fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Size

1.8MB
MD5

55dd7caa96c700a762ad3741e6202656
SHA1

5b4b07e2f08dc0549ac1974b52e349f0ab162995
SHA256

fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8
SHA512

454d982e1d9e430b8ebe2d64be0f2bd3c89804ea5a787096d54f713d8575a53e245f1fac18b3e3deb80695b278a0191debb50cde8b630b5f1ce6fe7153c731f1
SSDEEP

49152:Ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyaB0zj0yjoB2:EvbjVkjjCAzJcB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4352	alg.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
1260	Process not Found
1448	elevation_service.exe
4540	elevation_service.exe
5044	maintenanceservice.exe
528	msdtc.exe
4920	OSE.EXE
4480	PerceptionSimulationService.exe
3244	perfhost.exe
752	locator.exe
1316	SensorDataService.exe
2172	snmptrap.exe
1420	spectrum.exe
852	ssh-agent.exe
1772	TieringEngineService.exe
3680	AgentService.exe
4876	vds.exe
4016	vssvc.exe
1012	wbengine.exe
5028	WmiApSrv.exe
4840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e6a812c04d74bb6b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\System32\vds.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\locator.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_el.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdate.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_fi.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_ml.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_pt-PT.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_te.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\psmachine.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_et.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4006.tmp\goopdateres_gu.dll	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f77ecbafed55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3f964afed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c163ccaeed55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a71be8afed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000425421b0ed55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	Process not Found
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9c890aeed55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd600aafed55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
3512	DiagnosticsHub.StandardCollector.Service.exe
1448	elevation_service.exe
1448	elevation_service.exe
1448	elevation_service.exe
1448	elevation_service.exe
1448	elevation_service.exe
1448	elevation_service.exe
1448	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1588	fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Token: SeAuditPrivilege	1260	Process not Found
Token: SeRestorePrivilege	1772	TieringEngineService.exe
Token: SeManageVolumePrivilege	1772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3680	AgentService.exe
Token: SeBackupPrivilege	4016	vssvc.exe
Token: SeRestorePrivilege	4016	vssvc.exe
Token: SeAuditPrivilege	4016	vssvc.exe
Token: SeBackupPrivilege	1012	wbengine.exe
Token: SeRestorePrivilege	1012	wbengine.exe
Token: SeSecurityPrivilege	1012	wbengine.exe
Token: 33	4840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4840	SearchIndexer.exe
Token: SeDebugPrivilege	3512	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1448	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4440	4840	SearchIndexer.exe	115
PID 4840 wrote to memory of 4440	4840	SearchIndexer.exe	115
PID 4840 wrote to memory of 4752	4840	SearchIndexer.exe	114
PID 4840 wrote to memory of 4752	4840	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
"C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
PID:1260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4752
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
301KB

MD5
b807da6cbfe801e76c497e1c82cb43e5

SHA1
b17dfa8c27bed0b112b12cda69ae13c7c2906e17

SHA256
3f1b6bd81fd9de0e3d03b2f84941d036908f9b59122ca73146551dbcf2f6a96d

SHA512
49f6ee6fea0d151cc9b6f54d6882bbc86044c843a5de47c4487c6cb43a52e827e269318b05edaa344b5fa882c43b3cef43522d15eb544b1d4503adf3334323ba

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
240KB

MD5
9e07f2b208338a4c6b9597d7c611ddf9

SHA1
634cdf7975b9ced967bd286ded7497b5ec8ce4d6

SHA256
32ade55b68edde5664099b4b5c2c8484fde5240cc98dc501db1081fc570db8ef

SHA512
5cf8f35119bb6d38a96cf979cb4be6d2424a300ca7f9433eea9ac692c828fa19d9771da8424a91714bd46f341bcac38d6c80f38206fffb76375f9c38a1322301

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
157KB

MD5
2f09511eb2d561cb5118a180eddef4a9

SHA1
655ab44e3d6e18cee4a7dcdfaecf148e8960c265

SHA256
e02de57bfe980e6f8bbb97778fab835856b813d32c0fba6ff1bbc8462832790b

SHA512
7ce8ed337cfbdd76b346315b5505e9a44310bbf9f0692bd2bec71181ec8b9bf56e76ccf585396d36ecc86bbdbc4e811ec70a662fd969052d0f05e599d76f419b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
238KB

MD5
93f6a3dc31b2dec649820a838faa5794

SHA1
42e8a6543a8e7eb0a9e5a951436eaac3e05ff5f7

SHA256
84114b8c4223604b80a1f74791b13a3a53d72cce48c16ed008efcb139d42adb9

SHA512
e7a25b24551cebf905ccc648650b692bb988f34829260802dbe3976cbb91bb99fea5a09985c29771ef29b0c508ecf8d544b596fbaa730a77a6a3e6204126f2e9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
223KB

