4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
Size

1.8MB
MD5

e323c4bc84ba905ae9c12c6c8f43c494
SHA1

1033237510e80d426fd6705ece4f4efa89df7166
SHA256

4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8
SHA512

a5395c9080a98ac8b8202c27da895c662f01efaaeca1d7492653bd36fba05367bec781c1352d2d9f5b87284ffb311306142eb9f62ba5246dd7102f01a0055f48
SSDEEP

49152:+x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAq/snji6attJM:+vbjVkjjCAzJzEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3228	alg.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
3112	fxssvc.exe
3412	elevation_service.exe
4700	elevation_service.exe
1508	maintenanceservice.exe
2088	msdtc.exe
4580	OSE.EXE
4264	PerceptionSimulationService.exe
5116	perfhost.exe
1964	locator.exe
4732	SensorDataService.exe
1424	snmptrap.exe
4356	spectrum.exe
3140	ssh-agent.exe
1492	TieringEngineService.exe
4052	AgentService.exe
4812	vds.exe
4640	vssvc.exe
1508	maintenanceservice.exe
4932	WmiApSrv.exe
2232	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\System32\vds.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9fde31b866ec4f27.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\locator.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54C7.tmp\goopdateres_vi.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54C7.tmp\goopdateres_ca.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54C7.tmp\goopdateres_el.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54C7.tmp\goopdateres_ar.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54C7.tmp\psmachine_64.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005c3ba1d9652da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c58721e9652da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed6fce1f9652da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000655b01e9652da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ad7541f9652da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5008	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4112	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
Token: SeAuditPrivilege	3112	fxssvc.exe
Token: SeRestorePrivilege	1492	TieringEngineService.exe
Token: SeManageVolumePrivilege	1492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4052	AgentService.exe
Token: SeBackupPrivilege	4640	vssvc.exe
Token: SeRestorePrivilege	4640	vssvc.exe
Token: SeAuditPrivilege	4640	vssvc.exe
Token: SeBackupPrivilege	1508	maintenanceservice.exe
Token: SeRestorePrivilege	1508	maintenanceservice.exe
Token: SeSecurityPrivilege	1508	maintenanceservice.exe
Token: 33	2232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeDebugPrivilege	3228	alg.exe
Token: SeDebugPrivilege	3228	alg.exe
Token: SeDebugPrivilege	3228	alg.exe
Token: SeDebugPrivilege	5008	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2000	2232	SearchIndexer.exe	109
PID 2232 wrote to memory of 2000	2232	SearchIndexer.exe	109
PID 2232 wrote to memory of 1052	2232	SearchIndexer.exe	110
PID 2232 wrote to memory of 1052	2232	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
"C:\Users\Admin\AppData\Local\Temp\4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1508

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
138KB

MD5
6044081b37dfcc9121ae688758962d71

SHA1
f107131db3cdb6e8b899363f0279923e9135b97b

SHA256
61e599eea60fb1061e6f459e4425948692e5b23b28fdede7727c655774ac4902

SHA512
b3d10167085526458e2105ec645c5c35ebe864e60006af267f5a24fcab2e9f7df91baa84cb1d76e5e5bd3371ac9f91861922d30180411003b9673b602415a307

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
110KB

MD5
26b2f15e1157b220441901bddacefae9

SHA1
ee7d499c4f11f56279840ed57acb5e568b7f396b

SHA256
68c6b3e0a702a83a00ed5e1efd2939d7c8c2e1df0eb9fc77a3cab13147bc8b1a

SHA512
68a37ff3eefd34028ccf72c50b89c0548a79770296ddce12de8378df610026884245c552bb9b549d16bf9b7f719a3e770431ca2fe1b554a29a004f7a1a902efb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
154KB

MD5
a8465c0d7e1c671cd3917af1b56ab985

SHA1
5372ccde693c0d1224300a6478fbd5781fc836b4

SHA256
1ce07c63fabe1f5b47306d33b1923fa70bf62ae1275d310fe240c54e91a1d679

SHA512
bbcb3bc51f4523a40d8cf53b01d761f306af64a0a51a4bb42945b2a6aa7014ebe55c26c78d26e2e36b8797171a92e49224d372a70a8cb7d52e685a67909a0515

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
92KB

MD5
f9ffe7a3ee58fcbe899f583bee5b79e4

SHA1
f16141b3679e8b7693fdb91e5462197e3378d0ac

SHA256
750e0ba00ec6fa1b5c0233fe7007c734bb405eadcec654ced23ad4acc0beec0f

SHA512
98c61f1418876de89fca378bc9cbd69cc9f9aad57ca11eb25ae1e6beba6d0de353025c6b38c211bcf1265b7fb9fe07815f70fb9cf02a783d91f53ba12c395593

