e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
Size

1.8MB
MD5

bad333cf18b8455a11e4cb9da7b647c0
SHA1

24fc7388a92afde7cfbf86443ab3503316ab9ce0
SHA256

e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4
SHA512

5178a6d9573d9ac0e14a6392915dbc5b478fbdd2b74f225e9b933a1f04d9b4dc77e511fbdf4e94af0040425b4f26b45a9bbbabdd7203cad80209928666bd3955
SSDEEP

49152:rKJ0WR7AFPyyiSruXKpk3WFDL9zxnS2/snji6attJM:rKlBAFPydSS6W6X9lnJEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1732	alg.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
3420	fxssvc.exe
1964	elevation_service.exe
3660	elevation_service.exe
1864	maintenanceservice.exe
2736	msdtc.exe
1396	OSE.EXE
3468	PerceptionSimulationService.exe
1556	perfhost.exe
228	locator.exe
4756	SensorDataService.exe
4900	snmptrap.exe
4716	spectrum.exe
4304	ssh-agent.exe
3580	TieringEngineService.exe
3764	AgentService.exe
3436	vds.exe
1744	vssvc.exe
5064	wbengine.exe
2040	WmiApSrv.exe
880	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cb48c27fe04146c8.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_bg.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_hu.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_id.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_es.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_zh-TW.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108421\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_fa.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108421\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BB3A5AB2-72E6-4A67-A376-A20E324C372C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\GoogleUpdate.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_pt-BR.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_iw.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_uk.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\GoogleUpdateCore.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_de.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_sl.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6D21.tmp\goopdateres_hr.dll	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081dc70a40850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f043aa40850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b97182a30850da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004096a8a30850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000574dc4a40850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002baee5a40850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006cd5da40850da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e33287a30850da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
2536	DiagnosticsHub.StandardCollector.Service.exe
1964	elevation_service.exe
1964	elevation_service.exe
1964	elevation_service.exe
1964	elevation_service.exe
1964	elevation_service.exe
1964	elevation_service.exe
1964	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4924	e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
Token: SeAuditPrivilege	3420	fxssvc.exe
Token: SeRestorePrivilege	3580	TieringEngineService.exe
Token: SeManageVolumePrivilege	3580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3764	AgentService.exe
Token: SeDebugPrivilege	2536	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1964	elevation_service.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeBackupPrivilege	5064	wbengine.exe
Token: SeRestorePrivilege	5064	wbengine.exe
Token: SeSecurityPrivilege	5064	wbengine.exe
Token: 33	880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeDebugPrivilege	1964	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2212	880	SearchIndexer.exe	120
PID 880 wrote to memory of 2212	880	SearchIndexer.exe	120
PID 880 wrote to memory of 3928	880	SearchIndexer.exe	121
PID 880 wrote to memory of 3928	880	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe
"C:\Users\Admin\AppData\Local\Temp\e358cefc06d1d31b1b49ddf6f71268b52642c4ec97d02fb61773786d8b6f20a4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
57KB

MD5
39f60e8ecc4dfe5b7d23035a657ca5a9

SHA1
1900a92df898104276568cad251384b283f8b595

SHA256
03887fded2e925be7e7a6cf8f8df97d011c555d859a1fb6aba329c52476fc41b

SHA512
2ed3c833d57c5016df9f67df0119871593976eb6e6106f8eba1b6d744b32568b5e75007b6395c33eaf66bf406f823e26ed007d818727d7ea89cab9437abfe53d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
545KB

MD5
b833de207194d838745c367cf59ce3a4

SHA1
882d96291878297b4046967a3ff14030c359c72c

SHA256
8cb38408b37fd2ff80fa0865d87af21eb0f7c1b6bd398503abf3497bc3deceaa

SHA512
5cf717078c9ec374f401c2f7112c686c25e83221450f03c024464b679d1b2fb5e4f2c731a7f25f8cc45a58656e0624cb4ae27c95e927cbe66b90ef06c178e6d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
334KB

MD5
b5170631fb2b17d867d812d3505e08c9

SHA1
65ec598ce72bd6a1cdab751ff66607e05c7cdea8

SHA256
af425e9eb8d88ad8ab13eadde8cec325ab96e2d900cf70d5dc0de1e9f7b37ba4

SHA512
f109537d02dec16bb95f0863f1f50f52b8172f62ffc5561d2c11bb34387e56696fdbda54c79fb8e6a11a9d26a6c32846e0344f476ab046071907932f52da591c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
575KB