MD5
46f781eaeddbd947d7f8866a95980df5

SHA1
ffcff4ba9e7e733dfd46184437ce8b4a5e4ef8eb

SHA256
30228fca674c05eeb69eaf9d7dda882fa224a1ce39799531ab6e7de8d4f46746

SHA512
b936dc5c300bf28ec8198da00c23016d8d5c51d78cea743c5e6add89fb3528eb71c2e3f6731b489d556395640869638e035d46f15a4f9daec3edbd17b35d0b53

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
129KB

MD5
f9504b6c9b9764bf57f95a969d818b97

SHA1
718d3467ac5620d60649bd88813264097b481c47

SHA256
d9e57524d5bce600231a47553a43a192cd1ecaba16203d97925085fdea00a4e3

SHA512
3055c5baebc025b600c6eb1951a728f709dac753ea9408fe7dc65272ffb7c3e9622fa6427d9ac02a5ef7f32eda1b3c67b695f71192504ad827c6b35066df488c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
137KB

MD5
3d9a8e8c67a6bbb67ccb6e0812a8580c

SHA1
d213819d51e5083005e585cd99e7f8701fb87362

SHA256
aab746075457826a912b6df81df86d32da74ca02e66296a6c0989b50f5cacade

SHA512
6e1ce5f6fda47d11ffbbf9c8005010072a6992474bfc9f64d758f3706ea24032e7f293bb402618759f8d332e925ab50719226119c15ee3fd7f9e8abd984e88ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
167KB

MD5
237a9351fcfc147dd14a6880665e7fee

SHA1
d2640b0a606a9f78da4220f0d014a90a3115b352

SHA256
f5da7768839122868111ab6e455a58d6d8ec292e4bfb73526fb92f42e10d9686

SHA512
f33da8dd5f5b53fa7c3684b643271ce488a737aa8dab9351b6da96ab89ec4e37d26f8322709f47796ce06a82f5b38d6f7f10566a3c7bf2832afee3a9133826b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
183KB

MD5
651a2924b899086aba04376648ee9ea7

SHA1
823ec9e595f9ab022bdc74215025eca96d8b2775

SHA256
557db07e8ee1bd316cd64e8ad2c2de0179f2b024360175a00d6d7b20c1728b3a

SHA512
509345a8948cb24e2c2456b1b13c0f4030c6db6a4c77ccc82927e192ac213687c826e7ca559420a9707abebc09e9a0ae62aa89aaad64f0d6bdeaf1439c96982f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
149KB

MD5
dff4fd9f92e22ded59b649c4ac637854

SHA1
c7d9fb2c0caf2a7322c88f5bfd84b395c9b15270

SHA256
0fbe20cbd09933ff98c7a098aa0b1c902331461120730c3f637f83b6b0daaf60

SHA512
8962c3fb5406f5c8aa0b5893cb6d40288f95c0d5d69d4b316690c281fc645539b1e84b893b2feee918bf2ccc4d6ded7b71a039cf89df29a3d9918409cb14f46f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
20KB

MD5
f7b2b3be32255c55246e71ca672eabfd

SHA1
0116e5d6e838766527b2dee49bc1818166e5d586

SHA256
4d29523c69dbfe9e53b98d7cc76ec65377e307d9c9a846f4f809ae3d466ed3ee

SHA512
15c4139dedd5bb4ea895482edf423cb3bb5bc692c04b3c847160aefd82d902f4e294704183da4bd2a3aa1d5408da870e69c6f6697128d070944b56de343a99c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
243KB

MD5
b2e822cc68372e5c4cc68283adcab195

SHA1
cd9d88df909f28f6042f62f846ac1af4014a1080

SHA256
58fcbabcfe432afb5964941668eb6d7a2e22542d51e31b50f8033355c6a4e492

SHA512
9fb598d1b7c50279ae7da1a8ba57a052bbf2f1c9099e239fefdbf778bee0259182326cd2c5f195242ae9d5ede235eb3583995be7dc5b3c51ddcc8cdddfadbf19

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
130KB

MD5
a62d5d0248f8ce9da1a5c035093faa25

SHA1
4394f11508718076c2d8b4516ceed5ec72fbd3bb

SHA256
df82a2305e33983bc4a9e9926bccb1c2ec03b273db21efa1e670fdfa1166c0fe

SHA512
7cc28df6aae534015f2a89df7c3bd280ab7c461ec1c6656e4ba98c5925c2b33439cae7dc726f529602966ff1b0cd2a07e196cca6ac7b3ea900a2e04b1fd81ae3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
369KB

