cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
Size

1.8MB
MD5

9ab77b9bbb0b24a5b8678e4f5aabab5a
SHA1

4a8c1b28da6c5faa2f6c590caf760a9f867a94cc
SHA256

cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab
SHA512

58a148b54fb3d4c6d330f395b2cc5b4c6597110f96a56a00c0e5989eb34bb3bcf1b882286f2297e4cda45f7cf4825b0a7f92a554d7fbf81e2e91e69743cef6d9
SSDEEP

49152:SKJ0WR7AFPyyiSruXKpk3WFDL9zxnSy9TQHj3D:SKlBAFPydSS6W6X9lnpQHj3D

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
440	alg.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
4320	fxssvc.exe
2604	elevation_service.exe
1788	elevation_service.exe
908	maintenanceservice.exe
4480	msdtc.exe
4980	OSE.EXE
1524	PerceptionSimulationService.exe
3668	perfhost.exe
4696	locator.exe
3204	SensorDataService.exe
4624	snmptrap.exe
3928	spectrum.exe
2240	ssh-agent.exe
3712	TieringEngineService.exe
5112	AgentService.exe
1832	vds.exe
4688	vssvc.exe
4664	wbengine.exe
4248	WmiApSrv.exe
3036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eef6cb3214007a37.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_sk.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\GoogleUpdate.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_ca.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_no.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108328\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E677896A-E3BA-4ED1-96E4-D59F52A68832}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_cs.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_it.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_ar.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_ta.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108328\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6C27.tmp\goopdateres_et.dll	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c86acfec754da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c522cc00c854da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005853dbffc754da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000248b8dfec754da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da35bdfec754da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000644e1900c854da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075a28cffc754da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014c2c6fec754da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c4ab1fec754da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1348	DiagnosticsHub.StandardCollector.Service.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
2604	elevation_service.exe
2604	elevation_service.exe
2604	elevation_service.exe
2604	elevation_service.exe
2604	elevation_service.exe
2604	elevation_service.exe
2604	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3080	cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
Token: SeAuditPrivilege	4320	fxssvc.exe
Token: SeDebugPrivilege	1348	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2604	elevation_service.exe
Token: SeRestorePrivilege	3712	TieringEngineService.exe
Token: SeManageVolumePrivilege	3712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5112	AgentService.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeBackupPrivilege	4664	wbengine.exe
Token: SeRestorePrivilege	4664	wbengine.exe
Token: SeSecurityPrivilege	4664	wbengine.exe
Token: 33	3036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3036	SearchIndexer.exe
Token: SeDebugPrivilege	2604	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4316	3036	SearchIndexer.exe	116
PID 3036 wrote to memory of 4316	3036	SearchIndexer.exe	116
PID 3036 wrote to memory of 4304	3036	SearchIndexer.exe	117
PID 3036 wrote to memory of 4304	3036	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe
"C:\Users\Admin\AppData\Local\Temp\cf28ef0d7c5568104b7b273ef8ba3a02d022ec8448e25179f9f6d25786379eab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
484KB

MD5
6e5697578ceab52a0ebe72675b306fd9

SHA1
0cbd0d11d55e5958a22c17fb9be974032b0c9b25

SHA256
660fea78fe3811e13f8f0c142b4785f26afaa583cf2640fa1eef35722f4ef78e

SHA512
94fd1a57569d5521ff17930dc21c5b370d6462195f71d6df0324f57f99f4a4203bdd1a549e55799a8f3ba96f4b22547750f032f1048ee702edc3b23a4e82152c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
27KB

MD5
f17ce31844c9de20298ec53df73b267e

SHA1
2cda81ff0d6969957eac2fa240465eee6641243b

SHA256
0abf8a1e84aea8e31eed65f5c810d607f32007d63be606fa6a15359974234050

SHA512
39ddec281a5fc9389f4f263ae281f4e425c9a00341041e58c0bc2712860e5056f41324b1b292ed1302e86b525268a5e4d21b1aa09bf7e0ed7443960f81f5b662

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
124KB

MD5
3d0973f3e77e1e04608b028da84e3fc8

SHA1
c9d77e012c1d452ad8e64e608f18eaf1c13f9742

SHA256
f17a557def17d5d7bc28f3fe580c6bd7ee52fb29ba679bd984501c4228b4a47d

SHA512
cebbd3731d37c30a6ed9633a25b221321c64a8b649e375af4845629a483be8f58df6bf0de6963b076877259f86c680e547ab05108a6d4832c0fabba7e95bdf3c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
359KB