MD5
a85e971bd7327037c285308b16fa1c26

SHA1
6757c02cba86af4cd667761750390d10eca8adbc

SHA256
34768490901e0eaeedc8fbb8bd4676479e6ded4892c4172ec21051672df5b0e6

SHA512
c40c5734cb1ef5a120ed353f9d268b9a7156ef5214b0364aad0178d180f8b67a94edc986f3830959d9375b63f6396580e2ae767dcd5f0de02ec5601135fd1942

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
413KB

MD5
316dec7efa79b3b370e6dc4384c37a6a

SHA1
9ed7d536085b9203126288763503b68633892896

SHA256
6d0f2d70691c231dc2101762b30347e25ec14f7701b991a84e1396a8f8dceb35

SHA512
05f8d584ced9a8fc0aa4e2d69b65f21c3614806c7076e583f5ef81fd0e480e36cf0522e032e1935d6799502c278a24f1c3d689de84c7cbd3829513e40ca056d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
278KB

MD5
9dbee36578d12244cf555822bfa16991

SHA1
d941a944421b8e7b6e4b4cc6d216e0f4e56723bc

SHA256
56cd8ae70c5077d3c47b417b076756652e04ed66635e50ecc973223913cac965

SHA512
b03c4d6e94cbd14966a23e4cd92c308d6a8d36548ce1f137dd71f72e0692d9e25f6e6413eac33cc0d0f363587684e118468ee57e5f4d862625fc12e25d56bb50

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
268KB

MD5
81008a49c8dafc800a4d1a55161166e8

SHA1
50de297ffa923617c803d10b19719c6401ae1e19

SHA256
9bb3366647c75409b0dd57faf7e8bf84460e39e13b3a778545cdc4e97a833b46

SHA512
c10ce5c36d9e55ea65e28b804a944649d9fb8eb8e364a48e3216f746a388935933db54347d09244b80d8c9097f30fbccd73105e66c2d3ce90a8bc027e0a9fef7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
281KB

MD5
304e613286a1210b170d3b20c402b092

SHA1
40c43c4a6f59b3c33b24e6e27864c050e8b0a5e2

SHA256
768a04c5410aa462ad5cb8822cdc835d21be7e78e703efdfba5fb0fb3ad57866

SHA512
85dd38b823a50df04a2b60724f3d7508b4aeb661814ceb7cfc50f3f6396918b4d39096e70e4daa4bf720fa733b2a9fbd7dc3e7f8edfe80828efae0dee2ec1015

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
291KB

MD5
179df7835a3de5758379c221aef8bcfe

SHA1
a7935254116c0cffd0c2189cabae1cd5adf0a7bf

SHA256
83b428962ca67ac911556b3c59db66b734dc6af6f82a81f972c28e43a8b1985b

SHA512
f7f14f11a71e558415bba724668311d6ce2ee6b7be04249f038d77f7867e7101799a8d09689b59d77adccb76b73f29d53641c1094b2546538af48ae8c4de4da1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
292KB

MD5
7408a99a827f99b3a5dce7690243127f

SHA1
914cbe871da8cc4bf6f4f8cf84e3fb847cfd48b9

SHA256
75717b4f8fda5f29d40a8dcc676f6f3d27ec2c5c3d046719c333ff6dea23a4ee

SHA512
64bf3139ca0e45d6ecd69fea2ddcde741584f354a3ba2d936feb529ddd60ca27ac08ded33997aa07bacb3c46c95c394f726ce335f9d94b82bb9808f23a5a1fe7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
196KB

MD5
1d333e5227046842ff599c3f7695bfea

SHA1
42d858ec6d4d79514fa16276a74a546b9aa585a7

SHA256
034ae83390821db384b9f6f6d76b1ee199e782b6dc3fda8b924be1e5cc4e55d5

SHA512
4e0c7c68da3dd7bdf2fff999d965e21a8e6454d520feedb98c3d6308bfc3c6830e76827ac22f40a754739a2d30e02c2ae88ce3e934ff5a62f592f935a27fc727

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
195KB

MD5
dc2575e3361ed1518fe4fce84307976f

SHA1
5730166acdccf4ffe802ffa8b94ed9cdafe16ba1

SHA256
3678115af86455247b0e11f19ebc31a71d04ff5ee2f8f237377e6e5b183e716c

SHA512
08574fc43f444a133799cb15b1e27b3381245a051344bf317bd215d4377edd7053ee05f2ccf2e589a1a900e7de6ceda46882678486f1c0126bbedcbba10229bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
327KB