MD5
e8718407cf684f8c2b58090ead18bd3b

SHA1
620e0936b7fd3a5e04de7ca6924d7a9fefce4666

SHA256
c71f89750409c2feeaf06fd07247e33a2716cf8b06b61904c9687d961e8dd671

SHA512
d61def6d195edd5ca2d943617e6b911cddc3da43209011905b407dd7bea922e9bb8b02f7672fdacc25eddc91fa00680aac1ef07743d7ebf8902cfeab5e6b5377

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
92KB

MD5
1cb4c46132132a28bbbc6b77bc6c55a2

SHA1
fd4026001f5e32ac8d44b25eb27074f7dca3340b

SHA256
7ffabfde342c822e2ce31a42d54849c3069f97d1abd711759c04d95a66cb23f0

SHA512
22b88a3a7d43537a7c32b0795672d7759d9890b18d9fa648ee14c5d39a59b78292583ae50bcf7aa1a02a433d05f1b05ca19ac5efd4be4e3f5219ca145d942a14

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
84KB

MD5
de96e468a759b817c59191f11144e1d1

SHA1
9292b0946343e2b5c10f5e5e2db418bc4935d0e6

SHA256
2374df0b646953ec8d26bc45dbd572d8e3ed91e59dd4afca5682b2fe077a7cf3

SHA512
34af378a8acae7009859504d037206de6f0e13744184d7b5f6f971a3ef4211feb69a42b7bc4c4cd6bf9348d3cd598e7bd9b87977804b2bcfc341264f67a7b583

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
89KB

MD5
060899b276632e9914636ba761f2e942

SHA1
5cd36d3858ecc457963466d39e88866a4aadd7f0

SHA256
579d23514651bbe886daee2e579c6c98a38d994c6aa3812a1f2f16d040a91a9e

SHA512
23c75ffff6ac3991d2b85e5588083f4fc506e30aed28e27b90f268346f7fe07589af8be359d6f8f6c7f075c527aaf7910e069283057286c728c46319894d1c34

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
137KB

MD5
67f5f9dcc9109aad27174822673a87a8

SHA1
b8c1851646da20f259a57ab01335932fce92231a

SHA256
ad549f698c0552669f9130fd66ea8b36d35be033432518741b9441f18f6c753d

SHA512
04bfcee4efa5cab7e0d8b37adcc9fbc953f35a8764f0fb29dbc19ba7029525d8db0a8bb27fcb6dd71750dc5882756e9d3270c0fad8e2d8e8a37b8e7db87c421a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
61KB

MD5
80453ff40f31247f62f8d19c610250cd

SHA1
494209858fc21edb7055b902730f256c49a35d18

SHA256
c60c177830fe2bfdf871c60bc22a416c43c44b57ca7e19c2052a09cee9a8afeb

SHA512
ae0d106b09adf7025c84c261697fb3079be68a548e3b8ec57738b89586dce6975652f8a2807a1de026789d4cc639495aebae3f26d5436fd72ccc2b0b68433afd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
64KB

MD5
c4ebd029f4cffbaa3394213694ef8350

SHA1
d9b9d8028f7628bb7dd5e55583e510336f7ac19b

SHA256
aeea10d6616402a97f6508f8f2ccf8b9082302ef31e73b8eb9788285da0286a6

SHA512
cb974dd3d1aa75195b2a8296f3ab298d8cf739793fd55b10787f162350b09f26c1f59bda62f1909181e4d282c4ee400da2f8050b5d7d9a353a7c8af2baa05d5e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
80KB

MD5
abc272159d6422afddc0d0f861669b06

SHA1
b2111feda855011bffd51d84ed21833504492cfe

SHA256
3ab69e7a56f3611f83c8487d606e99ba07d0f920045803287ba621c38b1db799

SHA512
ae8a985ac994915f15ea71b4ddaf6487aaaf9896c20b53df7dd67b3a58155b2a44e2dbcc61ad2aa3c36dc30889efb3fe3459d022fc33246fc74336ed206fbe7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
88KB

MD5
18f29f4c471aa919902909c5272b4940

SHA1
92c6408d7a578ac936d4a0587a7a336fa81ea74e

SHA256
5ca023393bb15d405243456c4ff236cf3943247b6a107a9b6bf2fff9d98d3ccc

SHA512
3bbfc1a1b9df9bfee44bb07cf89dafb3ecd1b9a29a21ebdffe0a2af95c5cb8b0a45544cf5719dd0b3ad3d321ce04fff8e74e4d88a47f1bdd1e5c059f1adbe428