MD5
e05334e10338f3120d3a3f44d47e4a73

SHA1
e8abb4b658215a7b106e6167381411f24004acec

SHA256
6caaa2cefa1897f03f68d6c612775387755b2bb2762bf4b80fd3eb33a5a068dc

SHA512
984b3802c66ab68279c7faa06e99a7095f31d55de9493ea722165eda93ed193a455511681dc5c4aa34ada61fd1fa6aa32e9a7a1b62632e58f8e4fcc6e9b057dc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
402KB

MD5
7aa7e0e7c616c1ff10872692114f71ca

SHA1
4251f30d30e09a381485dfbc420a060c703a59e3

SHA256
c236ba4fecc6718587ea08addbbe0aa5c85dafcdeca0c04b284f3cd3b56ecc40

SHA512
5ec1be158a9e7389b331b9c107ee729991ece50849a3303c51b0585479aac13d45cfaa556863a8dbf9e1305771efac24631e6f87c942cfc965488553a46a27bb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
463KB

MD5
680e942d98765598ea1537494226352b

SHA1
f6cb602500b27219064d9bd7b3fa5461f771f6c6

SHA256
8e17d72f63d82a59ab3b3e419b6770d47670b35aa254be3dbd503da3b62f4e95

SHA512
9488bfdae8282a420cb00abdaa2f1bf6350796a25868faff59d050bbe8df2ca9d344cd223ac6abf62aede6582dcc170ac420261fb744ff67bffafe18c395a81d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
478KB

MD5
d29c242f8807afc2a89cf460bf1c97d5

SHA1
429a9577c4d13009923d6ef9aa43f8ca02d6942c

SHA256
10d831d422c1e4ff171ac4e44dd5c3e17b2d811ab08ee5a1ee8bcdddcda0f02b

SHA512
07c75192939360afa669bd018e663b758d2672a369119d0ab83dcbaa941dfe234c91faf542f07b76f88fed3b56422dd82822db49e9d83dfae3dd3788ebba6786

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
372KB

MD5
eb7f14fdcdb63045c14bc13b5d3a3916

SHA1
c323db4e30f7528311e3c09cee993da3afadba91

SHA256
b59e89515257119b84f7f414981f09db78e3ebf3cc5846b9db1e72789018c15c

SHA512
247adbcb94af226f7f028f5e9b2a92cb9df83e31377729c18d391c58f71f7c4b43db727e3628968d6f67f1dd0f640a3c58582dc9a97e52abb796c7a701d0e98d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
277KB

MD5
c3413517a9a1829d9694814281e6df59

SHA1
4c11121c7a5db6e589aba5a8dee2035f2bf20de7

SHA256
127574a6baa035e35b8f3d974abe5d1c63beae946bf99c9c11c91c6b1779b2ae

SHA512
cc94a80ea6b4a85e58083925718e165f7cee6dc34e75aa30f3c976728e95af1cced85b980ab1894fe94af03bbed2aa7bd4bbbf082a00e17b2e19c8c27f41b6ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
92KB

MD5
45ee231ec602c621bc813bcbb03c0011

SHA1
b174b8cdde6679811fac31742d21c987b947acd7

SHA256
17ee7c396c3ea8b6791273eb1d99f78ff4219aa681df08ba4b79b6536ae1d4b2

SHA512
e2509bc3d4bfb61800470379b70e3318f6a3bc2c324346b2dc69d171952019bd3ea69a00668535186b2890866967023ae7d59d52f5ae1d6917859dbec01a0ce5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
100KB

MD5
4fa9b3f28b7ff1a35676a5c775903dd2

SHA1
9806e397c736855bec343e42a0f81cea283c3b6c

SHA256
331a7511da84edf879d3e0289ddbb0a4032cfcf4b37da7b80f751bb4cc2197b2

SHA512
8c0609d6d5a2a102df2afb18f76a17e1ec3da3f0f4ba5d1d470f827bc3bf8861f3a3c61528a46333cfcc9096de63ea1517e70e6e98675cc6b4547467e269a1a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
517KB

MD5
146fd7d59163a86584d4835acdcb1a79

SHA1
8d9b85e3676147aaba14fa9fd0a030a2396fa4a7

SHA256
c0345b89ffb16c812266fae2643ba208b7bc52755b25faa8917deccb5c07f59e

SHA512
a5205354ce0012eababc5fae9a8e312db7ac5139e69db924c6d48c802f1b125b49d529e2cb1a37a975111f14c39c6961f98927bb891f47bb1178a119644160bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
477KB

