260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
Size

1.8MB
MD5

1bd883a27bf694ac1ef81c9f5399b1dc
SHA1

ca91d8893d9f12fb8461df2d3304809177bb1962
SHA256

260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b
SHA512

281614ac257231b8427e1419412d89e1374d5836681a5e2ea543b21db4dade25c32c3c324dba281c22ff6495ac012fb5198721a6dc5aaddd2d5d39438ca83282
SSDEEP

49152:0KJ0WR7AFPyyiSruXKpk3WFDL9zxnSeN/j2U4FH:0KlBAFPydSS6W6X9lnjj2jF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4680	alg.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
3140	fxssvc.exe
4952	elevation_service.exe
1796	elevation_service.exe
3920	maintenanceservice.exe
4576	msdtc.exe
3284	OSE.EXE
4620	PerceptionSimulationService.exe
2264	perfhost.exe
680	locator.exe
4904	SensorDataService.exe
1100	snmptrap.exe
4468	spectrum.exe
2668	ssh-agent.exe
2988	TieringEngineService.exe
1948	AgentService.exe
1416	vds.exe
3756	vssvc.exe
4912	wbengine.exe
1432	WmiApSrv.exe
320	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\locator.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\System32\vds.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6f91c518ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_no.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\GoogleUpdateSetup.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\GoogleCrashHandler.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_ja.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_en-GB.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_zh-CN.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_am.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_ms.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\psuser.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab82b5653462da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e42b12593462da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e8e14593462da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037edfd643462da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000194006593462da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9639a663462da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba7920593462da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000555000653462da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f07526653462da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecc6f6643462da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032b74b663462da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe
2040	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4120	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
Token: SeAuditPrivilege	3140	fxssvc.exe
Token: SeRestorePrivilege	2988	TieringEngineService.exe
Token: SeManageVolumePrivilege	2988	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1948	AgentService.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	4912	wbengine.exe
Token: SeRestorePrivilege	4912	wbengine.exe
Token: SeSecurityPrivilege	4912	wbengine.exe
Token: 33	320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	320	SearchIndexer.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	2040	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2924	320	SearchIndexer.exe	109
PID 320 wrote to memory of 2924	320	SearchIndexer.exe	109
PID 320 wrote to memory of 1480	320	SearchIndexer.exe	110
PID 320 wrote to memory of 1480	320	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
"C:\Users\Admin\AppData\Local\Temp\260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
47d0a7a3a84cc180421df928941006ff

SHA1
61d8db81a9670b92e38ed9726872ee9e901a6959

SHA256
a4fb7160136acff3df58170648ca29187149bc82dab3910b44541bcb754fbd52

SHA512
bd4e57a186e6df215f0928633d6c0be6c0c55d5caf82b9d8d41c4c825edadc5795729da289f6f8c44a0729ca7da2490e341758ffadecd14b40da6d87ac701905

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e060ffdf952632fbac23a4c17ab290d5

SHA1
bbaab94b108393b384de33f33aab1174fc9699aa

SHA256
e0e18dc9c8430de433323ff8c0262e94bb46948460a68d0f74c8cd02a55d0d66

SHA512
c11dd4a3fe2791bbd5caf998c4a9373d8695813cd5b42e9f793f01943d6d151cb1ad66224e4325bdbb50d0cf0a745a347087b9df5a3c1a484795a90064ecf510

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
128KB

MD5
9b682a530f47aea249dcc2147b070e4a

SHA1
71832be5016503acffa917165f024cd8c3021e84

SHA256
ecb64aa65bd4f1aaae8282d735adf8cb680a60ab7e8b7c5b690c2e0a78b560ed

SHA512
4f2d7a3138d8852cf534ea4081fc91423ae9ff42c102271221d5c4a1c1be07a2e588b4128626e33ec8992f5fb40510391f1eba2578573e78b07205457c5c4462

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e7044cc030fdb1d91a960293697c4659

SHA1
ae13bccb25e63b80778ab0e35e515f1ed296a283

SHA256
e3bae11554c41e3ca0e502a89b16864ab32ccab497694c9d013cb2756b4f77cb

SHA512
664ab3cf8ab0b6222fc763d35ef519a41ef9bc0404f253522477c92ee04438bf4f8d496e352e1884a8340003bee8cb21691279510f34362f9f17e0e47a2b4e8c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c32cd71e148edeb775a3242a9ebbed40