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
115KB

MD5
d17674e466eae3f6a4dbd06354983652

SHA1
e8f515e2a4a4d480cf78646efaafa26f4c590d1b

SHA256
c6177c1a59848d0a8b8ef8625841c46d1e7dbb52278ca6e900af323dc0365aa9

SHA512
063a6f41330003808f50c2ce744661a7f4814f7570237a9714a2a1d48e42df589e7edafec0fce863eadd6e5d1ebe3722be6e5be86a56e3c3ad757926aec3d9ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
93KB

MD5
8a42cebe262b8a151d78db7e63b4b71f

SHA1
29d9be2b1591b5ff3414337cdf461765618c0176

SHA256
6cac12b97c480fb4c3e6a27b1d90affbbd349235556805bcdc3fbfa7b5079cef

SHA512
83c973da76b9eddda7dfbf1349c686aea2a6238f52f22f766412772a2e8475aa1ad4bf184f6a9933e5eeedb66fc2e3e7289ddb658acd41b4ab950d6dd2437372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
96KB

MD5
4ecdbef87f18b60f3a60ccd16dfa82c8

SHA1
d230c83f9c8391a561dca624c35cec64eff61c6e

SHA256
6dbc1a9ab5c57e152098f5efa839800b68f28a9d1ee3b8f4ae07db13f5ff02c8

SHA512
a26bc14105b05fa5a016b0e5feece5a0593d395b5c7a54f922215c0681ffbe64b968a7738905dbae55b61dd0c942a8c04d199d2660cc1c3dd632915f0bbb71ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
68KB

MD5
ef6d9f6e2ff065091fe97218501ab8b8

SHA1
8127f6ba163bbd036db3f837205bce54458768a2

SHA256
db4a123218317d22ad3d2b1d394b32a51f6c721c31b28a50b609844178985781

SHA512
5d1455cd967214e2f8479ecbbbf8dcf8d2166e9c84ee646c5822860f3dd9c782385fded470d351dd5a320bbe1ed250857e721159dbe0fdd84544f16b551c1af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
159KB

MD5
31d6f0d98eb280f07b4ebc0d884135b0

SHA1
cea398e20d0ad4535e595e00c0a6d94f9d37ddaa

SHA256
6f6adeb86814e35804e8318ba341371b5eae148f277f9dd8ca8c10d1ed3e1015

SHA512
1badfda0fd9aed6cb5827f828495d27d729a273fc0ceb96d26670b69d0429529b30722b9cd67f31c021399e9ba549090ebf7da798fc0bf808179320f23375d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
92KB

MD5
0eddb1a0281ccf2f042586abd3097a49

SHA1
173a4e1be549cc459de260bb1b93252b9590051d

SHA256
d69bacdc41405b0449d29a286288bcb820e23d755da67bc31b68f7b18e8662dc

SHA512
5c356b58055ca593632e1beb9edb669deeb2e0c4b98e6a50243673853fd345b57e198e8f460d06efdb8522d63b2f3156ce2ac79642fbd7af493cef4b7a34dc74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
149KB

MD5
452aee8aa49e5e2c803a67bbcfd1ba9e

SHA1
e063a1534fba4e18ebdef363710d1e8fb8d3ffc1

SHA256
00dcdc50dfd9e075fb20ae2f1d418d174a6e5c62bb2bdf8d7c98642fb61ffdf8

SHA512
0c0d1265c88ed3f842bd908ec25a404cd98039ad5d9af543439ac0fdc8fe9f4424e7e37cf20222f7a21d65487bf1b31a5820a2426ffbe83363df82da5c8ae572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
57KB

MD5
6b01bae8fa2538a16510352f94b0918b

SHA1
6078cfb2697358d5c6345c38d6e06cb68516019b

SHA256
c3eec3f1831e2eb00c4ca32292c709b5b56ed2091f8b4a8f4dff8195af7032e9

SHA512
5866924daf80752888315b8c5eb647db27b4dc5b37315cfdb53eba41c4fec4313d7ec61e54efdfee1294c294aca8f930722f42c90d54b81182c97dcba586b73c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
193KB

MD5
9ee36caa53e6d94ab15da19fbc7607a8

SHA1
512a82f5733b11c48a8f0c4f63e2204f03523757

SHA256
590768886c03c052bfd0d9407ee341389dcc8ef9a4ab03effa91fc43d45f016e

SHA512
1866c3b3d099d0214699d07bca3b68d50837f0484595f08c95e9031c731441b6500b6f0269bed148b87dfce08b890c9d3477510fc8d51f32dc314300a5be3b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
80KB

