61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
Size

1.8MB
MD5

0bd7a633eb91b07c2914c45b642247e6
SHA1

031fd530e597b402867f3899b5adb2f07ad40347
SHA256

61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307
SHA512

1423b1046f9dd065b6011d1ab5563badb4d092f53a7a1deba36fa7db4770bc703f232089e2f0993af2f73e182ec27c983d4f6f4add9cc516541391def8fd4976
SSDEEP

49152:wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WArPsZeHog5c1dQ:wvbjVkjjCAzJasQHog5c1dQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2068	alg.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
4008	fxssvc.exe
2164	elevation_service.exe
3020	elevation_service.exe
1912	maintenanceservice.exe
320	msdtc.exe
3576	OSE.EXE
2692	PerceptionSimulationService.exe
4916	perfhost.exe
2468	locator.exe
4500	SensorDataService.exe
1364	snmptrap.exe
2092	spectrum.exe
512	ssh-agent.exe
3248	TieringEngineService.exe
536	AgentService.exe
2972	vds.exe
4036	vssvc.exe
820	wbengine.exe
2916	WmiApSrv.exe
2380	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\dllhost.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\System32\msdtc.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\locator.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\vssvc.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c6fb78726fd8b7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\AgentService.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_te.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdate.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_vi.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_pt-PT.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_fa.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_es.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_hu.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_uk.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43CF.tmp\goopdateres_hr.dll	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000887b3697474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e542f97474fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9508c97474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d275b297474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000330ca596474fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070648097474fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3fdda97474fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb217a96474fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a4eca97474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df2e0997474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4d31198474fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000887b3697474fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
2164	elevation_service.exe
2164	elevation_service.exe
2164	elevation_service.exe
2164	elevation_service.exe
2164	elevation_service.exe
2164	elevation_service.exe
2164	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2900	61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
Token: SeAuditPrivilege	4008	fxssvc.exe
Token: SeRestorePrivilege	3248	TieringEngineService.exe
Token: SeManageVolumePrivilege	3248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	536	AgentService.exe
Token: SeBackupPrivilege	4036	vssvc.exe
Token: SeRestorePrivilege	4036	vssvc.exe
Token: SeAuditPrivilege	4036	vssvc.exe
Token: SeBackupPrivilege	820	wbengine.exe
Token: SeRestorePrivilege	820	wbengine.exe
Token: SeSecurityPrivilege	820	wbengine.exe
Token: 33	2380	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeDebugPrivilege	1164	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2164	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4480	2380	SearchIndexer.exe	39
PID 2380 wrote to memory of 4480	2380	SearchIndexer.exe	39
PID 2380 wrote to memory of 3412	2380	SearchIndexer.exe	38
PID 2380 wrote to memory of 3412	2380	SearchIndexer.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe
"C:\Users\Admin\AppData\Local\Temp\61a13381926821c4186f18e190e1815369818bf60537598b21b98ba064fc0307.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
167KB

MD5
85e5138882da743554375c9e9dcc4ce6

SHA1
c3674855eb278d42ed1daaae9a0fa3e9f51433f7

SHA256
0f9929aefaf50f86fb80c5149b6ef863b0afd5122b1466ef54e8e3504e0e647b

SHA512
d6295a568b7aa8c3782a908f270f307062e2ffc9e25c7d6cf13f8b36aff78224781e6ae2f56383636b6797589a2641b11cbde51eff26ee6181c088b7243722ef

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
28KB

MD5
9484136d8ed0f0e0ba6d7d83d4046538

SHA1
6b9b8fbc9decb8653ed1c4ec4ba63e61402f44ba

SHA256
68574ca72a1bbf1251bf5057401b9eb5038e2a0e408ed210c9fc7d0a39e075b4

SHA512
ab515908a5eac8909b1a7ce30da60c7f3f0f747deecbba83579bb87e3f9868e5ecf426ecbd5229424c3885eb96a84dad16099efce2c9527677def2625dceabda

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
19KB

MD5
05d759d3a716ef2f4b232f57fe26e2f7

SHA1
8b0b67254bc26fd04bb0fc4557c1998be42b7953

SHA256
3a00834d9332fffbacc362c57120629ff336b5c814a998f341311df4d62078fc

SHA512
56fca6d83d9a944707981013fad27b08e4313b1e74b5ead708069f1821397c88317a3fa3b108b32605333c6a8eabe3a6b3e4105b7b23022b8fde62f06325416e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
57KB