MD5
fbe949d98c348042c52c2358c3cf0017

SHA1
f970b9f2a3f978af309e9532dffbd1bdd1cc3f05

SHA256
b74ed225c5ee7ae476cc829de3f8301005df8f316c08604949b1dbd8b0ceca9c

SHA512
82fb477939af958363eaa1657caa742211aa70953ce85ab9a87e3b77625e5ca55cbb92b55eb98cf35e8817184534d10e3f4875b3b54ba966c7e3d16edd7a9005

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
268KB

MD5
3044b0bdb4d4068800ee520c7b96b257

SHA1
877225dd791d95bccca3b21cd119053dccbbf591

SHA256
3d09fd0dfbd7654d310ef15e3bd29c62e26fe6dd2ed2d494f362e146426de1ce

SHA512
f333e82334eaf861429240ec49b497b964dfedfed781f268b01661285e37813f619a2403d7fafc2d2a598ae2f67ab7c5d9875b0aa0e019bbbf864fb2e9d95098

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
432KB

MD5
cc67ad492bc4c168cb9fd58576e4da08

SHA1
0585a8c9d59fde88b47a13071a3782221b0f6df6

SHA256
a5a6eda8318deba43c59e17edb243088f9ad98500a662cd420abaf1e07027629

SHA512
bbfe6eb48ee72e51e7a9949503a472ce9e7524af8939ba66faff4ec4a2c7185a110652cf389ff77c5a81b485a443d68c2956f4229f65911248aef1f0b9a3ef36

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
229KB

MD5
4cf5f9f54b4cad9b974faf0ad5c4fedd

SHA1
dd705bcd5725d69044e841f17c0ebcb30474e915

SHA256
03618618bfbba430c3ed752726542d393611721175f58b2f086d71b134349919

SHA512
8d6b57a528915dc952480425832718c3476bbef419cfbdd8ea0c57cea19183e3feca4b46220c800559d72ac0ebc965b5dd945515e0d741fce6f8810ce70468bd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
309KB

MD5
f8b5e824619d6b3313925f460042aa8d

SHA1
e74aa2847f1558c4f58c5b0375bfd0088200828c

SHA256
ad1db6c6c47191834eed81c6eeaccdef18f27a04e936a9181491019a8a081d37

SHA512
fedd32423b4697e1bf149d9f668616bea2ed17a0f91777111925a837ac9059fcd300935e0071b74a6ab215823723a7783e0b5abdf5395106fc334fa2fda4b17e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
245KB

MD5
4f39ccd6e9763b729a2b0070c9e11db8

SHA1
f38d16a88028c4a0ebdb57be3ad909fd8f1e1bdb

SHA256
e2b948f8f4a26ec1a1039b726ad34fb0e9dd3d09fe0f77ada95d977f8c1b34a0

SHA512
e03bc78097618db29710e71882d1d2e4877efa04cd7815c89ba180fb2750cb4faddb97f2b83e8a36196d07e031adfb4cfde7c859faa9d26ff42aba51094e0f41

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
453KB

MD5
01ec6d3bd29fdd86c3b6d33f47667cb8

SHA1
0793d585e549ce77a97e96c1a5cbcc1ab31b35bf

SHA256
832991d00e4b2ba5cde6bd71c5026eaa4bc886c67a798037d2a628c67eb96691

SHA512
9afa86649dd86d91cba635d6736a48af9aae0ba34f0edbec31bd2183d5b55ab41009105c304b2e235814f0fd500440125ab26da942136b9270f2b2b4773691b7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
521KB

MD5
9584cb175ea2cf35a2fa202b0720c0ec

SHA1
a2c6b40bf29e7219c88b991c20e2a61d41074f38

SHA256
a6f51420161062abcb621f185722e13194cf8cbef871ee0cd623516a9b4f1d05

SHA512
140a6baca50f25a803bf33b16e481946273ae1794e5c92e29262d21adc8a21a7d2566afac8f26eb5c3dcce06eeb2a786566e4060b82dcdc77816833e16415ea8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
416KB

MD5
7e433dff829053e2d71e9682ad433464

SHA1
3830a2854d2be585ef52a85157c023a40b4b000f

SHA256
3e07990ff137157cb56b1c96142687b9fb877c111c70d0edddc324df1f2622cd

SHA512
ca791dd1c91aaeccac57696afba91689caafa0d011f26427ebd986d56161225d9e63308593d6fab55e33be7f11acb5933f7888e717fe92150d3bddb73ab31083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
483KB