MD5
6191511bd1f102d1a770f009b9c34a32

SHA1
5a8c9d02b9884983ea2941f7fd504cc162622d92

SHA256
45ae276b73f6f626aa0f26ce102b77485870db637499ad913670ced8f42030b3

SHA512
707963e60982d4fec09a9ca44cc30c72242d1505355d57f28b884021b6d8830611bb2f4b748016e76f50587eda4ca5df05a9c0b3355b5ef9fbd9245ff86b2cae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
116KB

MD5
d7b7517a2411a72685bda2f4b06cf7f4

SHA1
4f02165edf07a30794a4c1c1c037af05beed6f7e

SHA256
6e896022e77a71ff1ff6fc9f9a33f8fb60c2998c29982cba05ad9b10956201af

SHA512
19e002d250003077c88fc08c9d995b33c09e71b9bb86aa946c7bfe56793f4aa9353b9a59f3aed10be7c963e5d519ac3afaace084e767a154e71f72990f89f7ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
149KB

MD5
2f7b4d95abfc346318cb48c428e65f34

SHA1
441a2ee0fd0a954d0550355aaf8b97e1cbd8024e

SHA256
3cf24fa0939706fd4e3a4095c5825be67260b953976b68aebda4d1deacb3b606

SHA512
30e5ee0d75e1e9e8e494a44f7f8daab1ababbb936377b9498c31e4f31a6ed8cff68cbaa5949b7151d8d0118d2b1a39a9440c8fb8b0f4b6237d3877736631c0ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
47KB

MD5
c7d5bcc50bc0ef6151b3833ca0783e37

SHA1
e5f50e41a081fa0e0892546f73cf72b8d88872c8

SHA256
f0570a345db374e453125eef5868084899f9ad54b811570c92eb030e27ce212a

SHA512
9afe3fa670c85c5bb763ab8f344156f1c5909494ef2fd9f035889ab6314e21a2a8d9bbfb9f8c484030d83f69a6aaef74fe666298efc2dcf5b1c593957163ebc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
102KB

MD5
b0b020a9c28f60372835b6a0ffdfc99f

SHA1
3f991c517e43221d91ab07232f0af9f73eee7cdf

SHA256
3145aa22b880a7049b003128a3862e1339f99681b84a0f48fa2465f2c81174ce

SHA512
cb55a5ebc00d5145c88620ce19dbf12266f258859498bf445e37ee7e310b199fd1385338188206ca9f2f4f3cedf4dd7aca4309d64cdb4fceb53f805e7bfb7cf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
43KB

MD5
9836d6c14e6633989ea2e7c40a2ada4e

SHA1
7aa090aa6c3315050574b7c3802fe02119eb56b7

SHA256
a602e8e2d6834ea42a3c19b104a08fe13bc01c4e7c8615baf69f2af2ead86611

SHA512
eaa2b5b4723ca22fb9dc7de92c7a5f4ad24fbd4567118ff9e81ac91c24274057ff339249008f46020accd29b1c30bc1cc09a10d95dca3eef02efbd6a66566381

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
252KB

MD5
848be409d56c66750f1941619a2d678c

SHA1
cda65c651416d3ff10e6710ac3991f9d4cafbef2

SHA256
a974c6307233c8b7220446476fde9e3179ae992ee1a9f8f6348e75ab44bf11a3

SHA512
7cc7b9e7b9db61c9230f3f5bb13c0abe3c96fc9e1aebb7aa95e1cfc5eb10db515c451d8d5ea374dddf5e59623cdc1136a2f86728768b0f52e3c78bb46e63c0ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
102KB

MD5
e3a6f175aef4018b7c365b9eb7387973

SHA1
053b88298b14ebe06fdb7737dbbd02452ff5457b

SHA256
ee7cfce7d2968f6536fd6448d4acf8f33336e2a496ace7da1fb1d5ed4a98cfaa

SHA512
b42529957742125adae237d125caaf3f2d4d9a4e73371c09ed103580284bb7bc0cb4a29995c91117f9977950ed0fea3ba02c5aa6093341687b703bbf670499ed

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
101KB

MD5
f23c8594a5b998c819098625362816ce

SHA1
f04d145c9b34e4db10e509a6ca554478c8bc2f8b

SHA256
3d6f974c5a0aaae5f16bdcdf6e71aef29b1c6c17f244246d24f62cc663eba6e5

SHA512
41f4c1a91dac14d5a483a73151c47d7a09c36abb76b1f22cac17eed3c79f51b2207cf19f1200cb96ce607e5c816e4bae90e8f1c9105622fbbf3cde83d76e0ff3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
137KB