MD5
7f9667d7feacd343e1c6a260990e699d

SHA1
5e6a325abd2c1d11bdd1493cf4dc520e751b414e

SHA256
79d65abf7e9b5dd24beeef27c084342b905ab21eb0ce21ea77ffd8ed0b539b61

SHA512
74be9b8b4d0dd098bdc3837e0e5e3e7e3f9f1c4114153c5692a1a6a6d870086737791cfb4c87646be5431d35a194fa957b3c4689fb918974c59c6c6c9d793272

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
69KB

MD5
ba6595ec69f3bcdf279884a068c332a3

SHA1
f573d2a3f731d2f9218b1ebbc04db9dfaa5a2011

SHA256
3a1282373870bac016c7073f8384e0140ad69db535546e05840e0393ec1d3a54

SHA512
7bad6152f91b4c50f71ac32fb5209f2a58f73aaa1ac1f17424834bdee20c926c740fbd6d7fad34ac52d9e673b5f7832feeb3a6c1257fada9bcdf06c49b3e1651

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
27KB

MD5
7ae6ea1f5a417a0ccf4b5cb81bd517e4

SHA1
2fc15f8bac6f6fdf3dd22d937dba90c8b13a7361

SHA256
395aaf9db5a33ebd9ff59d099fbe54980fa710d50dc47f32eead10db0ec47027

SHA512
42496332030eb7b8ca34b26e5d82590e060cc2ac46d0d3418e50d334269de192d2de836eb0ae472c644321617a108f868ff51ad9bc789892352eab454d0d019b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
69KB

MD5
4fca9100ce4db35f67dbcca31391c9ae

SHA1
fef73e53ed95c47e14c155151394c789c1e92e01

SHA256
f5901e3a9dc9d5d3be3f8daea1e9a76694d3a700523c092681a7f69e9f43ea11

SHA512
e3554364bde297da143daf3096b367ba731819584e93bd69ea73ebd156afda6d261aa07a156eb2152513aa0be9c1f1e3f46ba6cc293485d4c84e8ba92e3a89e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
62KB

MD5
9d6bd4c6f0a39aef5ae6a48389d8553d

SHA1
ca1240c22a82ea5a699ed8c89bf73fdc68786f9b

SHA256
711f57b09ed361221cb9acedda0815c2b7706cb2fe8fcf8a2a51f83475aa4e20

SHA512
ba341b8a87944d566397e7927e87d50193c650e7fe25e8310beece6bce577b6aaa2c559fd42918fd8e5bd0632e15965bf4902a1f816d59c1bcee7193228b8d7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
93KB

MD5
2f20c5da357fd107ea37f33c299f5931

SHA1
ce606a9cbf86c3468d56e230a44ba8041be417b5

SHA256
39819d93836374d39331de431e01609c9d352d249896cc86a26992df94cefe90

SHA512
6c4ec6f2f5ed6e9ba5f5b9dbd11d56afcd26e9222b9d71d2a83c10700361d856de4add68f7718e1c671be7da20cc8209ee7af72b8ad31e45b59df23e059ceee1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
34KB

MD5
00d3ed6e02a7d533bc67adfd9f1a31b6

SHA1
975322dc6b08a0b11e4eb880a3fac2842d7ea8a4

SHA256
f570d60b6c8efd034d10ec8ed58e587b1f1a78cad02f90fd1c2c87df8bded3e0

SHA512
94d7583d4a88fd95aeb173af575e35f744b04891b4a8f2271f1a8e6da3c656360c35dd410543b70737ad14f3f0a83db333adf5b47eb54b0b42058cbfdd2028c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
71KB

MD5
2a2b56145d01683dc058efde9736c23d

SHA1
54f1fe7023d8bb6b323290d73f36197579d3cc72

SHA256
3c74f67f91f63e7eaa286402143dfd8db9c2a76cf08d81e93a572b2bd1733181

SHA512
ae3ad0f1b02dfe4c594ee4d9dcf204ca49bca030b8f33469f93c016b9ae8ecd1d2085f3dafa3e8514a82c9412c87ec73fb8b38acef150bbff67d0955df1ae648

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
76KB

MD5
e89c770cadd3b2340fc46c2f00185786

SHA1
d19d5ae6d0ef876dd30e814d4112712012819684

SHA256
335b859c97dfa6e01a7940205782ff927fd1945d344bc440598c8c14f47eca46

SHA512
2d28d1efdb003a9c6e14b367911d9866df38f1177782b2f9a10de962602060588fc07faf7ab1a674cd2774f7babedf515650a0b3f1277e2979cfd838a69df00a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
104KB