MD5
6773037d22b8ebbdc3acd94f42f4aa8d

SHA1
fd40587af35ff6188958fdb0fe56c921ec816cb5

SHA256
81d2ee1bba30181d217dc7940da13c5a784c44ac7df25474e1f8bd1f9057c2d4

SHA512
d0017bbe928b27e087ac2f87e2526956b840538ef679c751d0ccd58ac571452b5eef842d419dbca40b391386c2a4c3b48e68e629bcc6f42300c3d69983d0fe46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
423KB

MD5
20b920bf21de7495c9dc935a83cb9dc7

SHA1
198543ebd48c954c5991d0c3959724aa7c21800d

SHA256
23115c4a287b268eaf993537d65cf497ff56a706bb87c6460000b8ed6b62f022

SHA512
ed142e753dcd803a482ead94da18283431377debcc913b8a0ab16354423bdb5df59ebc84708897f148786a72d32c50d4fccf1f907a182e4b33b25b86a05f13fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
345KB

MD5
cd25ad6736d6fef666b8baed4cfbf10b

SHA1
dc200abdd287826a0b8dbfe1bcc250f83543a763

SHA256
36bca498ef6dcc9f03b4e228283477ed5823afaa99a860a1f8145ab71b3190a8

SHA512
f55f1b7022c58e916f9a54ba85e1d719cbcf68a8d050c708a04deb785f94c8937440fba158f306e323986d99e2ddcc57908a53dadaa3a9ba9575a96790152dff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
420KB

MD5
ad02e8aea02a0dbf20cefa0e3960688b

SHA1
6ec5fd9eed3faae2ffb9197f812f3ab33fae0abd

SHA256
bb7206ffd362471ccb94bb59194c628a3a06dc0a40db025fffb4011693d91515

SHA512
7213108f89f870a886c19ed2ad93f770a3d1957f31cc85a45f58399c7eb915a26c2ad22eee58273e2b253488a968f8379d22bd08190aeecbe9af0be8d9cd4362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
518KB

MD5
5fecb8f355e61287c17d9dd84c364afc

SHA1
15cc67ee18bfba113e7e3a0713bcd89253eb5459

SHA256
c87315cc80753b052766e448b7fd388f773ee27f1fe38c9240cd418b07a4cdd6

SHA512
79f0b280618f4843c4c29138aa2fbdad62965f6e86eb73cbe3c6dccf0e1aede0e0b437a8875570441ef1faf66801e48e876428f59f12a9fd59a74b99e4fd627a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
328KB

MD5
d835bc39eef2ef6506dcdf0862ba8283

SHA1
90cee169d8ec5de4e3e448dabedd29d6718f41bc

SHA256
4783b3b12ee8b3771c394f0e9bbe78d011a5fdb3ef753228b04fcaa37493cc9d

SHA512
570785defdb18baa42735ba19844aa7ffe1a4bc1c783b6c0ef1d444a6ab02a4ce02055f98cad77dfe8c32e3651d415389ea6ed8ba2eec3b28040f3d91a1e6ae6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
92KB

MD5
7db1f3ef50df8ddf87f6b5390d910113

SHA1
c5a2b81163720748352333dfb79a01159182c02d

SHA256
c8ca568e5a1d1fc5d32421278c39a169097ae4e6773e16989a593ef584ef6915

SHA512
c84fae2c9304c5ca026f38e449d733b7399c344440749b53911aab90b942e8f6030796e83ddbf9bf96a4623d157def066cb94006f09980288c08851ee2f2b40b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
156KB

MD5
1378007fadff2d22b471c0d437e977b1

SHA1
ec84d39f61709cd22a8a74fab1ab9df18766f073

SHA256
889bba57331aba7569570b112848d3ce47c1920b7913662d40fa697f30b203b3

SHA512
32e12fc6464029ef8b3e84c520c6169a1f136e8a95f03aa95ccd5d70e220c69c0a60604b844beb9b2d3e970505a183d8355b52efdc717a78b096bc8d9e55827f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
132KB

MD5
ca921a661f5c99b7c26a7bf6336e07ff

SHA1
98e5c04fee0ff98ee7764f1e1bbf32037305c9e7

SHA256
c7e461773b4f37a4ba6d7d567a65d367a76a7d292457a6a8942b1b23083ae31b

SHA512
d56001f770a2487feef5f234966a4ecca936b5ac9c5bf59b6e785b10569d2bac954ee8ec78d7f27cf28e173f1a1b5078ff6053227b579ebd915b2cc1b5c261ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
93KB