MD5
ca3f7b60c13c70266bf782da4949dd74

SHA1
7225ec349aa4d772b4ec390d60e96fb34c30a9d1

SHA256
9df9919090bcf16a809c1d81917c4f683bccd902c079e09afb0506bc1c93a8c0

SHA512
1a27139977a60873b40ec2255e64dbb45db3704f374cd4fce73938c2ebe03d2fdd98bb4ef7704b03e382d44841ce236626a24e23698fdeb40c43a679500dfac3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
128KB

MD5
d6d7d651bccdd042fb59140577132e33

SHA1
78bfc9420a383702fa0ac1108d7c5149896d0e6c

SHA256
58ad66979a1bb1e1786162d1bc9a057e3fcf1772ca4e981dd715f9939b1688e8

SHA512
0bb4400f71f77a1cf6487868c7696419017f3a037fb6adf709e4ccd22cd6ba59e5532942af51709d39d1ec7b12627b581a9e91e3df9371a43eb41751df582b51

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
35KB

MD5
f11045cd04ddde8b73e2669b59730386

SHA1
b4e64d8813224db733398a53f275f2ff6a1c1cf4

SHA256
951953502cd0a189566634f0ba3c8ed0a46fed91693075de632fa3e39086387e

SHA512
e32c92e8a59ebaf77b7c8e17ef536426f4cc38dba1d259ec2f54a766f0432b2ba7b62eafbcaeecf2c7eee1ca1e4d26ea28e2d6a36d24b9b647fac12fe2c0c823

Download Submit
C:\Windows\System32\Locator.exe

Filesize
102KB

MD5
985b0d5f8ea6c5f93df74ae14c47664a

SHA1
a105be1fa78a664202cdf464ac248f455feb5f34

SHA256
56c97a0c386f45fd0b89e3e1a201df28664d55ef2b5b458d43c25a4751014da7

SHA512
0ff27dbada26296b5eb8046a655dc2cb5619e91c060505d2e139793d2b250c0ca6807db4ea7dc13243d5f784df746cd3d8b20b5b97f19819de585969ae8e9f5f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1KB

MD5
63c78cc244f2746a17ffc0efe52728f4

SHA1
c88dd35b088b31a7eb902c9960a4c407b6e7bf0d

SHA256
b700ef9da094e2dffa2f6b699447da7905aeae0047df2e3be45b7668869e83bf

SHA512
a6f826b1272377b598b038ed7c9ea376853b638effd8631025abe6eecd1f0330d2dbd566bdcbb9032ecfb5386136aef981a609939d275cf780a66963d1d9038a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
37KB

MD5
372dd95719160793b073e1ee365a12d8

SHA1
633109adf310065ae44ec1d285f27e9882d52b9d

SHA256
e3b4b803ab714af82fae4a2461abd2336e909165b89d283834cf14a4437cb6ab

SHA512
e724926b745223d554cfe18431ea702016c7928a14ebe4d9bb5b4ba7f478b99cec075e7cce31638547879c64ed8067e669204202a33b763e66a61be3091086c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
133KB

MD5
95cccd508cd08245bc076edf950b2856

SHA1
80b8f2f8356753c8e420e0a32d289d8bec6ba9b2

SHA256
13e5ff2746b828eab48c6becd70ad6f67d9bd9cfe887a0af66f78f5ce562680e

SHA512
0220498eca3ae5be4b851e23695d9e55f73151ce4d7339c1bba830df1066909dee5df5cff59fb76f067d76d0204279c64e29e620275dce5bb1c9ab0a861e2c69

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
162KB

MD5
e28a2a972c18d2bb9d2941441ae98a91

SHA1
d9add52763a80bcaaa8702bd270d3202aac1f9c1

SHA256
5c3e87d3ddfa23f9943ac877302dae95e0083ef7a09d66711fb00983257b9ddc

SHA512
82a1f2664ff78cdb96639c7a3f7477b6e8d06b24c5debf5b979569382ab212cc0bab93366c6f878511a176927923946040662f74ed7ffc730fdcbb465476a5e4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
200KB

MD5
2c4654772f03fa9e4a9ac41d93f777f7

SHA1
73b322a8429935388749a7cabe12904e40668c78

SHA256
0a24c7b67490e7880f078025ba8604409cfe8725022d8b86b979457fb882d187

SHA512
216c2b4f1c6a6c6d07c4d18e8d459fcc10bbd300674b336822ffeb3eadc518b8e21dc7b7ff05ff801cad8e65c5e53ed42379070ca7657aa5e7da5d97f4033df8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
57KB

