df4

SHA256
a138c70528c4bb2e54664d52b4aeebe7f9b27bb4856462ecf43f51a9da80f5c8

SHA512
4d7051e7c6a2c5131bd51e568cc255f0d25d6566285b142f0d02ae3c677d37965c3044f925a6d2e37a57a8ccca98ab7a0a57feba09b368f4ba2c8f007dc85770

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
5KB

MD5
91cc196041d7a0b4e74fb81695e144ce

SHA1
3b5b00d3275f3b4c06eb3910774414375b1f8942

SHA256
9397e2ed6b3cb246e7004b648dfd8ec2c06d8a4892213bcd02c5aa451e8bb50a

SHA512
d5dc08823e0ed9eddfa19d049531860e222935d58054f09babea2b1436e18821eecb4c3604e303e61f95e1404b0a26a12df9fa40c1d0142e3ca71da917c11d46

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
213KB

MD5
1dac17dbf85977c7192f69a2d2aa13dd

SHA1
9f7a68dafca331497cde66463c6fee3df132520b

SHA256
f14ab0f18719cd759f5b2bfd7250fca27e438a2304fbf43bc6d766628a82b83b

SHA512
e6b597c119ce1ee9e0037374f6980e6d84a2f7eee0154bc47bb4ecb65466d248eb1d3d1f8e459edf5c382c428a0f6e9065d0b61d9d8cd9b1f6cf9795637ea399

Download Submit
C:\odt\office2016setup.exe

Filesize
81KB

MD5
cf381a8227a3d8133750f4455c41d3c0

SHA1
65b3eb22bf35ed5a4f29ff14ab9ba0470ea56620

SHA256
def71739a3468586adb965302458ceb81e63660429ed4f1830f2e76d34ec843e

SHA512
7f0b3a85f330c710afbc8ce0a0e0c8aa1a0eb055ed573022be91245bb385fba627400e583d4321310ea858e014b206dc307e9204f46e7cab75cd35eee3f2f36e

Download Submit
memory/224-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/224-130-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/224-538-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/224-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/224-6-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/316-242-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/316-309-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/316-247-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/628-641-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-318-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1816-175-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1816-239-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1816-183-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1968-268-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1968-335-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1968-276-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2064-282-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2064-289-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2064-348-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2212-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2212-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2212-261-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2240-159-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2240-225-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2240-168-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2240-161-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2260-125-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2260-188-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2260-117-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2260-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2604-251-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2604-189-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2604-196-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2976-345-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2976-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3112-332-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3112-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3244-307-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3244-301-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3244-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3476-220-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3476-212-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3476-280-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3484-158-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3484-100-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3484-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3484-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3868-207-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/3868-275-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/3868-265-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3868-202-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3904-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-370-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4080-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4080-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4080-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4080-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4084-234-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4084-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-683-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4292-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4292-105-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/4292-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4292-113-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/4292-111-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/4448-149-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/4448-156-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4448-155-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/4448-142-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/4448-144-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4688-351-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4688-358-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/5040-141-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5040-37-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5040-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5040-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5040-36-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download