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
68KB

MD5
58f4a626bd534cfa2a9870902862d69e

SHA1
56519ed7d9d4650e8fd2ac8986c98ea6bde24af2

SHA256
969701bfd50fbfa650ed3c47feb80c51ac8740664fbc2f609b918af4089dbf42

SHA512
b081cedc1c2c09734793191b1dd5285b8f454e771ea48cc8124c27e73cdf5fb0d4a5ab9c41bd4a5d7f7b13c20dcfdabe3f97fa1624b640ced1617a7ee561a015

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
217KB

MD5
f26f7fb309fc0152310800db75fea0ed

SHA1
26cb24c494da944ca9697cb2ee76ad3346ec5a34

SHA256
628981a8e197c82160e93acd203b7430343b3e6d360215ecacb081f2829a5467

SHA512
369a922be62cce45a5d49a3334fb78380652f222bcfa087e549a6a2624946ad4864403a687259c86d673c69a6ab7c606b9d315ac8bd4a49801a28586d1566e9f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
214KB

MD5
201e5e61f6e0bf97b9f0fa790d4c789d

SHA1
ccafd95fb57038f8870ea52b04351c93772db7ff

SHA256
ed12358e1704a40e5dd6dff954da48b145e64aaf5d4a94f0210007676dd5c45d

SHA512
517250a3b6ada5efe79c2d073cfe461b926308968153f4145864d96295ccb3d041dba48fe9ad9c8967cef8d2582494541594761f16e1ee5fc4ba3d96ae4905e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
149KB

MD5
b461570547b41a4ef0b348868469ea9c

SHA1
416ed68999f5378ee8dd6acc2044dd7a2c747a1e

SHA256
790a35f8b963329d509a6fc393e16f64f56a27e620684e4f7eaa703d1fd04bc5

SHA512
42f0843769061b67097f52fd99559b5bbef81ce8fe24196b1ec58ae6246afbd38e1f656c4c052325ddead4abfaf6e304932246ddfe49a65245b43269ef79e7e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
211KB

MD5
6c23aa9de89f070533f067d08919a893

SHA1
4838a12197cc47a5d3125595438f979d4dcecec9

SHA256
f61886465df6f7f6a4921e3f0364d1d20136f07ba6c9f6b37e1b50f171a3ecb5

SHA512
fbe210ac4b67bb0934ddd971ce7ded75414236f9dec69076c74e1316396eb7db0f6ccb7687c93e3ac566203eaf6a90aa8890896d2884f788ce90a6a0526ce20e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
43KB

MD5
be261eef19d2c813e8363d3a0ec6695e

SHA1
0f657357e0022faf2d61f72b8519c7554e5bd24a

SHA256
a2c3410526cbe297f14aebc526d9465ece2826139a1d23c2957bc345f597417d

SHA512
527a7189933533134bb0d5956fc06db9cf195d27d40a8f23ac69fb2ffe06b46b6e197a73ad35730df89a7a227303e25a1a03b1c98a48e94f80488255fc48c358

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
42KB

MD5
4cc1b3996f0c1cdc96616e788d84e994

SHA1
ad303c4606c6794ffc25a996a04297ae167dfe6b

SHA256
22b0f0f6b4489e251919ae4517f1604cf590f8c450014cbe0a4cc639d7f42760

SHA512
34417479902523ba73f95a39cdb3905c72448aa17d07eccd1c1230f4ab132ec77d4334f87010b94df6e51bac6ef784046268648d9479b7a777b3cde047e60270

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
147KB

MD5
10892fa3cae140e5de9a3e9cdf72d78d

SHA1
6774723a9cfb8dedb52ecd416af7534cb184b7d6

SHA256
e12101d3043c105f59a47a676c1ebbe79b1b0b474791d4a5bd9286357920897e

SHA512
71c799f189c1683200f222a43e8038db2180e650c4af1743b8615207f08d26e30bbe77966c07b49c2ec659708a681b04a0ed1703bee867531385926ba903a6d0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
127KB

MD5
49b695ffbb72a6639b661c34b1be953b

SHA1
361ff6def0d760f682009a5cd563f81a57f09ebc

SHA256
a3fb41a2be8eeeebac7675f130755173697e0da41def780e9e61cda01e20ee23

SHA512
fae61e82e107420193d34c1145e4a247131f1bd55fd38c2e671d5d554b6c8dbed11841ae122722e2a033e59c13bb65865dfa8f2ae3d6b0f5375381a0f88cdf6a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
99KB