MD5
0ea644ddbd7c8541917f3724ef4cc5ac

SHA1
231912d9548712e596dc595e42664c81ccb1ea75

SHA256
48071f08b4f0730690027a6c74b86508b9e6c1274b0643eff99f47b2ac520afd

SHA512
825b04b48948fb544d30a9a57876bba3c7298c7e704d328e6d2c8c93169468c2aaedaa93efface35cf559a37976779fd2377002209549dd62c17b3f3e34b7f43

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
13KB

MD5
5cab13fbae001352fcd6f7e8059bfd9f

SHA1
f554c197d425e0290bc59a4a1b8c75d89131c8bc

SHA256
4447a131e1e39f2a38e2b333d48477649045656d1894ac802b8a731a148bb467

SHA512
5b6627728ddad643e307fdce289a1ad47a7264ac6c3d71fbe36d7c387a8b993f7b17bb5a98a50c0d8f17c9cc85c784dabcaef506e7e63708fc594045fb6b8e3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
223KB

MD5
d3bd9257c675c10e3ba09889305aaa13

SHA1
28f2e322a6e9f872ad99a189d022f967c80096c7

SHA256
5b87da8b7c30c7cb26836a309e187b58380d5c20df687aaffd6bf9af7414c538

SHA512
d09958d8fc58d1660fcd51d0ea06efa60a5ed193d3fa2a6dbbcd824eeb4a5225f15d9912bcebe20501537f234e9c99ac00468e9c666a70478918df2187f535cd

Download Submit
C:\Windows\System32\alg.exe

Filesize
267KB

MD5
bff9d6665b74405995604ca42e5e40eb

SHA1
d1b5ce52b2346013ad2869431bc559016963cda6

SHA256
5255e8961e89135308a3467a3099fca03d337e6d42cbc5492735f585ed073987

SHA512
e90d35f89ab9ee3c8381f425bb78e9b6cb055cb3f9b87f543be8f2205b18c70ea6cf3dd8a6c18a325cd58f6b2ca24472128377957b864e5f651b629c8f5b0aa9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
170KB

MD5
e6e0c3ec220d72b75da40a1cb232b169

SHA1
b7b7e398371c663707f8b4eb84c99f7b03ce3db5

SHA256
dc6fd37ca0f7104a2d887de41250daab942a64f8566c3ed9832bbcb032feab0d

SHA512
dac9ba0693082d7cbc52673bb2503e281e18d5496f1ff92ac23282b25c02df94afb2accdc48b49010e0ed55c8feaa48753ed610fc33fb12da4b04233e7000594

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
67KB

MD5
d20ebfff767e07736276bcda7da98cb1

SHA1
958f531aa3a72a91054adbb38b221bd2dc7eefb7

SHA256
de2305bf9b3366932d4f8f63a8e2a95ca08a34618029dd657fadbd12113e2314

SHA512
2924d675ffc58b0ab21c19f541c4e79bcae0812ccc3a5f1ee667c8cb503fcdceeab2e60fe0008c3e35756a82af0bc978bf5bfe9a32414c52c9e13cff72a56bbc

Download Submit
C:\Windows\System32\vds.exe

Filesize
195KB

MD5
74c9b004c311fc3c59a5cdbe9e8e8a27

SHA1
307ea8367fe9e3f9faef443590daa39d3becd0eb

SHA256
c543d199d4aabe029c4c44edaf688214b98604861c37f5481681e924650d5b00

SHA512
5a951f4c5c03cfa63f6cd0dbbf57926e7fa528c61d324d1d693f87a99322053af69047d98a9a94ebfd19f6a688ab29bef07d613213bc1e338491f9994c105a26

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
173KB

MD5
4c210bba5b35278c97ce9152f50d9b2e

SHA1
81890a903339c881328e4491487163f12f6ca42f

SHA256
fa392760b6b2b292ac718991b9788fd435f6acf25f36857fd36b7a669391262d

SHA512
83220ebfee4318dff7f96803baa8a812e0f2bdc6b9491be321ee57171ce97a43947c02b97b74f674397fe85af18254382d7b462a6c2641a908ca552d96caaf15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
72KB

MD5
feb11e8cdb0265d290eee639f6ee222d

SHA1
bd3e9b02af65b1ccde3ec3fef40f91098395ad9b

SHA256
ef4afc1844067cad2aa6e35f0c98351b156ae7ca6c068665bc42e176594f2867

SHA512
a8b152a9b8c2a451cd7f6c2c847bee64f8773db3a17ad257d60c03de6b935d86913a9aa9fe824d670bbab68d048289ee0798e96547308a6eb702b8a4dab4e59b