MD5
c5ed74ed03120096ac9649de5a829a01

SHA1
8920b903f5d1a2064ce06e0301896be8f3f827ff

SHA256
5aee3eeffa12eb4d222988fb4919ee7f8494092ece46387d89760d13fb539c7a

SHA512
9560a57dc4a980a240a33a045c9dd56eaca8d30adfaea065cb6d83e21b35174c9f17e3c9460672bb01f2697b4f00245960c73ca899920ab73cd4cbd3e0f3f51c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
119KB

MD5
1dea6a56d62baef7465c40c8fc38c75a

SHA1
ba3c766d1c34a0f61e0c2bcd85fabceaa1c38484

SHA256
5ebfd7c2e68bbf9fec231dd12d63f6c32b8cf732b4aab981c8b43348a6129a77

SHA512
7f47f1e72412f9ebed97fb4fd68f86e417a2ff834feb8a444305596a4ca1333d7c855ccfc4d53686fa6c50c10c8a71ac28f908a0997a2c09ec28a4ccbb0db9b2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
379KB

MD5
955091f113587112a2efd365e967d306

SHA1
839dc2efd0294e80023a1fb63504d38a382fc2e6

SHA256
b1dec1e486e49fcfa2e4ab1a4849bdcce6629d7405a91d1aa8c62fbfe6d5680e

SHA512
b0e6abd3b51fb4e6d25c276497dafb30c19f8089b9865ae53dabd1b998152d7623c73ccb8f78a567ee9551ad8bbc32e13c7679e366d4123fdeebc915414af5e0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
356KB

MD5
16fa750a3395b5703d8911a2bd0aa92e

SHA1
36e3c3f1b627d12b5c96eb9b09b6f57185893b8d

SHA256
a870ca3cb673ebe0786fcb0db4636cd010575616c706a757e207147382f78a60

SHA512
3124100fe8f9273bd9cca50c697e364ec3f6a8b92b031506bfed372262c8ec0120ca0cd98840d351ebeb51590205ea008a1553e27c9a6f94fac638ab29a32de6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
523KB

MD5
797f449f07fe4473db57d989bbac065d

SHA1
fc50a37846a6479c607d0aa5f982161ae5814839

SHA256
260dd33e617a7b0766e2e4bd4ede46921707b60f1493c1e218da712dd57033a0

SHA512
a8648b0c85459ec0874cd59735f104c293e5f182b6fcbc2a9af63687eaf6233cabbd0664324fc78523627a60a1ed351c56d51756f7121cdf78de78080f2f69ad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
385KB

MD5
ce9b08575866516569976700df363d63

SHA1
750f022f995f8c75bd3f00026b11cc7d5936ed15

SHA256
00b341ffe28d82bd0876dcef3f9d82e60dcb35460e7c457a55bfc7ad1934a79a

SHA512
0a2c267cea44ddd1e6056d7af5b0ad3f851c3a23c4677b490ec81db8a51af4dbb30ae634ef7757ad62535fed67cd4a76d129400e3c0f085d895b4ce0f9069c98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
608KB

MD5
4cfe1d853a986306befdd60653f4ac89

SHA1
a4966568e3c9d998d388aa7c494cf913551cfa39

SHA256
6a1b5cff242014a2bae3ec5f3e10b5cb44a7a54d6e4c0b59870463b6e1f3b9e8

SHA512
be8d1715567f14ccc77a3f893fcec55f67236176dd0f63590585daccc128792a7758ca856c21be8bc31429ee33dadd50f2980687e74c19d8eacde4b0d185415c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
232KB

MD5
d40b738febc2d2f67eec2dc1bf3c3f45

SHA1
cbad45250c57f0050d11b4df1ac33e7a58a8cb3a

SHA256
e20b9544f4f6a6886b5d8c20f0503db05da19893fc7a5e5056760242af28a879

SHA512
bd371e7120482abcfa72cda372336cbca13f4c36569478b666ecce2b9db6fe81a388de797d2b778693fbb31d47947545bc199c3f7279607626194c01f0359544

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
379KB

MD5
f81dcb0f123f11ac8a422d7189eda762

SHA1
c076802aae396399ee7fd17bf5ea7b3c59262f21

SHA256
5b62234ca7d2ff1854e6ef95a1d6287a0b1484b4f232358e28b376f640659137

SHA512
8955f0ceb34794f70e6cb2b914f4131567cd0d8966eaddff3d358a141069b7c48d121946f63f8f1d231ebf872ca2d59bd64d4b0720a83320986454aac236c4ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
335KB