MD5
2f590b5b9bdd82c116f88d8e19beadb4

SHA1
eb35a488371b7db59c7a4969dc917763a480bde1

SHA256
e27a7611ee3e89e4c0e0643d4c6fc286b19e55a394b57ca1839f9c36345ab2e2

SHA512
7de3f73b3e34b833a23d99265dfaa3c246dd6669ddeb7575c3ac5e09d65b4a4c55a04dffb74a66025af908f4d534152b17f0b4e4ec244b0c3cf748e744e3c88c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
202KB

MD5
7333b5b020d0507183125fcb1881a75b

SHA1
7a93b8f93d58cb0220a03e1bf64ec0dcd2628c0f

SHA256
a985aae7be79d0f2c5e1cbf3b4658ff60ed17b9a5694f57b6bedf5a6ea9ebceb

SHA512
c994499cfd32bdba76cb6806a4c94f84470eaaa8699679d83dbb56c7a1b173308be9e0a60789bc52819824c83dee299ab329dfb6936adc0b6f205e1f9a10a0fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
76KB

MD5
53c3aae3463d4abf0b58317332bb97e3

SHA1
7e05c105c007939e61ef8177d72432355c776dd6

SHA256
d9cdfb1ff752ce99e337ac2eb3c8a9f4a54c7bb944e8e11e9af5a8cd04a4b15e

SHA512
982f32a9dc98a97b11516435e42d0b9e5d05be672e6d3c7236b786ccbcaeea6ea5772d3f1a71a5d77a94bad1466abe8b0693228d2587b312aaf061cd7fb3da40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
111KB

MD5
629631593d378743bed4399361b789f7

SHA1
a207c79da1eee1075df87c5fab2df7bc438dcaf7

SHA256
6b09c9461a52cbe7ef7eaa63a863c9603c9caf676e092f70c6956ecb456effe6

SHA512
34ac899e3c7262ece90dd70b3324547f2d78214db6c3d41e656957da04a5a50dbc060bfd8977101893efb6e43c24d8b02665ca03085b2f698b113c8496abfc38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
114KB

MD5
7a38039a57662697b3382c47c19f6942

SHA1
7fe85bba9b60e51e2e960fa6344ed6d82be210af

SHA256
24b18f795d9e75f01260dfb04345d845d8002ed6f823cfed6cc87afcfc2355f6

SHA512
33bf7a570fae9ae271e6eefd9e8df2e0660537f36fd6146da63840cfcd0a38ddc124505b4aac983ca8b27691a07556b0b33b66bccf1dff433609451ed0ce779a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
118KB

MD5
4d8037129617fb8f9e7dcf881902587a

SHA1
c29f6ad96792879032eb9a55c43009538f238974

SHA256
3bcc9f8229393c14064b1002c4f3a5a0c00518a6b19b1eac4a5258763c027ea7

SHA512
ffa3e7b5de9fd2ccca0f0a386c16c1660fcc9a50bf3404cee0a509650f7cb62d2b5fae604728e1b4e2ffdd5decf526f46e40e65c075d6e0a818d27863d346429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
108KB

MD5
350d766108ed1374fdefd0b3b82ef4d1

SHA1
0a87af1a32a594b579b4a5fa2224f3bd7c1b167c

SHA256
25b29fc2b1b08219c0ee7137ee8e0e658023272861ab658468fec93198bd3045

SHA512
f57a1eae0e404835cd3c9c2cd06c7a3d72ea600c218376696e3241a707ffd0418af1bce7c8890e4cbb7297b75b0e1127289ae4ab0084d44a8667ecb761a577c2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
253KB

MD5
a2969237bb63c537d02d3798cea5a8bc

SHA1
8a6d4ecc48e0080568ba96fbf8bdf842ee7437d1

SHA256
fd140c07a0dec509f10dc346c1da84bb63eb655719bb73999e041495f2b464cc

SHA512
1adefc69ba3e49f6f7c4577bf011b71a447f1f2d8b88f91c67a76e47aec4267550ad7fe8f7560b430c8b42d9b3cebe877d0ace2d722035024e653293706c82bf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
565KB

MD5
70c6ada729b5350f6a1af08df1228083

SHA1
53875a7e66733a2cb894ba9d4799b61fde5985a9

SHA256
b22ba2b5cd7ed7a949678ec5d06fe6ad4a2b3c2ecb45661637bde27c2adba998

SHA512
3b91bd1be686bddb9a6fb545267daccc9cc5a7b2303be95dba30612087caef405f1358eb5149913f88fb5b3d006e17725237b3cfc6efbc5219876275bd189dda