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
180KB

MD5
0b064525a91ac7d85bcf613bb37e2df9

SHA1
29dd563f299c337432dbfe25c24b8129e1a62d25

SHA256
80f62aad3c9acdaa55495ecb4547e4bd2674a3866b1c24012510aa9309331963

SHA512
644757dfc3e8bdb6443f9775963895280930be7b8db9f0e24cf597c1479607c55dfa78ad9d54532075e764a13f1ab8c1d1221c895bfd208e9630b455391cea57

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
164KB

MD5
08d42d5b2be0851ef3f28c5ec9efd30d

SHA1
d442ef54009ec68ddd0f9c620125042334a0e34c

SHA256
b241cf1fbb4cb94489eb2582a84bd014c9135531d7aa8031535f689ae213cb6b

SHA512
d2d29f4b3c47e97086276681b46e1e390e0581512309d617dc4aac8701c3772c5f298681e1e99d4f321411b70383de2f4ebe16a33d9c98f1a6e4d0b152fb20c4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
266KB

MD5
a24daece6b5b30b78870ac7352ce2f06

SHA1
1e04d48ba82a9114987a054833e372482724675f

SHA256
dcc8c690bc516999e919825f12a8ed550963b24a98db7a80004e43bd958c9e34

SHA512
88f67f1d3806558f51dfca0e46c83714787c4ecb47b78009ae5d445096b0a83db26454c94c9ce9169a3ea2459c71a3f055d876939c52d4b130a5e49e6f1d660a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
310KB

MD5
f0ff5df06d886bafb4dd26dad2210c84

SHA1
f1be25b48795a2198cb8db10e93e25d525d0b7b7

SHA256
5b6dd79d838acdfbca2ceb8e381fda1e463f14293461fdaccf5b99a3d2972b49

SHA512
f0090421d0cf723c0b4c70a8f1a928ed7541c09f8c73e41cc6eea26d9e5c4532710ba693138fe94b684c26f308d94745039086bd9d593c5bd53cdff483f633d2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
245KB

MD5
29976960763a230bfdd0a93ccc768d8e

SHA1
eded16626e1bc91d67a3ac26152fd07c91d2e4f7

SHA256
6cb00cbd5cef651052df5c5f011289034624cb5147808e0fec6e5b5fe730786d

SHA512
d43573dc4f853badc6c90995a0a68129bd00e63858b54eacd8fe038a296d5d2232cc561c5d8880c9a7281fe4322ad2a41836a586a84199e2ca7fe79517562bc9

Download Submit
C:\odt\office2016setup.exe

Filesize
213KB

MD5
280ea46383070aaa2ece8b344f237b70

SHA1
412e6093cc2af94ae58424e64cf59d704c2aa580

SHA256
1ecbaf08e7c3dbf1338b61dc2b21270f1009ca02523997cd878b40dd02d753a4

SHA512
29ca4479e4f365ac6127874963d04743cea5e336d06d226296371bbbc456e058439c0fb21a04deba73e358efc68f1f943d65fcd365e38b4c94fb456b99d3a474

Download Submit
memory/528-139-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/528-191-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/752-181-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/852-403-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/852-216-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/852-207-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1012-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1012-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1260-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1260-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1316-233-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1316-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1316-184-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-202-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1420-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1420-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1448-98-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1448-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1448-105-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1448-167-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1588-508-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1588-122-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1588-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1588-1-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1588-6-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1772-220-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-237-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2172-189-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3244-176-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3244-170-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3244-222-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3244-171-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3512-145-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3512-17-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3512-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3512-90-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3680-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3680-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4352-138-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4352-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4480-165-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4480-158-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4480-215-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4480-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4540-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4752-404-0x000001B94E410000-0x000001B94E420000-memory.dmp

Filesize
64KB

Download
memory/4752-620-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-566-0x000001B94E410000-0x000001B94E420000-memory.dmp

Filesize
64KB

Download
memory/4752-569-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-568-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-607-0x000001B94E650000-0x000001B94E660000-memory.dmp

Filesize
64KB

Download
memory/4752-606-0x000001B94E410000-0x000001B94E420000-memory.dmp

Filesize
64KB

Download
memory/4752-421-0x000001B94E410000-0x000001B94E420000-memory.dmp

Filesize
64KB

Download
memory/4752-567-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-621-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-622-0x000001B94E5B0000-0x000001B94E5C0000-memory.dmp

Filesize
64KB

Download
memory/4752-410-0x000001B94E410000-0x000001B94E420000-memory.dmp

Filesize
64KB

Download
memory/4840-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4840-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4876-605-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4876-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-143-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4920-201-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4920-153-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4920-147-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/5028-239-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5028-616-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5044-129-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/5044-136-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/5044-121-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/5044-132-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/5044-124-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download