MD5
6bc639021aaeec7bae780048f6243ca3

SHA1
f8dad8fb6750aa215b4599f3c5f621e5f4d59fec

SHA256
40981262425b2b346464f52e5d08e5607ec94b3388089c86db987ed40354aa1d

SHA512
3a3ac5ff296297cac06495768539e2a0fec2f43b5c0a663bca7d5e81979b9f6e6ba2b3c62101c8e88398b1ccfb9701d313d0527f4592d866ee1fe4d6f5641801

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
327KB

MD5
a2d9a187b60e9c344295fb88a0b73d0e

SHA1
c77f2ffddc8fec7ec39f5d6a29ae799853b6e326

SHA256
0d2a5833d972c6d61953d653039747303eae6c82d9003dcb72672e9f49eba1dd

SHA512
7513abfa8455843af3fe1376c4eb60321d620eb06812e3988c59adc0cd8b214028866ba21cf70341d5a3ca851b848507c340a71dae8020aea322b9636d60849b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
237KB

MD5
d6eec809a81a4fabc8ecdd6fd3f99750

SHA1
19aa4929e4f3d2c6ca402d57c92cc0d8be7dcfed

SHA256
0440428a3b060550709e8179174d8d592b76a546d3111cf81e1c0074a26204c3

SHA512
d580838ba1a0e8aa0770cd5520d82d9dd32a04f371521f9e1c65fd5898e87c1b85b0cd56d9704d076eec01f4be11b2ee63bf726b5e4b93b03be4eff8fdda88ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
280KB

MD5
499ace29492251adfde97a0d601ef6b3

SHA1
db5bb6fe4db9c867321db04efdeb344b7105d66a

SHA256
87979fffeffee9f8593cdc1875bc0c71603bbf8df091d1da84182761ba45386f

SHA512
f36c51787e34766fe73bcf8ac2d3866e50a16e2a215cdb30f1fd4254afea11c9b64eb09f2aa71cbac1be462f8b407117cc08171823ee596b95a91a263cc6af33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
452KB

MD5
1d2086c467bf123648d163f8fc05fd4c

SHA1
58954af9b2baaa9516e6dba60e9ec1dbc29b0d19

SHA256
b7f62a3ca71c5cb765b719fa0eec73749e551c3f3b35072f5b64e56f4753c322

SHA512
1ed38c43c62b40254960f3b721d1d92ce18114019622c69a493a320a03cc9b1e25a4917e0995c7d670b80b9b6f7cd527bbce043f9e52179f0443f6767c0dfe24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
268KB

MD5
d0cff29a5c5045ed0645ab13002ac126

SHA1
a702acf40a5f580c722c342af0b9c7122d913b76

SHA256
2884a738aaf397ff4beaf91e37fc297bf808a279d023c89874a7d3f8881d8fa5

SHA512
20f016acf5f2c278a92c56b5859f2783ea08cfb108a18eee38f8beb0b6f6d5a44d800fcd5e87ec2cc074c5b3db8c464dbd66f1aa9c301127a8c5c10f7f0ecdd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
124KB

MD5
73cf4d38a0374b9957940700bc2b7e44

SHA1
531f49f3d0024e330cb89357c4e07ca8faa7fd68

SHA256
86d67cde01d013ab700a608451c24892dad62a3c3afbc6d4c338d5d5c15d5782

SHA512
f11ffd1641831843e64fd2b32b07e74b8b1ffaad07fb0de1599b2a29d6857dab3a2259bd4144360373df39c47b747d9bf2e09486ac7154fe4912554feaa0f93a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
97KB

MD5
b90ea947539730b0d6725c39f3412972

SHA1
6a9570e93026a15f9607a5805f0590d206ee54eb

SHA256
8eae29c028093b4172ef7013e8616e2c0e13e28172a8b9d1b779ec05c82257f2

SHA512
06d9cae9f85a2e165775c7b260fea77b1e9141bf4bafbf2f0ef078e5b120b4005af8ac132e3575cffbe64e756b2af8aecde663d9195de8a4fcad8cffc3698193

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
82KB

MD5
1c3317ac21f675de07666fa6020cc6db

SHA1
ab8346867b22a557b3216ed333372e30c0a0f2e0

SHA256
a5b3bcd2f8361e50720a4547108efbdf25d08981980aa486452e6fc37b831cfa

SHA512
1cff7498ea8e17b0bf286a811210b9c7ad93276170cbac30701aa5d99893c14ac75ab1b1fa4888e95c4488bce6939be0962d228e28caaadfd5262bded3790140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
108KB

MD5
db6bbdda76c3c0d56b2e715de55f0936

SHA1
4cd5ab8d6bef713bb85a07bb25968ab741f93b70

SHA256
90847ec2a60b67783f25501de8533a5af1c81adc17cb35e07c764349deaaf7c8

SHA512
eb218beb52771b95a2a132baefa01eaa880479de9006311ce7545c1d282c905310db16620473004d829764722bd494391276eeb1be716c48dcad84f2add0aa33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
67KB