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
264KB

MD5
b3832c545511150f507af60dff494207

SHA1
d2c66917a4aec0bf57a20a9bd87c4db1aa430f6e

SHA256
7210733404a273936e37fd236c0ad512a2fe2c80ecf5ece329920b0d8ca93d72

SHA512
f8235d6f3e50577311d4fb2fbef9314e7ee34d967dea491cfd310ff4c37857aaa21a6f4dc10ba24e3bb1aeea82c03f6a3039547ab65ca2c7d8965c28577e1893

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2be261dcaadaf07361fd59a152acd23c

SHA1
af7ef754d25ed749bb329693f9e52f0181e799a2

SHA256
6c38f71a585ecaae5d079b3105e197d5c733524f4508a79827a5471c10191bb2

SHA512
4d282bf733709768a84beeaa61888618e0a86f808c2573b61e4357f177efb4698e0d9387dcea29db173a2ed4672035655f48a03a3eed8b00c8bd66bb27135dc9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.1MB

MD5
b616a1e2e287f1d0963872aedb6062fd

SHA1
af9b43bcef6ba20c00d169f06dcb31a4662cafc6

SHA256
33c0de0b85d95e04dfe08fea7dca4875828cd89fa146a8874d10b27557ae4084

SHA512
deb7d1d0568b50800f7c9bc45d1a1bf496208be4e29adc145e733714bd69ba245a472d738fb4eedfdd318e8cf309e6b9df7502b15dfdf9be0810aa55319096a2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
292KB

MD5
e5e0e005a0a0b0d5ae25df7584909d49

SHA1
ba7d3b92ba6aeab8d55b4fc229f00beab4bfd42b

SHA256
7fde60ca6ea20351c44392b0470b8dd9f26487964ebc0c67fa5e2099fda3e3e7

SHA512
935e5a7661726b67a45caa7faf465d8dab044fba63dfa01109cccbd257115e64567787ff57199bd58b9258bf52c776c354bca9de8007d987b371b21c1a9b185f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
62KB

MD5
0191dfb64c7fb0f09177e033b2af0f31

SHA1
93dcd9ee30c7e1dd7908dadfd0ac6fa3397ca3f1

SHA256
fbbc32729f666b06fd95c94cc3f5bf4ecc9d4f119e07466af835184a7bdfe0fe

SHA512
471b4b407c3291e4da6faac883b4c15026f3d193d50c25d48e8d921f84fe8dfb14f9f18c9bfecc0d91fdfe3284afa73e2a7f325073aa8274575b56d9bc56e7b5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
176KB

MD5
7625bb1e90d6c27966f38718bc929d89

SHA1
a8eadcabfb78e2a248a33980dfa987b98e35406c

SHA256
5aa58cb7cb2c4877244af1a26e21a9f7b10abfb7a681a2db30c7da3148d9a2ed

SHA512
61d6f86eec13f68204e3b3419227abcf1f912468de100b8b4ec3700ef9bd1c9828a8994754178ec2f45702b66dec6cbf0730e90e0453b6df3f315acea2cc82d1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
99KB

MD5
7d2a488e7e1db45e85824926c9cc2d99

SHA1
649f57227dbc30a07501824aef54508bcf7ed74e

SHA256
cab1785c943a302120ef2685c6dcf7e56043a322ae946bf952fbcd44ef033cff

SHA512
adcf9018c7038a1b2da39e0699413d6190be8994113089a651f0d2943a21a1592260cc59be0d6617b1a8bc246d71caa1a5c8a923b6191887451419a509478361

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
275KB

MD5
9dddf78047623c92695b4a3cc4c7f4a9

SHA1
de46c637f473e539690e9dc2853dbdb733f455d3

SHA256
a5c80c7b316e9d5545787dfaa3bdb7754dee72f25545edaa1a32e241c1277030

SHA512
0444c8c2963d3bab820fff655bd84668d3c2ae80278e73ef423320a344ade1bff423b8a7d5fe862cb570dea772d54fa2bcacf58af53e5d8d44fa1a8a48123ab8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
311KB

MD5
567515ba807ba112c992c10c2e01f1af

SHA1
06ab8471f62f52f435ce4d295070f6764226d030

SHA256
dbb371646708191ee631e87454df2cbc7c3f3b8fd7af18d5c351402bb11f6cba

SHA512
212f8b89ffeac17666e61dbb2d0c0f47b034e42b889a416d5454ba3ec40e5aa6269b03c1b6cf0e29c376625486b0738af4a66f4410e05f0c52a6aa841e21d7af