MD5
e1aeb0cfaff9597b780ce765f2ab45ef

SHA1
67d21136cb1e7a0acc75f6cbfcede7c53199d929

SHA256
1e19bc002f9b4d6013e33411c90a94960d1a0bcb09e1cc7d090e983176cf6b19

SHA512
5da3605df00f2ca07884501c932e1d14205ee91aa196cb969b67d24aab443bc53db5ccd468211fd7778207926e9c014cb4796ea38f874f78c97355ebc17311ee

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
155KB

MD5
2e90f00bd32718ae94daf5c410d49d70

SHA1
112f504123ea4246df2c8f9e6b7527f2064d80b4

SHA256
e238375c7770f387c662672fb7ebca48be3d6203b764ba7d78db1b4515f34f74

SHA512
79e29c6e499eab63b14f8473620da7f3331ed7c75f7ba7e67c748f4849925367544308bad796c85a61dc98f59ce6ead5d375181260f229d17ce2e57dbd88c20b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
157KB

MD5
c5fc4e809557bfcdb65a67a4ad7bfd72

SHA1
f5774f3d0899ab0073ffeb108456ab66fbf72012

SHA256
0a14783e981a58cf12d06bb2afaa1c778ebd3723fe5c76cab2393c5ef1a3a887

SHA512
d1d6b3c427ea52ec251f2a7aea41ea4084e6bf7555c2825d46fa7a295719637c01a3fa6d5d1820b243febd8b149c7a479c30693e2dabe9e377968992e719ff92

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
92KB

MD5
e32360dca92746b17f05d79a0771a71c

SHA1
532abd6415d4a62c0fd31bd24d93ee941508d007

SHA256
d6101f422c80fa322f2dbff8bade4d63fc2bd960710d6fde697821d781d96675

SHA512
bb205ab5f7b7330e4e639eb31f8380c0faa368e48ef529c044215cd5c9d954c68b2189452caff4b86f391243a7e1a382e2be95839c484b14c68e32103c99ed51

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
67KB

MD5
3b467346293a51de2b05c9e2797cb1d5

SHA1
644bb6ab58e0ef959db9288daca4b0bf3df7d043

SHA256
9deeee824bf66b5cf17a18dcd511df822b9e22d71e80902124bf4134780bc238

SHA512
c487238619dcfd8cbd7f5c6fbb4a376e309f666d66417f310cd1e397061ca04e65985ffb98feb1052bfe10d88ba0cf9750661e88a041338f0a2dca712eeaee5a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
31KB

MD5
b1c01293634849f87d36ae6187b65eb0

SHA1
dee985895e867ccc5a5a3d6e96582f1e32b27427

SHA256
7592b4294b995b9cf61afff80ebfb3fa20e84cfc1270a55f036fe3686c8ccf52

SHA512
80779758cb56af7f423db5148d229d2412aee3e049974321b974638386e79efb5b58355996829562cd37e775bd91ddc1762c961623d8253b4de86e4d1220737a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
60KB

MD5
63609878d6fad53f50dc1826f338e2be

SHA1
adcb8949749c1d8a5eb74468c33dc6b434c03278

SHA256
491243b74f6f339af8164159d1c547b1d01ccba818b01b8a57070e63ccdf6c5b

SHA512
6819f82b5ac2bf7d88a892d417d6a0232389b671547940b3181f927099a17d62219caf3d50853acec9c51162a8bbd1a102656bee7dcfaa8b4dbef8eb54484eee

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
62KB

MD5
f196a04bff238b7a2a557cb865b4d548

SHA1
131f646923e53c8ac9144d710bcda04c65bf40c4

SHA256
f2972e179104ee4abfc15cf7c9f7d391b94caafa0d5da5ee99dae911d1951c58

SHA512
d2fc7a8943d638868b73c5ec0455abdf0dab419e03ed2e5df174fdd920b0a6ea8eae6d2b7d4fb60ec155cd5f9eef4efe5ba2acd948734b8889d440e4153496f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
99KB

MD5
9aa2d6f2febcb7bc01bc68d56d1dc4f4

SHA1
742faf53958d441f7f643b783d03bd4dd343f073

SHA256
fa9531e9ba7944aee1d99fbb681a1a8d329c3604319792e5041a22f61bac4219

SHA512
70687f50c984694185c65429ff818428fa73a81597ae8e9b8ba8b48e457af3057167ccd2e4a172084f35c342809fe02bfaf0a134a0be6ae153827e4c49136ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
95KB