MD5
cc24425aaae248fb44c862dc0e5b7f64

SHA1
85f9f4e7e8f3f5b4085aa011e47d2b3c8326b66c

SHA256
8bfee6fcc1ffe0078d0114a10ef35a37842d0fe5a85145619c8a820e6d51de4a

SHA512
c2dbafb33c92405b1ddff0f19f1b3a7854c868add1374374ba0b9dfd5c8a9a7099b6ad8a2eda71c37dbb039327e827cd3d737b03e5f8fb4304af526dfa83e50a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
106KB

MD5
8e501936868428367e8640f386e39664

SHA1
ba0f4b1915a1a0dfd9b1c3ef92fbde647e9bf3a6

SHA256
39c9efae620cc26686e1a04dce82856da2e2d9fc2b1e87f98216a8c7151175e5

SHA512
5fd2369dd437bcf9fd31aeaf383f5bc78f92e8e598428516ad5a673a47e434f4db40650eb5b924937be53d4c1a32634ef2850dc11566bfb3edeed56c0288fe14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
99KB

MD5
10d8b55f148b4a23d351a39542dac809

SHA1
3d17b993f1b3a399006dc976c9013f224f199b5e

SHA256
b59230c93bcbc119bdd6f198ea4d379b87e76b914c6daa164c4283f0d5833400

SHA512
98c8718a39b57a9478c28d7e7f70c4be6b87ac76ea14aaf3f0e0914e38233c2eaf04386fbb5371d0290fbc2de382ff66e927994fed01e0c3839a2aa87f219059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
105KB

MD5
dbbc0a0bb0cf12f89cd7c8174384502d

SHA1
5ecd5c36af3634fae4299b469f8281697889853c

SHA256
2b335a6ef8b724e1fe23fe1c7046e932df95543aa93b5d1c83c2c0dd6a7594be

SHA512
8ee1d8c95eca6d9a66778159e506f0d5f6ef30257013d916519eef990baeaebe61b7865afbfdbcc38f25317b626f8a801ddafdf9be62d8e2b6a3c653d5473613

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
163KB

MD5
a0e213ab6553d517ef169b84fb86269c

SHA1
fe6ee79452c9417732341abc1a6ef699f4254248

SHA256
a1b2159ef0c52eb9eb3277f7fc595da5b843d289c457fe478a414d7835541367

SHA512
242b86e85c0f284d435ed617a0f6e0a263b383c61e0140e85f124970780b65c4f1c6a017b86dd5efbc971db76b034dbfb5fb109465e94c73d9cf76c5b972d982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
226KB

MD5
af1ee46fa011da6701507e2b5453face

SHA1
267f41bea34d9b522db65b899356a7956fc42c61

SHA256
c4bde0d50f1fa6e226723d103e1dda7e42052fa76356075afdc84a447b9f521d

SHA512
0a3f3a900e6a77c072ad1611c44944465a8ca95c832355afcdd8b5d7bb43af9d6fceeb24d4da1facc60e356bca1323f93c4430d2f7c982b0181be5d269fe38fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
84KB

MD5
a8c34e4a169797f0872c971be85b350c

SHA1
5334e66584c29d58d686fbba2eb7505143541151

SHA256
33b6ff597c2c1880733cc3d28ec6b35673bf33fb28bb17aa74e66881b7bcc977

SHA512
968b9af4154f46b27e3f9cdebf8e721ef489976b529eaeb0278f86abb092e27fedea4bbd7ea2587eaafe350db967f5e4cbc0cdefda323ff68d2ec45038f83452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
92KB

MD5
7ad30df779f49b729bae866e3401b111

SHA1
61047c106fd71f4f7b689c16e2c42cda43356fac

SHA256
11ec1b1542a7201dee74bc2e0729099c26912c32f1b17af84cf4a93dcd3a1a9c

SHA512
9da13a92b3923ca334084e0d740356129a0b420cd68704e2c2fad22765fe7fd9e686433240894c9a66ff90f0e1ab62bea76db9a795e893f9a69f64ac0d204b5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
167KB

MD5
d933cab5e36c47d92a66a6e038b55f88

SHA1
7ebf100d1d33c6bff300ac88ee59841ede73f39a

SHA256
9cff139bb598eb1de4d7bcdf822d37108bc1b919ef757901b414b9003ca19818

SHA512
d58802db8e79626f089c6662aa9c10858c15441a436f4fa850feb9c4a1d8ab3fe6f008a234c3410c72f3df7a3a7e3ddde2b3f1a8b1b295b8ec6c640b37e0bbd8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
291KB