MD5
59df15092c4ab2de1d2c4d08b54fb5c7

SHA1
bbf8808abaa28ca67501d89dea35d5949a37c9a5

SHA256
f1bc1b06c2f8edb1baead8222e373b65eb4f311c985da4adaa693e7549f3f3d4

SHA512
9a9b94bdf13ba96b285a3aee4b3f6c6847cb532e2a3b2157d450319b15720104ac1d45d590115b42baf03948377a92e918699682f0b49b915c8f60cce4372e77

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
52KB

MD5
934e803de5c2780e553a19f23c0e6f62

SHA1
5745521b20e48d50611766dceafb3f99f19f9991

SHA256
60d70738b8f521b8d65075bd9f0501c407517849b84c5d08c76dffb2d15e74ef

SHA512
7624d4ffb062a99461fa937d7415a14f0ea9a2d7528d28eef81e18ecf941657da722d16987f5ad4c76caeaae14348488920e88583295d5c6c1e33bc770ad4c16

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
27KB

MD5
bb94cc17d2bf1447ec8e525ed7e78f48

SHA1
6768ed2337170ca7de59791d8a0d33ccfbac72c5

SHA256
efcb8b04bff373f9d2c3e921058b9fa53b38009477936431c02e177afb248538

SHA512
c1c1bd9e618c4a38149646f7d1a4fefb18f1bc98d1453b43f2bbfeb462bd3533fbd05e237c8cf1f84566ad676fc3049902fbd459dbcef97da3d27c9299396f3d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
9KB

MD5
b7ccf707e77f61691be42b7efa03ac77

SHA1
1f33f77fff7873805500f5b34238c6080ea77ebd

SHA256
0caa8a82fe2c9f6a3346177d87f8d38356f6f80c4aaaf0efec9acbc99253fbef

SHA512
3a01b66a542fd12596f59f8b618cf615b0e88bd1842ce93a0492ea073cae3d392f3f97a914d6ed4c80cff4fc808036931ead509f37aee88f74c5316a4108dd32

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
7KB

MD5
6aeb4b14874084ba963fb4ab07ba800e

SHA1
31ffaa9d3fe2219c29f326155989034f7df1c16b

SHA256
a53b59ab22ae6b1f1dd8db4cdfadbd644c7d6cc0770d962050a4a9df788cb917

SHA512
be39ecc1ebf3445082020f55d1104433218da64684034d343538c4d922a510bcf71c62091ac5beb43fab2cf880e4fb298c7e8db7e1f0bf26b7da24f6099ea6ba

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
99KB

MD5
c1cf7f1a94f30d00ac0357e2e9a6b751

SHA1
1de973af2c278888324a74b5dffa5a3616721dac

SHA256
dd3d862e6b27eca558e363923210742039885de9b16e6de0d4ed1b06632dc1fc

SHA512
71e2bafb037a77c0b190b8cb9bf0b15410e5a0a628f7afb17ba4887ff2bacda565b15f44341686a1dd39850cee9bb8eb73bbe8f40c63280d1e3429eb0eb2c98a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
20KB

MD5
17438ad59b66460660a2756759b2b61a

SHA1
f6fdfcdd14727014fcb30b80c5b3db84ffc8ee4c

SHA256
9095a65d863fbae9a71429e74ad341f6172da948b62d684d1e2dd196b16d47d6

SHA512
dca3002220d7f97f9ced190e8396dbb7dbd4d60f4b50a1ccce907b3ae4f3b74160e4b6a39e2d45813ac5667d35358f3ba3f866ce45f80ac940b8202a0e7f830c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
48KB

MD5
6c8639ee82c2af8e61f9b1b0938b6d29

SHA1
005d895e14c130ec749c113c8a1c3b1dbba72e4e

SHA256
34d6592d2aa0ec2d30c988ba4ac352ce71b800c955ecbf26a73843e0432a8ff0

SHA512
e257feea634d30563418433635b5a8f444f29bf228c2b20688da484fe8209ef7ed933aa91bdbb256579e8f1903c8189024f74cf7ebd37a1908cda1fb357aab91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1KB

MD5
23fb87cc5448614cbed81c1a86c282df

SHA1
6085434c735e0ae5445907928ab0377a62cbb3e8

SHA256
bbbdac914f0ada2e45620285a5b3717631c907108d187736aaeb4c0bdeb4bb36

SHA512
01f4e1a23d075141460b5bdc38183a094a4f3035b33e13cd3ee0be2a480d41dd8400911fe462f1e4ea0e032f88098042a2f9cbc0663cf183fb1984d9fed3692c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
5KB