MD5
7a97c33c7892127b740552681c866bc2

SHA1
0363c9e47b8c6757f28434fcd6fb7a7d429f7703

SHA256
c786e1ef8254c1ed918302530571530acfe03a85970b1ec695a528dc700e09bb

SHA512
9135f95e9e796459415c978a86b9c81671f9abd87689d6861fdd6a72e1973be751f8688c663542c2c577f0e41f0aa110bf5bcf1834ca25b9f92aedda2167da9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
88KB

MD5
90a71fdf2e603fa600508ce5df725c0d

SHA1
358a6aea5e9ddaaf1ab5c6bf30ec85d2a1d106b3

SHA256
416fda8ee5961e88c0ff6b684dd3a982f2c2d10de5df8cf8988cb17f0e0ed4de

SHA512
3734b73566b2d7d5d06ac7ddfa4036264626e235101df0adf2c47e689fb4e457b551e8b32b056f4d072b06faac71fba4531f616f5dd6dd808206cc047220fbd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
75KB

MD5
5652f733cac4641c15a8fa2acf1bc69b

SHA1
063bc4d0eff924c06f0f67380077f18eb7caf9a0

SHA256
d9f1426067bfdd9d5e522f180c3471dd77a58dcdda985ab9328b8ab9e8f625fd

SHA512
56d8f6ec2c61becb233320a14f3e3a322ae8471f39a6c9c7e70c6fe3784c7890b93d87648709b5c6ce5064054c2801b89a649a226b429669a3e4d3b542d58da2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
83KB

MD5
84b080ac7c349eaf4457f8c44927efaf

SHA1
df2a0d73196d2f1a221d9d122a5a09433ca13c33

SHA256
dde90f2c3c3e0135487350a1f185087de7004f9b49404ab70645a61a60179e83

SHA512
f5adea3b4ba3243e766b54a18c30450018931642f10060f89adac21aa3fdb750b0b0d7ab7867405f23f1b9fbef7c15bd63d98658af0c015f6f3292a6e0559c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
76KB

MD5
b583a6773e82120d5f903e6806f02add

SHA1
bb82922a50aaf2e286cfaa39f78d39661025e777

SHA256
e0fbab5b73ef1be3d7cc60106840d8ccd227e7f72a97d5c56c384604a450f43a

SHA512
07ab16af77ca23d286c64cc8e963cf519bff132e5e85e3f339dbb2bef436958f87f5452e3a98e8e38f2a4a4153a01c3f8b71481d587e823ffee3577269dd45bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
28KB

MD5
4ffb2d89536e48ee61c823bfc8a515df

SHA1
1e1ed2015eef4e72c392e0665fa4dc8d4a40a7d8

SHA256
c6121acaffc9d385eed4c37c36f74e6fdfd6872ef4d61a5a53b38961f32ae472

SHA512
81412c5fb34e006ae54c64ee4ab6907bd32efb49d9d06739b15ec50c25e1d583e1c2b6d150678545d7603a7a32b90a1816c0765ea01007a82f3c367a8fdfe287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
76KB

MD5
f0a97aba53034e33451643879abb25f8

SHA1
46a981d1c90d682cf8169d91190680c32d45fc1b

SHA256
b6d040b07187379319e02ec2cf32e8abfc6f84747ff109686d2223bef99fe19b

SHA512
48af988e0bed9311934406e0388a0e10c8b56f0ddfb037239076e3c12948d803cf40e4d797e46204eb274347063f50ef3ae351de6184e42fb45fdcebce2016f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
142KB

MD5
c56366ded6aaa5ad771aefe7e64f90b1

SHA1
5eda637523370f44ea2197f91f09f809aedf7630

SHA256
6a960e364f6fdfec222a3da998d441ef304c4aff4122732aa228e8993e2fecb3

SHA512
5e8bed6cc4ee2b80dc4f170deeabd082b060e35804d68b512a34e0d0c08ba8be6534de746fbf9b38499a4ca57d88c657bed5a2b43ee13b93d9473b0d7bc4b682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
67KB

MD5
d3e832b96d77a96c199c805fb79ba716

SHA1
0b2b45594176c0a6094c5bddeca151f3906052d6

SHA256
adb51f0ae819a47a30f2035ae36a253edec2ad1114327e216c9e5e3fd3e67f9f

SHA512
9347348404f9f2c5879e44ab04f95c4446f7fb560300886be7bbd0d7301da0647ab21ed530b532d0f37ec9b754703efcbdf73ac06cdbb2dce78f87fc885a2ee8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
50KB