MD5
6dd4700a199f881bded3b0a0af2af0fb

SHA1
2074d107787f64248d14be24aadbfac554758f97

SHA256
65e2b5aac5b31d2c518045c5cdc47a81ebb55a330a88d6d5eb44dad52cd2aa9b

SHA512
3df9adc6de5247a35625e286ad92c1ac32caccc105337913b8d4db42e2ea640d82b39a02c7e92da31b18b91c72bb59de4e3d20f3c0ff6b7b89fe657a09d08e44

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
458KB

MD5
9bc6dc81577f51ab64107de4a04e5295

SHA1
4d083225c4145150550d8a828b9de7548bf4317d

SHA256
55214e24043e5bb64f49ab89c39d4d6097393714816a2ea2aa0ad12512b1c687

SHA512
04e5b4e713699de586ad60351d3cf86be32890ebcf1a772b4343bdc309aeac6786af74fdb351e892311e8e30b96c7c41d28150224d76663be5f0901777638b8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
121KB

MD5
d8b524add6e47cd02c3142162ff9646d

SHA1
5d6bd50785255013c8105258eebdbc194123f016

SHA256
39419bdbfe559fef74421dae9838b44db77dbc7d04ea1d64ffbb41b4c9e00764

SHA512
10ca101326fd5c808b74cacd8fc3cf9af3f7475c818735bf74fae379da2006a350d4ca4654286c89ff0731823b04a707ce5fe80f358d949a1cd185a18382313f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.1MB

MD5
81210664a9158447ba1622e767aceb5c

SHA1
d2b8101e189e6b90ecb5fa1bf5860e93a9e5cd72

SHA256
467143ac8ba71adfe6535aec17822976b973b67bb82e94bce018d67611c8cf07

SHA512
1205e3c6f533009b5e6eb0f694beb852e5cb14538ba75ece56adc2e680ebc20e4a8570d678fb634370186dd971e2ba6fde20482b64ecf3cf9ecef03a91f78254

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
742KB

MD5
6f3796b6fa5e6c0dec31c260354eaeaa

SHA1
0e1bfc9ef755c5e0f6b93e571453f357c042a92d

SHA256
dc2adbd58cf76db6b58e890c8cf37a41f85373a1166a1b03c2e7ca9f7457c230

SHA512
8d20a0437bd1bad748901d81497e29f4b0e103d1b8001931da1ab56edeaf4f418271a40a9666b080eed5865efede349c3812ffc6d4718ae948bcbeb85d136047

Download Submit
C:\Windows\System32\Locator.exe

Filesize
34KB

MD5
9c6d821be1b21cc600a0de0047e136ff

SHA1
a887dd9d75ee0348a135211a141f412d4c1d0901

SHA256
f64a5ac0142b4a235f0ca402a588ff4fc6ed74e7b737f0a0288f3f8cb8799087

SHA512
f238b0856442f084a41a47652693cc815155324ff968a0424bd2c226c788308195d0c578b13becee1461ba26480a2f358d2d7e0928efae9e7c75b94c70ccb28f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
443KB

MD5
91ea8c30b689e200a3a8c2ace02e9f54

SHA1
da6454a9e41e44058728e9823e31aa3f8b7f325b

SHA256
6d2089662d44b7556b05520ba1e55eef4c856b514f909f87814626fe74f3dfa1

SHA512
6b10be1791dcb6bb38074963a5b5a9da09d955bfeb029bfd37e220ea669db31486cf59ac549d5311b1761a305ae7f6df5298a846c1b6c816e34d915a38c0818f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
462KB

MD5
fbbae13e8054cf6f29d2d91018b0093e

SHA1
830eac0344e17300fb298775b4476d561e0bab93

SHA256
590aa3210be9b35fe029c6e073f45d8500d3db1c94051fd2f093fcd8b3142072

SHA512
bddb68f7d3fe8f52adcf7cf093ebdfccc9777d8a19e64073d10f21ff99b8632bbe1b841b12452f1d8d8e09556f771bb6a69b7fdd243ab605afacf6f3005f1ade

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f66e0cc6dfe96d366a2131a3da1eb474

SHA1
7a4855a0645f4552d7fb545273844afcf1502d43

SHA256
6552f38b0f309098c22e1479a1b721348fc1bcc188b96a808bed36bcf3171042

SHA512
34c672be8deb31c5c99f65739b5c07f034f66326bf8c386cf1a6b1c437812349d3cbcaf5cd5a1692d5970ab9ae51ecdf8da1a103a7bf996394dc021b0efc6516