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3c40e4c28d3e4ba396697b62e9c39cb6

SHA1
1627e151afab239e8a81ebce79ac0da25d97151a

SHA256
eedb5e9cbb5c510a0d0374b64f34565f0bd4c0e1b53a47d6d22e044eaea6d579

SHA512
99e8a527fbeecd96c8a7709a7e0dbd6f1cea3bda34f27ab255a6adf96e8f76dc23cfa7c61ef6ce43f46141841313c93fc9ecd5c291bf67674dc421507b83d80e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
221KB

MD5
ba58ea612ae9ab4a599620ed1716b5b2

SHA1
a93ca62bc5881220e33ebe04cb8255a55372cea4

SHA256
9f37ce957afc1216c6a15876435f1ee57b3ddac00999ba33945b3bba9c447fda

SHA512
726a50795c290f1f6125ad3202df84868c61e37a168facc7d0df315c3f943fc7dd99d7883bb56a0b56eb504433bb1eb97d5135fd1cdd63ad14002a0620d96250

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
37KB

MD5
eea13df029a143adf2df1697bff51d02

SHA1
50c3cd15df85075fb075845fa8997964de80a1f9

SHA256
886b22a173cfccf3901a243f5fdd93bd11d5ae06290ab0622b5daabb9122d322

SHA512
37caf4b8ee350f380c3a10aa20eed4d943fdead8bbb57fbd24e7cb41418dff1d975457f8bef4d61fb02afc4c88bb436bb11b847b88c1efc97800b1244cc6f4f0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.1MB

MD5
a3a3e1b58a618c0f86a759e464ff8d81

SHA1
7f61eed855bacaee8b2e664d21c50feea30e2f4a

SHA256
89567a09e041f7115701df33fe5a5352550a1d67fd8041505f8ef709fac8b29e

SHA512
63be5e279e563fb3e4ea6ab273aa69ee14c5e91b9033ffdce5a8c6d6ccd200cb15d15cc65a03143b8adf6bd66512bc96ebb7953db25439b57687fd9e32429ac0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bdbb9f6fa0d8c49ae4c8785097a72d9b

SHA1
f8aaa58b1f014647398baa46186fbf5157d55f31

SHA256
c4b9480a0f6bbb99e1f8adb86690a7d5975c44aef662d77cc65d8ab74627c51e

SHA512
49edbb9c570d27705056ee9f0ec53c2dd453ca296385bae2c705d58ff6a87a43d76dee20b2d98e3ac686ffe1c6487b7526b11ff865fb4ff196b2d4d6e106cf59

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
394KB

MD5
9ffce58d3976ef7d64ea3ae964e78293

SHA1
3b9e9d934bfc07acda3c24b22f556aeba0b22658

SHA256
b84bd40b28be6984a41c484f3e2883f8dc6292933162bcc18b2c964aca7b08a5

SHA512
e1ece8799d59b9dac29412c81de217051aa129ab797765493c7234f390e12e58ad9d9d1e32b28c31adbc68714c9b7b7b29d354cb658c39f233144da1a3c3880e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
171KB

MD5
b24bdd4e78fd934ef121e57560893ba9

SHA1
4da09a70934ba1cdd7b8ac2c0822c67e3c62eb86

SHA256
ba8aa71164bcabf6ac597dbc3ffd1aac2f42015cd211fe5f314feebb7ffad39a

SHA512
4e0a8679d4b2922d5f8f9a99a615b825359bcd2b25c9dca0c91b07e31f664d7aed5121eff713ec20f5e40937e7c9267455d93abbb1541a3fc45fb8d6bc43b042

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5266af276cc38b9a6100666d541ca8d2

SHA1
e83869f232e77bcfae50a55ed951ddbe34ebc785

SHA256
14eae183964861df9508e70d7d88ddf1ddfdc345e20ea93cb9d12bd61032f374

SHA512
d47fa4850da8925b88fe8ac5d585fc22f91074ff39675b32c5bb2a51041f4231aa27b225157ca9352d0c32483d913fa912948f02a4613721a6c2a5d7822b7e99

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
744KB

MD5
691e39c1b16894b9299819cca8f161ae

SHA1
0f677c75ee9a6c41b61a0ad0c0a541ea7dce4b73

SHA256
df7d09455d86ded30441dca2cba5abaa2e7a403c7cd4dd00e361c4f7ccca5289

SHA512
8c47fb960151f3bba232a77a3c445689ead06a25a7a97b06a15ee51c44a5f4b695bd46daa32b98155edaca4964db093ddac0a3d42e63afb3ccb2cdfb0e92fe13