MD5
2613bd26af4b56dc074372e94e116bcd

SHA1
02be16dafbfd8818776c02e8efdb888ca87f0ef9

SHA256
fa871db9d9891f697e013f4a8f4851803e27026b58412e2faf128eb9eea39a74

SHA512
67777eb23d1300b8f3b8edf760a745e0d2ea3e444a3a96871dfc190b6a20786cb4e5ad20c358097afa22a712bbed268601a3e35ae3f7ad2c95134cab28de2723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
39KB

MD5
9f922476e783b8edf44cc0d5fc2f629a

SHA1
57cd4ad3a7803c6a33384a312f96ab7b12422753

SHA256
f8ac4a58a7409b00e284a42505e806a54a1fd8bf43020539d1331afb5e5c4b03

SHA512
36448acae7b2d3af534d5362b036ddcd36bf64dbd74d875533d5ea9401ca7757cf468d5fd4c176bc40305017da8e2dc525bd46a9db851eb19dc6a1da982a7962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
25KB

MD5
f5da733128c247e01ef803506edaa835

SHA1
3685606b4caeb95882054b08b0512bd218bfef48

SHA256
ac010affffcd17fc38958b4a33095d8c1ba21888924b246870ab728a1abb572a

SHA512
68a87ed76be4af1717b3266d8b1f5d5b0d426dab39603752c8ee74a81e02c565fdaf1c7b7e15ee971c5852d38ed518b6fcca21c73acd35bc3f85487b2c145f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
16KB

MD5
2f3d7d114f481c84ba008d43cef9428f

SHA1
a757ed6cd6d110f8f9883d9996584ede17fc1369

SHA256
94b383b17ced8287d09afc75c23d32272da70567c0241b75ffe1adee2d30ce3a

SHA512
eb39bc51883164eee24de0fe3454e54b92dd4408d8934a5f736d1dd48ec878d3174c089114e6eab32396a5b44a45274506ff983bd06df5ac2f640c29823b3b9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
42KB

MD5
2fd2803105a1cf95861906bb88dfca9f

SHA1
9340df71766a25a8ba3f171834848426a04c477d

SHA256
01d9e296cf78dbca5990100a54c735a856fff420ff674d26810481a4c3e95c7f

SHA512
2982b0bd67b7904be8ee54a937895bc5e35468a02f9e813d3b54aba0eea3d0c2c105113e8f6b29a38a89267e2f4e30a9af64bc5385f71d9a051b155f14643918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
40KB

MD5
43f6b5c5bfc77a9a5bfffbdbeacceeb9

SHA1
853d1e848358325e36e2c7e28665962e1593e3dd

SHA256
1cac5a16c4ddf2190eed74458c6df9470e8b3506fa0526456e1777304bbc2104

SHA512
dca5e1366f5ff070229dd929095996f8ef329a022d2a4ef40532eeb6bce34dc494ab86abf5467124d853f3e4188a2d5313d6c9e40ca1bffdacde09b8f1df7361

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
40KB

MD5
c099dfb614af8d477b0eb0291279869b

SHA1
f40c4c39a49e5aa1a3a6bd1036335785ddb2c26d

SHA256
a2503ebff16ae00751147a4d31a6d9ffae580edfa7d398997c957819691b94a8

SHA512
8b04d1ef8d0ecfb0c33014aea216965f8af9bc4aef4750ac95a7304c38d914b5f57b6cbcd7c9ad10eb6d1ffb307ef9018a8ecc187464bf4fd7e1e6e90bd26078

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
12KB

MD5
1be8aaee993de18b9df935dee12f12a3

SHA1
8143fca94f0359b1d0c20cb33810caf40fffe40f

SHA256
2440080c34fd004e603c00409bd48ec33ab8a9d57aebd910e8471954f7e70ffa

SHA512
9b1dffe390bca80b78171e75f376509f00f599f9ef341a603f1c3e7f2308ae398928bacf44355502a9b2fcaf39ced65d5a9aead1bfe8fbe982fbb0a63bd97817

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
22KB

MD5
87a51d80ab4a8c9ba6fa0f5e3d3503df

SHA1
454bc052bd4e99dd785f671433643107713b3c9f

SHA256
5da8f23e1bb4f88fda0e03c6245863b14698a6214ab7fdd6822371d4656b19a9

SHA512
77626c9a8bfdfe1f9f9c19f0202868c13daa27ac3945db7aeb64719448efb9aff44f8f01637007a4e166c7ae20307bc41de97610c9325ed115705a8f0b9224d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
18KB