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
41KB

MD5
0b7c9000d3aa8e653bf4ee39844cac66

SHA1
266f0278a9eca5cec0fb95b6dc1f91e499a60eff

SHA256
f59aeee3c653e7a560d20669d9512a8071c9d887e82c3d873a9eae30d28055f7

SHA512
fcdc9a204d2f7177dbb9a5150215f586d3e39280249ae17f3b1e4415ed36ace4749bd180ea344bab26bb4519fb37ff7c1ea86a56e4e56accf7821f667e972f9b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
738KB

MD5
dae557a6f41bee8f0308b538ccc9b5e1

SHA1
c7b80db6ebc31fa565ed99a1b086e7ce4b8acfec

SHA256
b937c03d0ad05c4e6b37a8d1d1d1fca32e27d118f0a6e4c66e5a51658b5a392c

SHA512
de0d41e4ad80ef8193de1b5935c6931b7233a6329c1ff77df4bbe53bb3ad39153c3dc09cdbaa64b2b1823d125fa24fb05bd07ac1f900405c77fda95ab9b20e59

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
481KB

MD5
dac4a1f10e36305a22a1d3aca4d14f31

SHA1
290d39fbbd78048c8671c3dcdc5b22e6af9d9e7b

SHA256
07676470f274a05622c3f46dfb08155ced4a9edb76c9b18972104e10825e32d7

SHA512
864eda05636bd235ce53f4d91c658af699fe155f7ad23b41d79aca488132208dec3e4d392bda29ce7117fd4cebcba46a02e9aa985fed64f953a09a4fe6156a83

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
223KB

MD5
124b80a5d5ce055c1a413e40eb741eac

SHA1
4797fb49ac04e69eee18679f57db812d9cb8c216

SHA256
0a1caa0394bcb79cbf5ce9533c8974242e5d56b99e4c52736d434fe3bcd2b28d

SHA512
ecdf768cdefb8f2e54e8534e17f66bb3bd658c89a255cba78a980f679ef7e63ee975963d0f7f8d785bf26b3c085f0945cdcc3f9722a8678577d80bbb5f4ff05b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
57KB

MD5
6fb2f0372ae77dffb09e76bd83f3db2c

SHA1
6b0f5a2ec8609f1502889ce1637192616b398953

SHA256
e56d4eb31e665aa01edd875dc520e1b350e5da52cc514ee31305331758aada1d

SHA512
ed5adc9e5af06e4ef5e42c829e3168a31c7350dcad098091a1f87f1e3349b5c191577ad54959b630db554e3d906e5d028fda353195650173ce7e96c3bbab5ad5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
212a9af0d58df272321ded1e5ece720c

SHA1
4455775cb90863c5433537b05f50959572b56d3f

SHA256
8dde61fc09b2ba9bcbaa323a57b85f5b45b8b12bea044bebd280bba002d95888

SHA512
1ff19428d772fc25ccec0b04416e9075612a771b3d336b6f6181c47f0413262f16bbcc1ae1b7fb3bb8a0bfa42fbca266ffb877567c73d416d3735dee6f26080a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
379KB

MD5
c43225f9f6fe22f3cf0a2a987b3a4a17

SHA1
b7709cd6e1838737c3b08e1b3a0131b14bbd5ade

SHA256
d861c07aebc46e4d64bedead389823101b9e6c72810d4bf9ab10f67a982488aa

SHA512
36b24cc6b74dc6a103fa40a4f8ddf401523b2e2259ad1aae556825d844dfb427cc6426e71d874e6885ab5e9fcfc635bbdf38b8ec34fba446d2a0ac9272842fc0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
668KB

MD5
267624ef8579a84f7634073ec584acba

SHA1
7bc66da32f9a423675cb70fe02487b0d1d80cea3

SHA256
9cf93796135a18e61cd2958e2c45ba87b81bc910ee6df5875062914d51b7121d

SHA512
83c78e18f5a20d8cf8317caf40e69332ce4088bb3cc0f601a766be14bf93093481871f608f5eb487c0ae21f8040abcf2a547894d9363fe06e82d60a647445735

Download Submit
C:\Windows\System32\vds.exe

Filesize
83KB

MD5
3e21b5cb1cb321777e5e7a90fd28b4bd

SHA1
cabefe8aa67e5359f952404bfad3ff9dfe42f35c

SHA256
2e323bf9517e52b48306438566bd9ccf1fc511ff692e98a1dabed583818538cd

SHA512
2a0fcb125aa82e52caa45bcbfa508af59b66fd026b6aa9f199dc653e5bf4b565e264c29de204917b8e28e547f54b91dc592ef430e9a456708a941beb5d59595e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
271KB