MD5
c659e0e91c69d78a34890f7e88181891

SHA1
e29b3829ffe44c592678ec389a006115e3ea8968

SHA256
48317c3e7cccfb52cae68f43a56dc8bea8fdd53d9475f9e9cdcb54eec12a8e8b

SHA512
cb6e405c9ecc459591eb1c9d7948e7d46965bc15dfbaf437059b15791030ee4e57ae6731fb57038ea35c91d644d3022f1fba8329ac7359702dabc65784af37f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
92KB

MD5
9eff58f3b5b83c0d6ae67ab9a024d40c

SHA1
2dabb852292be13f94475e99796f3d2599bdf90f

SHA256
67852277869efa24043339926a07eb4f0276f28788ae25c69dcd6e13271a9b48

SHA512
488714f84c27a2c54be6ede41f3bbb4fb97bf293085a3d0b313c68ef93288198e737fd1f4b879eeebd302419187532ec1560ef9e6efa02a29025e700362debc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
61KB

MD5
bd92437995723701c8a398a3315a9be3

SHA1
ade6deb2ec09b363ecb0b2c6e9d4e223c855fe0f

SHA256
51d1937fc028054bec0c27711981e8fd2db7183ba8e1e1fc3607bfef41284e65

SHA512
7ab858483dad60f274384b6bd25a1721bef63d39655d3ffcb725dd085d0176e33a5b88d003e79387d6d31b79e555f2239561e0a65c6e2a3f4e54040433206089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
38KB

MD5
fca685a02fd799dd9fa7931015712911

SHA1
8c0c3375ca0cef32633e7504f9023b9d379aa731

SHA256
2cfc2c4d4aa0e8fdc701f583268d90dbaea86e82a34ab066cc8c4ee4fa24096b

SHA512
4c1203773b48b0c4f9d7844aff0b3626e7a18141956938c430693814e0f84f6e404ff9db10e36d4b49a13333e174ba449dfe622bf36cd6894113f7cc69cf4240

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
96KB

MD5
f7d4a515de8fb1a4ccc1bb15cba7effd

SHA1
dcdd81999efe24658f4c01890fee8621dca6243c

SHA256
d82399b31b9e7915f226dcd80d8433c1f32e193d1ec5fc31f7fb652acffebfee

SHA512
713520de88032f57b896e8ff68aaf7605f4cca6e09ead4024e73d1e0af817e9f87af3d06b0b0e89c0bcad2caedfae2c4c1ca9e218c718a56a00b5c1616d7aef1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
113KB

MD5
15bc22f299fc4c505dd8c33186572e8a

SHA1
50e94b99f919b96f7d6ff971b161b09b0cdbbcc3

SHA256
c1539677798e9fe8a25caa0ffa249a5a1b97bb60e947c3f7d4a9ea1dcc2da422

SHA512
1d9dbcf0f269a3ac43f1ed915e4ed065b3e03e6f3d9ea2d2499100e780ca23e663542edd0868fe5fef0e99fea573ca5a542750178433741e98dd5f4e6fc0e97a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
162KB

MD5
d4c9c16640ec00325fccba8605b0f4eb

SHA1
04f8ed2b02a98aab54ca0dd5700266fe2703b164

SHA256
a12508a4c21e061f226d9d0cd3208e7acc74e5cc3db2edb665a9295b2d43ddc1

SHA512
2c80b08ed0721a742afeae50c69506de62db6f86a36346100a7d7cd6da296d1dd1d140820d581c5ffc9d661a9062fc997bb0e67bdf1163a40ede9a7857a281e7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
124KB

MD5
62bf47b1a16a30c34609d23e367abdf7

SHA1
37c38b1c0b92be332b043f2181c3c33ba499b9a3

SHA256
2bc1de3589ef03762abd77eaff050a018a70733be9659a1efbb1c769e7325b01

SHA512
9a9115b62b154541a4b0a8fc7669b6ac99c80e0ed58c9a0384859d0c16b7b85facdb1ac5ed14a0b287494a7e62f5598b747fdf591d33070ca5a28a4348cc5b58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
47KB

MD5
b89f66aaed31051be3fdc8d187386827

SHA1
c20e8823fc1b11d4a369e54d6db96219fc2e6ebe

SHA256
6d999430ea8e9a561f310bb472cc5ccff5cbd46ea0d18a6b2b0ab283b6c25ea9

SHA512
4fdc3ed6313e6eb62a94c54ae18d8029915a1df5a04479fed94e150adbfcd9cc0428e4c7306d96d38111be6d405cd1e744e6602e13a47fed46d5ae315563ff69