MD5
e00992af0caf94f07455bdef15129063

SHA1
da77f9d37e349ec073bf7989582471cdf708c807

SHA256
47438c3f1177df5ad54f0b3161d8a4a5c2f074d895e69eb03937e16a2adbe5dd

SHA512
2f52c7e4ea8384863e103c2f29381d27824f2e866a8cae36e09be3ef5630ceba6f76b48742e4750eef9bc60746fc3d063b559e7775527faab33eca14d17cf539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
23KB

MD5
5f7113db8c603ce85bdf6cbc76fe483f

SHA1
08fbcd831937dc9402438465f4b64a8df74d01e1

SHA256
e761b4c412c4b93ad2bae1a13cb34d87d278c2def29516d0602b375265778948

SHA512
795fcb6b22155c34a6ec38533f7de87ac22b10f08d99727f8327ada7b964d216fce3a0bdd6d125b77ce0c445d6d35f56c5901d0a06ebce068358977e25d6707e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
29KB

MD5
5e6ba0cc60820acd655375eacf158952

SHA1
3a0eb770dc6ec1f042830b031a90149bed04ede5

SHA256
cbed02d499b3625d610acab25ed7107bb61373e00948bbed3f355d24f408a728

SHA512
2bf87c7cceddbc55792209e83a25322f34dd37371bab921c9d78b17da288f6b123b2265c4d219fb8937bc9c94ceaa549d05b11a3ee96bd99115a9eba847d8687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
24KB

MD5
5ab12c25a247926fbda2e773d773859b

SHA1
98dcd22e1c841af2eba8fecb15f7de41ec3ef995

SHA256
7548990598e48c2671721247ab7ad95cd987ee9e01052e2dda1c26c91662e3ea

SHA512
c48735fbba85835c6570ad4bd69c18469e351eac724bd38c340a7133ba1c66547b4884bd67f57898f8e90010558983219c7194b061a7088fc7392945ee47db32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
20KB

MD5
ee5d4f5df1fdaccd07463bfe205adaf2

SHA1
46a97492bdc6f6675622e7160e6e160212d7ad75

SHA256
e4ebb140631d6a79e0ee5b127f0b8fe88d6fc12473bc89db05f74a8bd533b301

SHA512
916c322fb90655017b985f1d22304603d5182209ae2800a3a2ed81abcadb76b64545a63b417a56fbaa5960ce253bd9e65d4ccc280385923f096dcedd7d81ac10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
32KB

MD5
61fa14255be283359d9f476d075d22f3

SHA1
3fc1f5cc48a468fdc28acf0011d47ff1165577f4

SHA256
358250bb3b75238cc91636fa4524d189c30d4e4d84b10e9b9b17eca2f0729918

SHA512
498772b4275b74235e4924b286b0e2147b002b36ca088030a99d5a39c9302b0d9bcd87847277f3fb67e536fe29c33ff7ea9df94f4d7c8965e569910c411f9059

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
42KB

MD5
7b6eae33151ef8be5a8e5404201d6b0d

SHA1
a9ae7617cedbac5b3133b264dc45d7116b114ea4

SHA256
4ae28a74e7c844d0414d2e30fc30f0a9b47595de9beec9efca43bed5954b48b3

SHA512
f3e467823c883020e495a9cfd94aa33abb8058d4545d98ad9b048aa069a327b407c45956b4c50ddaadc27734efafbdc200862c848331d35fb005223fc1d850e2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
77KB

MD5
45f58271ea62ddd9074620acb1116c04

SHA1
ab62a36f92f527af86c746bddece988f3d5c7b82

SHA256
c80de05c88c49b5c45a4a6a6d6e1b92a2c826a5fbf9d16b58e3eff38a45a3d36

SHA512
6fa20f6b35a573472f19a8bb8240ec545f835cde898e2041025cc9c449935728b56ff6fadba9dd2985f57ff20039d8510fb7ddd29824ea853c98d98e6615ea77

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
108KB

MD5
f007bdc55414c0c622994cca1d801ea2

SHA1
5d09d6cb1f199d76a814afc8d6958ca050efd466

SHA256
f82fb8493208ba3bc32ac6ff7de460d7664ed026a2cf50d42e74e1bc57d6ab8e

SHA512
660d340b40102a01ec7815de7d5e700c99671e1aa52ea0be7af3e78fa5982d2d2255944446f70bebf6926287ba6bf3a20c83bf2bd4f59dec81a74251284058fc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
57KB