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.1MB

MD5
3a03258ce65db9d8bb2ac217fea6e001

SHA1
8c1b9a256468f741ba88a5a1f680a47653c960d9

SHA256
7bcd3f134bac31e949b40377672a6b43df8d2b32c0c336910e9db81054ada621

SHA512
d22b2bdb154a219c0b28ac805827f6c02163b1590aee4176e9d1157081901bae319ab61f2495f94e4f6b024ba26325c4a7d30351d50bfa9fd6efd6c8cc174727

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
2a68595996944c775402ecb26b2bf032

SHA1
c079e013de8c3553fb48d525ace1a7ea4beb775c

SHA256
0072658f17b36e14083141f819734efc0f78824a1cce653d64fa66888a5b6dc7

SHA512
66023cc1145cccdc567f6b55955be46f8e08d930c2a3fc3a30133ef473f4abad3811a047de47aaf346eb167de4723456350b5497a8e182e32a310c15b76df472

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
559KB

MD5
5e3c337b0975967245a2ea5deeee6b9a

SHA1
83dde3b4994e3e70c8dc9d52e9e4acd84c187ff0

SHA256
8ff917b68e342cab34aa5bc697c45c702c620f1ab400104362c2f49243d18b37

SHA512
6a67a5ec8ca81af900cd3d1c8af99f5f1ee805b523670d7ca12e40160ba0483d77b8af1dd0ae03787d87313f2b0a7e1c9c65d62ad753f9e2ee7661b4aa69cfda

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
201KB

MD5
f52f5c91393ee9d17bb2b0d630414e49

SHA1
31204e8d27013f4111d0114fbb168e47c4d99ff0

SHA256
b805f7c9ee340cc94c32a22d54dc29e2713cc5660dc33ebabc72d375881d1042

SHA512
e3d0ecbeef64f725457c15b05f1787094bf6a25cae4743757f5c21127e9cb1f7a5208a1e2807d6a363a289dabff767b4f6b7907cf350e89564360b8bc865e442

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
340KB

MD5
5f16d7d5614434d4e940153520d4ff92

SHA1
2be04fc94f2a7f29adbaa79457d156962dee48d2

SHA256
d704987e1d22cdd586bf3d355b1f342014d4415083fa8010b93215fef126eff2

SHA512
b1eabf31938ff9c0f58b27a0feb4fb7de94afcbab8bfb23735ae2113027079fd03a3babef60b06e55332428276d7a24c0f389741b339b6bb054a9b31e561a6e3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
299KB

MD5
d3e3d9762b2d7c5f208460fc3bc8c61f

SHA1
dab94c1d9a8a5f0348132ead661d1c557b1bf105

SHA256
be51e12aff4074a67232757a42a12758fdea75642f7418b13bb35669308af76d

SHA512
69a57ce0d1e8045895179df7546863a44ab20e47db39fe5f95a73b140c79817f6587e7be3183861f8d5ecba9240a8e351f74908b47704196d26166bba9ba9b2d

Download Submit
C:\odt\office2016setup.exe

Filesize
339KB

MD5
a22cc0f2cffd99470b0a9c8a8e76bca1

SHA1
162a536d9ea122b7a0e48b1718bdcc35dfc4bcec

SHA256
33ab00187ca582338ffb74b177b3a69fa79db6b094295600a4b550aad1878edd

SHA512
2d1e0170dcf14adc20690c7a4187062f9c9d5c5767c177f9f4ddac5b4a0d93a19f0d7f901a9209c6e397082d7785af6d2bce846bdba5d12042aed946f0452773

Download Submit
memory/228-184-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/880-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/880-492-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1396-146-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1396-157-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1396-203-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1396-149-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1556-299-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1556-174-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1556-179-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/1556-173-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/1732-12-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1732-141-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1744-571-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1744-482-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1864-139-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1864-124-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1864-127-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1864-133-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1864-136-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1964-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1964-109-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1964-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1964-101-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2040-573-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2040-488-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2536-92-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2536-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2536-69-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2536-147-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2736-142-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2736-194-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3420-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3420-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3436-570-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3436-479-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3468-217-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3468-162-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3468-161-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3468-168-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3580-469-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3580-222-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3660-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3660-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3764-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3764-303-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4304-218-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4304-468-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4304-210-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4716-467-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4716-196-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4716-205-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4756-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4756-462-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4756-461-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-465-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4900-191-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4924-300-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4924-7-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/4924-1-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/4924-125-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4924-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5064-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5064-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download