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
175KB

MD5
c30de32d0473b0edb67509d731e0baa0

SHA1
dead6cc185a8283cb2673a783ea251b163611889

SHA256
a20c8989941c9643067dbee80a04b9f049fb6e41971c2650a52cbff129b10bf4

SHA512
2baf9c097643f0e6d9c726306081ec0ff64a64b87456efb78df4dfa36000d28d148dc02cfcf6055a2b7a5f0c7986cd0e633a58bd9178d164c262e42736b907f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
93KB

MD5
b2b3ea8431f8373828ecb250c50574ec

SHA1
c1a58940ec0295ee51164a88c13550644dc916e1

SHA256
7c0622d3f85d936ab6899dc409d287e6364606cf4b3934a4fc4accf28deb2768

SHA512
5477202072454f2d71667181fb2a4a74c88e6450a5ee7f36a575dee5407ad0d30a3f712c9ec0b60a940ebf63be76707fd7901bbfaa2f200ce3924957916c8217

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
43KB

MD5
6d84864bfabb313209aef61546028e25

SHA1
0507f32d766d6826715adf5e9dd9674ed73d1e24

SHA256
4f936308a6e33aa7c3c821af6e4d69d6f4cd46446ac45fccfb85fe9b70e08d03

SHA512
4ee0615e319d36565bdc21b318d8cee8c1d6e396886621228168d6d0a6f62b41d64f431a6da3d2d49745cafff3ac0a48e254cdac1d28ba58916213f009baad13

Download Submit
C:\Windows\System32\Locator.exe

Filesize
44KB

MD5
f61be92defcb0003f0730b7df6a32531

SHA1
54b8850dc305b31e3a746b70ac29a19efd8565bc

SHA256
89f55072c0706478da7290406946d34b4adf75ba4267356b0247770f5d2221f8

SHA512
f1b6706e1f25db13e0e1c45f5ec53d0bd9b1f567f08b5f4b8d8a3928171f888e1fe69d2e3353bbd2422773ea90f996da0a679b78e1590be3daafeac93b82de92

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
46KB

MD5
62b10c09f8ed0a196e13702b2bc8b017

SHA1
a3ab23e91c65da305d0847622b230b5d1c19e6e0

SHA256
d2947f1d6e008ca9ff3afb1dff6ad90e259e211b561960ef1901b2b7ac934fc5

SHA512
62007e8dc69fc093239a3f4a7bddd8afae0e84325f148f8af708b3f096ab7119e7b177307a70b6015bc276d7085c8da1852d97a24632b559b5c712d8a160e953

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
119KB

MD5
a7acff5a8d396b2092ef794071424589

SHA1
89e1fc6e99acdd372fc3ab6a9bf68d3286c1199a

SHA256
6ed225415803477415c9e66fbac6474e27ed8b1d259bb07d09026c8f7e600970

SHA512
39c40fbaa4bcd210681da395180f4751383c784bf487b95bfa6249be204dec1a16ef213f6a85f702d8fb1e70add4613da140be46f7d3f034ac8f76e3744f0dad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
135KB

MD5
490dc8d7b61c4090d26dda2a3a7af9d4

SHA1
fbc55de4e390f845c047e8feb9231598ad8ea202

SHA256
9cad12c48990b8975c9d496ef24aaf5a39cfa833331579d274beecb4bac4e9c0

SHA512
78b2f169fc8a6c1349b422f1d59597f3d787e9740daceda5742d6f6105efb5ae951d8b49aed0011ebc9a6603a3661484d212da540e725ab7bc01adc2b8ebc81c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
32KB

MD5
cc8f41e9319cb94fc075f1444cfb40b5

SHA1
1108f48ea8cb177dd6a16b43a1cd217a90837406

SHA256
7aeb617fc8f0fc32d327a4a4ea7e655269730aa1c4834d69ea5eec159eed213c

SHA512
d57dce452e24921d2f6bbaf5ab31e1018115db21fa85622fe3d3db917ee2cb2495b2686c664b99bdefcc2214d87bbfc4d6bc0e4599c22e5f5f36b389e4c44879

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
15KB

MD5
d28909366026384b38099c889737175a

SHA1
24ba8bfd067e3fdc8c95321700c6e6824b21c911

SHA256
c197ec7ebdf03b606a7ee0349c20d442f8227a53b041d6ec433e1ed7d6a608cd

SHA512
fed9866059db3196f591a3b79c198dfa54a329590615871a7efc7853127d19f8133313a30524ba40ab895bf7581fa9bb349f5400780312181ffb3d8cdca77a49