MD5
4a207e7e0501f57e83996f5b079cf707

SHA1
c8e737d4e82caf635ee97b9d946aff5d42743952

SHA256
2947612b8f22c2416e2a227020f9a2184cf3cfab858a7cd5bfec8237548a1718

SHA512
040d8cd2c3b022271d1760b738341bc40e9167a502cc678590dbe246c2041528598bbcef6527d70c3c841e26972df0ed06343fa83bb2e0d0c94ae692ca5f4688

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
374KB

MD5
c029d62330c227bd7ed0ff624fc8bc95

SHA1
8c4835dc4316fffb145222c2397e0b7d5a0ad34b

SHA256
1232e8b3f3a469afb9d4706d89bd9b3784f1589ce707b9a9ea0eabdbd114cc62

SHA512
af56c9de35b0b5109bc01aa83bb51b42e201e686cb140e60f3534ab53dda7b39ba1b50182d8e1fe130abaad1ada47d0c5d038515c1bdd847b1075004251202ff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
107KB

MD5
ad85cbb0848127849ea82ba953a70c46

SHA1
fb025b6f682e4cf03ff8fe87951e991c10444ee9

SHA256
cd1f5b86c5ab68f4875aaf7d7aed2ef94a83797026db57840f33aae625dcc74d

SHA512
50a3630a1755d050099a8dee72a40e33ae4eb9f8dc82256989c2446bf582b4d5bc848a6132ca8a2f4a847593bb62b2eaf394b34d178fa0b9ae9c5625edf84f18

Download Submit
C:\Windows\System32\Locator.exe

Filesize
94KB

MD5
87b3b49c7018bfac4805b24270874dda

SHA1
c959667f54306247c312ab37e090901ef5d5f058

SHA256
3e638958faabd505122de5a14d0bf265cbaa3874456d97a709c9fb3450beb4ac

SHA512
b93556726f3eaa22d905bf9912257a5bc645c63859c4277186b9096ceac025589c213694c4707100d010a92bcd9a62851d069694d17015b853c72ead9601d2ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
14KB

MD5
c516b28f10be9cacd112dd099ab2c495

SHA1
927992068f4ebe4fadaad2f1e59682e7bb070462

SHA256
d5567d8f20ab0425cee17e33fbd8c95192b341302351b46d128bf2d6167cad74

SHA512
972f5ec36c67246cc63e940c2fdc96b83bc9b3f57abcd8b8e2b21e586178f5a4e9f63379ab5671406d06072a512a54b6f5e1d78870801192b5fd23dfc81a6eb0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
9KB

MD5
1bc4b4b14b1a770872ff700df4ab7a37

SHA1
be945e2feee7ec0545e34bcf6cb6e016cc7b3d1a

SHA256
b919bcd0754660903b420ad6028defb7d269dc5dbf6ecc7d3fbb8290ec7d918b

SHA512
1b3d6565ca671a24bd2cc4c664fe03a23612b5e4306e10abdad477ebfd9412663c4b1f2663156f90db2d807ff505437f40a95b32d5eedb40aac391b229e581c6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
234KB

MD5
b9d82346b1692f8938de4cdfa7594dc1

SHA1
b1a18f0914a14ee8322e0b2b520b3bdcd7ab9554

SHA256
53af50d381e4ab551027ce14c82ba8c0bfbe40f70bdf296db424af227474d88a

SHA512
e7cbe28a1977832df4815ba7aef4f6c732c72184d4bd9bf5cbe17f50e0f0833682ad111fe18cdc7d3755a15a22f276625b31a1ef3dd85620cf3b15fb85e54deb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
75KB

MD5
8dc596b38843940add8b1a9656d7b096

SHA1
df9a9ca2d79d08afa4c2eebd3d1d11f10bcb20cd

SHA256
c02f370be4e1905d9b7ead2ce8fcd72dffaa8a6d13088e88e5a54e9605249f98

SHA512
c17edfd090e5f20b3b0b3ac85dfaa7d07cd5edd5c06d8ae4db9538e29bf2604d76455945e757971feef278dc02b6449541bd1f1077fad7c153b66555260ec7c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
107KB