MD5
3ac2570bb4f4839f54d5894963a3d2fa

SHA1
7370bed0c5cd45540d73d26cc44ae8ada5386376

SHA256
01674225bde8b5c0f59b8e80c9e1fc4dee2592a5abb8b5eed6466ef730b88dd5

SHA512
e6d4725c9062dc371cc91e0f7cc5ff26307cdd9393fb4bbb0261a8857e44f5963ffa28e7d57058a2cacc48cde3aca1029ce01096d4814fba2e2221a2c28dc603

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
200KB

MD5
74cfa640a423c28674ace705e13470ff

SHA1
86fa700035af9d0521d11d42fc969dfa230e9f77

SHA256
faf6761b07c39ad203012504994fd53f1632e937ac9fb49549c0f36b7031acb5

SHA512
2b38aab6f8d27a1523a20a7d525a647b5a7d541d97990a3ec8e01def930abde050e79ac4d810a1f56bd57a91f1e80cd0c214d1038e50c83615412331cc61d4cd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
153KB

MD5
e95489e92e20ce8ac6e1ef2c6f221aaa

SHA1
0524cd96ef5d8f29feeab563b5f406910097af21

SHA256
bae506b9f3fae8c90ae0526440a7792b4149b1f64015702161ce07e1a8241fc0

SHA512
c922598f776dbab8ee6aaa5468dcc136a9c1d3fcb9cea8e6c5baa3fb09a56c82ebd76d7d00e190de2610cb1379518b6dea9c4f31f1fcd85bc90e415b40998678

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
177KB

MD5
20ccc0e70d34a3cd434e62c894db98e9

SHA1
342aca916a72614ed83297986833c157113a3d30

SHA256
bdb8de5175c232de440b26d9baed633dcffb6b7b4544703d0cfcc2efa0f4ce38

SHA512
f83fd7e7586f2794a4abdb31d50c1341e1ba09a2102848740dcd2c33647fe6090574c276cb5bc56f8d6f4c0387e16082af6451e517d71f8b7e42f87d6bcc885d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
119KB

MD5
2fae55047138bd966f825cb704e94277

SHA1
6b039665eabaa5fddb55bc7ec81c85e5900489db

SHA256
f8fb73d29ac25641adfc1679922377b991e28395a7634c6bb044120dbc803c10

SHA512
ba36aa9227e73ea90a728e6bbd30fa5429c94b8ebb623c5b271ddc309a03741b41ee6854e210097a405662b452535e434cfef6bd10f698c642bee007a994c614

Download Submit
C:\odt\office2016setup.exe

Filesize
574KB

MD5
a9c4f2165d0e90c60fa9eb4a0b84d3e8

SHA1
2a7da8ece1d33bb9c4e793dc961dc890d778dac4

SHA256
853a7295edb350239a4bd04d6ea940995da42ed48a02a4c03884bde8996ccf39

SHA512
43a705b79cfc172f80fa97276f2bd13362848637970994c164bc99617e438888e5e31fab6ad89d704e0db66cbf78a54c12cccc665e0caf48e8e0bd4ae4c059ef

Download Submit
memory/440-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/440-139-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/908-134-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/908-127-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/908-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/908-137-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/908-131-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1348-91-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1348-44-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1348-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1348-224-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1524-456-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1524-405-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1524-404-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1524-411-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1788-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1788-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1788-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1788-392-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1832-469-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1832-580-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2240-563-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2240-458-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2240-448-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2604-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2604-107-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2604-388-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2604-100-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3036-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3036-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3080-7-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/3080-123-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3080-219-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3080-1-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/3080-6-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/3080-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3204-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3668-468-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3668-416-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3668-415-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3668-464-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3712-569-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3712-461-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3928-444-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3928-435-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-485-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4248-482-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4248-587-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4304-598-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-571-0x000001E247E40000-0x000001E247E41000-memory.dmp

Filesize
4KB

Download
memory/4304-584-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-592-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-570-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-564-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-583-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-588-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-612-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-582-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-609-0x000001E247E10000-0x000001E247E20000-memory.dmp

Filesize
64KB

Download
memory/4304-565-0x000001E247E20000-0x000001E247E30000-memory.dmp

Filesize
64KB

Download
memory/4320-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4320-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4480-395-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4480-140-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4624-480-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4624-432-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4664-589-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4664-477-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-586-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4688-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4696-425-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4696-472-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4980-396-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4980-240-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4980-221-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4980-220-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5112-465-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download