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
101KB

MD5
4f8f617e3031d57db551c558f3b3906c

SHA1
fc48943a839be22903e5cc5ae199b9823e73638b

SHA256
9f0c3dab475bf15d593a77c9184a7117cd9e08b3604475c307f5d1c251206ed2

SHA512
4a49b6403be00e5d7349343f0664da7ab3e558fc3c1b8ffe4501d238e2f5022d7c590f4640180229ac3007c4f192289353e49a3deed903cbe77d1d6e023314da

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
180KB

MD5
4b84e052984ef1007e80100ab2327cfa

SHA1
8410883123cb60fac9aa24551480a47c5205ff4d

SHA256
e8e18115cbfa071e9ebcbefde330445f10563c1357714a9624b30d0950cfc384

SHA512
591cf4fa22f0488fe6829a51567ba9e690d46f7072490db4b3dc237319faa575134158265f88d0a7f5d2cda03ae15c780add5ae4e85dd23cce44236eab116ca5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
19KB

MD5
d6badce28cbb4b2328ff064e78fcc498

SHA1
d532b05966eb1c35770f3c42a06528bc096aa612

SHA256
75ee50aeccbd4d478f3b97fbe0dae7c3d9874ef2f44f632071fd07ee9c2e7c53

SHA512
687693b9d99310e9b64443cdbad894f6b3fc2c4b66bb3f78fd11ec50dd458402f77a2eaf5aeb7fb5e2e65ae14ed105eebf9ce46365952d6237642d2c0cb1c3ef

Download Submit
C:\Windows\System32\alg.exe

Filesize
164KB

MD5
ca7772947ac8342df922a20cdc50822b

SHA1
df6c71df03475a34afa8e12efc8821989055096c

SHA256
cb124f960b1bb08304044906da401c1ad46ada6f8aab7a2c184ae52b7f0b6777

SHA512
7b5f73c4692273aefeb6fc81a156b408cdc2dd4077e558060476f2b3123caf22560ed3018722ece85c6b8b31598b9c437c2e81dc2ac6dd4d343f4ebfb62f46af

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
69KB

MD5
9e046c3ba45936786bba09992b67b196

SHA1
e6ea56a185e6193f5d04aa2e87352b4a4876c7f8

SHA256
bb30a7a51856eae2c653e488a89d76556f0e5acee8ebded0ecfcf5e61cdd120c

SHA512
a6297f6fab4032a60a9996a785bc5846f8a45528a86c7ab7d3b3d4cee02af8d5069292706b00e4359c620562d3d73b5972c360759479fcd5e4fd6e7827330f82

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
27KB

MD5
60f8c898e8254bb6fe846ebd6939d56f

SHA1
e7b5a7fa86d570da8c23951845746829c0ab72b3

SHA256
e615b8a88ddc3e11f4d4db94f55672e490cce0044c518af55958fcd7f933c309

SHA512
772f9b4fa8b9886710d51441296090c2d08ff6d382f4ccbbf5d1d7f40926d0ac20a4c8959f3fd6f4c47218988e7ed33989172838ec29f9ffa4ccf7deb3ff4b5c

Download Submit
C:\Windows\System32\vds.exe

Filesize
186KB

MD5
b422a3551b525925eaf87a39855e651b

SHA1
8afdc2d5bc482c31e3b338d4886aaac89661f64a

SHA256
85cf39b99856eb52637d7cc4682ff4f60b2c8500d952f939aa22fa7538084703

SHA512
8a62a899e564f455ce9e4d09363297ee6af36e4ecaa2cfbcb9a0cb9da417b6ebf79c260dce4958c2d3a52a95f12d969e956a3e343e62b853c3b091de8683fe31

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
34KB

MD5
510a81264c648613e9be03169f432d55

SHA1
bcef5a71d9f2887c8641f9a4520c7802cbb0b37b

SHA256
fd681bd84d5d7f1ace476681e1dc4178aba7592891a7edd8d51316a9da319b07

SHA512
03620a2a73d04cef9d9d65f2bcf373ef65027042287406adc35225d18ff71cbb285d509f62fecfa1512a24719459bf13b486d6f64d9ff6570f868c1b8c4b95d7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
17KB