MD5
d3bb18f6bb7c7b12722c99ddec26541d

SHA1
0c138a035e120cfc06d504d95b891c3526a11854

SHA256
ea498045db80c267f86d06cdea1546ae93baadedc28d7321bd749c2bc4643cbb

SHA512
b03b844c22fac1406037ac2653b9c0777d75cc61800af9c6229ad0eda410a3821f229f9540172280ccd37ae3bb154bc00ba4ccb86f3983ccff0dda7602b75759

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
23KB

MD5
3c0b14d0fcc7d0b733ac12142d8b2dbe

SHA1
fc95a81464ebe60e7edfff42c7589ea04e45c603

SHA256
403be8cedc304732c4011c1aea3702709026c511bec66266edec1ded1ee0b05a

SHA512
86dc0aab6fba0572544fe7e2a2883b853f9f87fe897ea483e963a6acdf25ae405f08729a070bef2b37488f50f1a64bc434307f3fda7b374d9549bfad77ac380c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
158KB

MD5
fc854814a465a7386fca5d2ee775c5d7

SHA1
5132ccee9f8396b9719f6157b0043d8d043a65d9

SHA256
28abf7c521e6284eaf6c49341062ee17d46679129f22649998eee4e299c82ed0

SHA512
b27116f7a14d83ffb94a0f8bc0ef7fb064c2dbef5ccb4de8a1bca760b71720fb237542063d5755abbbbaf0cae53cfa27627513f06b9ad51feef761ec5f70cda3

Download Submit
C:\Windows\System32\alg.exe

Filesize
149KB

MD5
9c74f67a6a1e10d2810544bb67096103

SHA1
537a9c2be67c4928a48d740740b724e419de8b46

SHA256
ff82eadce13c53fe94bfcb241ced1db07abf48cf76707c7d79288d98f1d7acbd

SHA512
7d6c63d7d5f78d0758904e49a73d256e9af499de9af0160421e54d5ff234d15f150baa4752ff244103d908c8fd844eb5650ada37963a7ae7a94a0e913560f38e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
95KB

MD5
c30ee9aff1c65ad0529ca6ee6f34e3f8

SHA1
d89fe0c3b0d0a8a9c8c40ea51b6cd9279719a723

SHA256
2174fded656021fd4da6d4fb82ad3d00a96c3bc734a7f4ae897771c07868ba55

SHA512
09b3ad9d9b3176ba9ff9c0718e7fe20cd4b6306bfb9d001ca7581266f84579c241f97a751a512c07fca3169df674d26176293676a3b229335f0334b1871a85f6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
104KB

MD5
cd03b7dbe6b18a941ff436127f206e7a

SHA1
7b46f70890801e790c6e87267eeafd2190da3d82

SHA256
5f650677c15c729a1f2845828d0915f923d30d264f314c961b39b8100d68ad4a

SHA512
60fba2d3181e5508d0dd9c5f97614d696d02af1985dfcce675c7ef53996b83c43f5fee1d42fcaa0117903f82d11b84551d8182a3a5c3cfc4abd1f8579cdb6376

Download Submit
C:\Windows\System32\vds.exe

Filesize
1KB

MD5
dfd3f2a68982ae20d1b4b2a0e313a3c9

SHA1
032b0ca20e029b98b9356c8e462bfae1a8fedd21

SHA256
8d7c43ce814cdeff9623119a97b5ba82e1056b86df63d4a8529544a60dae928e

SHA512
c1e5b00cd8e1d9b1dbbad38bc20faaf9dba3aca9e906e38a8ae0e430b2b96e85b7aa3cd0b5b8ff44d1e186a474969d8315f4530c60306e8bfb9dce521b718fa9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
61KB

MD5
20daf7d267814fe502dba6eb976c18a7

SHA1
5de66dbb0fe89c89705905b0c2e696152345a479

SHA256
5c9b7f43bdaf32809d16bea45915dcb975a768dd023239b77fde0efc386cc1c9

SHA512
f68c9cf46fb2d1acfe77c9faf4cc8703531de0dc8733485f49ae196c0cf4a59cdd9080072e4aa5c8296dff450dcfc8471a2882293940f06208933a8df5082ffe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1KB

MD5
8e2a0003f4d9ff5e8b83c6e26da78fd4

SHA1
ef2c85b2d8be255e765d25d676fc6e5663c7adb4

SHA256
950cec7865b769fd0564c838ff314471a34b0bb225bbdda79d427c204b120ca1

SHA512
6b4efa83c8072ed04cab02925f35b69c1dafcaad50e58dacee234c3d157d62c11b064069ead85ad559fc7e54234d2abf5ffed42f614b58604a622a3ef4038f50

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
126KB

MD5
09e2c6307ed75152a3f7b9560be708a4

SHA1
e17497ce623ccd42d85178842b306df89f5dd3f4

SHA256
d0adccf419dfce40ec1bcf379ef7c22f6fc13a08c98a75c93a393e714e8c145e

SHA512
5a942be2ee8a934098b781f94f6a279c79fb4cb210221eff1743102dbfcf0917d82d026895527b53659bcd979b501b59d219e9c41f626cb45f62243c652ccbec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
71KB

MD5
a91fdfb6d30902678cb783a40773664b

SHA1
519b2782dbe9657394b4f385d5e23c1456fdd3be

SHA256
64ebcab2ef421a8ab7fef332ca77364f0d84e8c0fdf488d91d444a5e8a424abf

SHA512
89f456ffaa025fdb35f6546eb53a3c15d71828636e72a010a32c928c1e90b09b864114083bdcc11cd6cbecfce47106885f99d87f21e960bc2022e0925c1495ef

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
92KB

MD5
aefb69b7457d62520bf400c6da7ac1b7

SHA1
ed3fd1de7cd0d7aa47226cd527ba25174b160bfe

SHA256
5f3cc65917b318326511ba7f4e21e3831081ea3f527a5a318625e6486c128562

SHA512
1027c816535445d89300187c65b7ee6ba9fdfe67212943577d6b55a4b93375464a498826834a341e514913744fe64a9294e260fd963d63d078413acf7f6bf9cb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
56KB

MD5
bdfe74e1f44cb037e9893bdf1f29f7d7

SHA1
3a48724a6d471c8ae1376f325eed59e0a8074d9f

SHA256
5604c97b8a6cefb436820ea4fba8c2fe1a444f55a78dfe6f861c982ebf91e9de

SHA512
d7c00a3f013356aed6886e1fe0de76e854a19e986ee7c1264d5600bc32080f784df62d560f7480f5861796edc29c5c996cdc882e6b2d23c53b5eb5298718963b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
73KB

MD5
789b03fbb98c42a2e98551008a0223f1

SHA1
b524dda788a5065836d3c1d4bfd8bbfa1a1c3749

SHA256
2c7f3a2ef49b21b8e0df7ba77b4a66bd54f58dfc991cfe48851b1322538cb6bf

SHA512
8164b20b17fe8178fc7d5de6a15fae949befe3556848630ba0fb70bc09b743726474b501f40fa7fe3460d8628514a8630c58daba5246a3f176ec38a6ec77a11b

Download Submit
C:\odt\office2016setup.exe

Filesize
57KB

MD5
7078b658f2c04ff70b12de68eb4874a2

SHA1
190d8151a0941d38c8872d29089d8d9e03a827d3

SHA256
789fddabc16ebc86a83f6182ab75c14423c0791bd9e716c5a2bbcaf09bcde5cd

SHA512
ff0ee2ba365d5a6514d062921c5e36357ece27259d6ee49cec5b2c26f4dbb596425ec34456f9ae5f0b3ca7246d8bc6b733a305a77b0ca308a67057c3119fe4d8

Download Submit
memory/320-139-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/320-191-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/512-216-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/512-207-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/512-565-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/536-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/536-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/820-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/820-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1164-144-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1164-91-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1164-15-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1164-16-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1364-237-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1364-188-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1912-136-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-125-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-133-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1912-130-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1912-123-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2068-138-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2068-11-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2092-202-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2092-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2092-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2164-106-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2164-168-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2164-99-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2164-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2380-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2380-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-182-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/2692-165-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2692-159-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2692-158-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2692-215-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2900-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2900-122-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2900-6-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/2900-523-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2900-1-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/2916-614-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2916-239-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2972-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2972-595-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3020-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3248-585-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3248-219-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3412-583-0x000001D812D80000-0x000001D812D81000-memory.dmp

Filesize
4KB

Download
memory/3412-587-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-564-0x000001D812D70000-0x000001D812D80000-memory.dmp

Filesize
64KB

Download
memory/3412-576-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-578-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-580-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-584-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-589-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-591-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-596-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-563-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-598-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-610-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-615-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3412-620-0x000001D812D60000-0x000001D812D70000-memory.dmp

Filesize
64KB

Download
memory/3576-200-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3576-143-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3576-148-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3576-154-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4008-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4008-107-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4036-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4500-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4500-233-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-171-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/4916-176-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/4916-170-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4916-222-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download