MD5
0b7f1938935a1c780b7b1907cf18773b

SHA1
a3a0ed853f4bfe97b94e10e318347efb3fa493f4

SHA256
c15405ff5279f4d5f3a4aac6a7c5c79d7b651c56868d57fea9814d78185ff47c

SHA512
a7892cb87d6535ebaedac621d502bfd4c8be2c630bdeef8505c1c24be32059e34dd11ce9a6fac78960c39170033645ca6c7d43fada3e1aa7e0a840597be4252a

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
196KB

MD5
3df2f3c92dc11953339920f0f4d83e04

SHA1
073e71309dd12157fa3d9b1efc61f7e9c2328090

SHA256
6dce54a5d8f72bd235b1cefeee2f9ac1921cbf6c6fc8f11e9ee1450fd526cf39

SHA512
ad445e06faa4fe00e02a192e9d4387c2263e237cd609032e923d4e2d9ddf95cbe4d51f5d43e1c411dffa14f6e3304ae673449153f9d7785ea0367b4bc22c7b8e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
107KB

MD5
b5945c3414c0ba74becadbe9d1bc0337

SHA1
8228829f4b5381c94451151d8fee9d7a6f45a6fa

SHA256
b5af49b0c85197b750736d19d323cec6d82dabde093e9b3100ef82a19c83a253

SHA512
08da796a5034d495fd1144b8f2778a31e6200c13a2c591147ce76e84f1975050dd5254f20c545be9f74d73e762aca946a03b4be03ebd7dc76405e118327724e5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
181KB

MD5
0c5caec439f85fd2c94514c5493cab5d

SHA1
c5d408778af27bfa9ecb267b80f2f5b44a1ec0ff

SHA256
deabc1a6e2af8c847680d14791096e8209e8abac116187e44ebd07b68618a959

SHA512
aa1e06fccdb038f5878558f84dd9f67c3a973e8815a0595f7e8258857e941a1be31d4d03dcfb81c0c29e9374f3904d0001994fc4415d1cc1abc38860439507f7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
55KB

MD5
412e94db6395e8201cf8c7301edd366c

SHA1
910dfb05f872285135cc009d6470a81263047fda

SHA256
1589ac75c372689d2aaabc654cf16668db72a98657d6a6507969e496905b02b1

SHA512
e74e37a1d29ce65ff398daa0bd5b3460aa376644cf62b4f79d9508b933c43677752dd1102de32a2843eda2cadb97deed1ea2e02df791ca270709c37c5262fb35

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
193KB

MD5
5eebe47a75e4d1d2a76445c9696dfab8

SHA1
248de280022d0fa00bb151bb4861eb986aa128af

SHA256
14cb1ed45a3a2db857738d288b4153da228257134a443ee1591dedfccb470182

SHA512
dac6c16142648c90dc2cec4c73d25de79ffdcb073c0b4caed36a39d54ea5eda31f135d3b9b9dc1485bf81a4c1e7d884c091fa4a027293679e9786e9dc287b7e7

Download Submit
C:\odt\office2016setup.exe

Filesize
149KB

MD5
61e3df775de7eb81fdfe4dd2bc3be18a

SHA1
35be33eb4473ee5703e33fc3cf9bd4dad9eb15b9

SHA256
d680b81d1b038d14b80e799c58ed6a4239e18322699da366c49dc85c105939b3

SHA512
c5d637496d02ad036f3b5d3b995339f0271913f38d3bb404efd73156612bb8aa6163959e3565cb070d9f0ad0ee82aa2d5a9e4acef3f2244b2fb0bec55d324fdd

Download Submit
memory/1052-646-0x000002A2D48D0000-0x000002A2D48E0000-memory.dmp

Filesize
64KB

Download
memory/1424-247-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1424-241-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1424-309-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1492-280-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1492-349-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1492-288-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1508-155-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1508-345-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1508-156-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1508-149-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1508-144-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1508-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1508-142-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1964-279-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1964-213-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1964-221-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2088-159-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2088-225-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2088-168-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2088-160-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2232-370-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2232-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3112-110-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3112-104-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3112-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3112-113-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3112-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3140-276-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3140-335-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3140-268-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3228-141-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3228-11-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3228-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3228-27-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3412-118-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3412-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3412-124-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3412-117-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4052-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4052-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4052-302-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4052-307-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4112-6-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/4112-574-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4112-1-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/4112-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4112-129-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4264-195-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4264-261-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4264-189-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4264-251-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4356-262-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4356-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4356-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-175-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4580-183-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4580-239-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4640-332-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4640-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4700-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4700-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4700-130-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4700-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4732-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-234-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4812-310-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-319-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4932-357-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4932-351-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5008-158-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5008-92-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5008-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5008-99-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5116-266-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5116-209-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/5116-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download