SHA1
da96f7c9d959da602886a94f55169c9cc9d82de5

SHA256
b70bef6182333f2c3e57336a218962f0fb1da95e91bb492f88ff002f95da8cfd

SHA512
91f0ef61ce668b11d7a1173a85cd4fa2f03f1e63eb3b75a5e5003c21f3d9e7a373848caa8e387d1e422ee89c339420c4b5cca80eb965c8f19b15d45e24609fef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
11d4f17671b7ae020e863b93a681a9a4

SHA1
ea643c0b49a9ee49a0f6942cf0e79fea20684edd

SHA256
781db52ac905e0ae36e9d1c0caa4cd51c6ed22c9f8927fff75efb4d1f20d4c1e

SHA512
c8daba715438b58f9a7020511798e70e8c7e8cbe7f95bfbd53d1ef25ebf381b851c8e433820d26cf4459e5d85550761766265c85ed995e5bf8978854b76057eb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3aa335ee1734af1fe22c110256499df3

SHA1
e2ef0c997684620b399c57d57711c76f59f68e0e

SHA256
a8a34b214e0dc6fc9180349f710559acd74d6f22ba6123e4d48d59cef7798b26

SHA512
666237edd5f7100aa9cf913819b460022155b149d01c39aa7a902491df53ff40d650bbf7c8b8c801bb0ce85c0931e37ae6b57a9bda381a91fa2a076d4eb864fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7edf2003f82571a34c7427247285cc4d

SHA1
2ffe8c8c96b3d4190ba3fd13b141c297ded1ea75

SHA256
2946cad324ac45c7c58bd753bfed322d766435bd7eb88f89841d5e029b2adc61

SHA512
8ddd0fbdce204ba768d6d6016b053ea43aedb3d774b2a9112a09f05b16a961029e6295033e3dae7730b98a467a9dd1e71d931bf80cc127bdc3a756f3d27e7d33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
896KB

MD5
4c465e2d52e11da8e315990e1e38e22b

SHA1
b51cd7bd132bb659b65269c739819b7ba760f5dd

SHA256
948f83e19c06ca460adf1cd9a1aa548e11ba39026ca503793ca7368b6e98c4b6

SHA512
0e5f21fb5732abf6990be44bc5d8121861e2a788c3c61fef8ea1fdab646aa537deeeffe9d7bcbeb28c69faa8fd52cb46a13102ae228f68e5a27e1791ce4c8b93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
640KB

MD5
083c809dc617ff3f59e446ed304711cf

SHA1
1837da062f21a4736aa9203ff9efbe7e006ab261

SHA256
58f1c001a4dc6cdf52bf8088d0748d066a4d4cfae2cc016c3971b3d965903c64

SHA512
04b254f89920a7414872ee2ec87c1a69a899e7111f5a705b089476241410b93ff7fcf16aef569b01e2adc226197d4b612fb6e6cac58a9341df8f3daddd07a5c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5007122eff7f77f8826a2fc545af7306

SHA1
27542152d3d4a271c68a20e279b7e4c63664b0c3

SHA256
6b0edbad230a8ea097e7531d2dd48266c2669e66fc887b8a60a63a6210c40114

SHA512
8be1434307a54fb2cdb958c217a70b60ec7edadb8a5b60f88860df3debbe22b6196ca16dc0bce5c08111f7b7118fd907fdac5a0a31db241985784a3ae39b47dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
377b6835150ad0439e93b25bd09ce8f8

SHA1
cd6524c347203c263f826787a41d97aa1454e5fd

SHA256
e3fe0262b8f3b0613ddc7211fd56fdcdec4adc0055f106d6ed76c50db403aab3

SHA512
c73ca5fd8904548e0833f60493597b24c2b50a23086a9386e11b33bd255fcbbca37d21e64f73c54b032f1aa7e283a868e08095c068078d874cb48d6c7bf58ad5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1be7d72f9f49a27bbd8b3a411ebe6e08

SHA1
deb0c9235d858ab2f24232127aee98a98cd70f77

SHA256
fca58387bfea2c9aef78d7c31592520a8195cf92eb9a513def21d5bbf4b220b9

SHA512
f2f34cb2d0aa8b7d3710c804e4824e3180ec5623afae1d77726dea9de5138d022d51ed9c1e541d5074068684a1e24c3a8b02f892533d4c0fe77422ba454f6cb8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bd71770df2805c5b3a01f3136efe2913

SHA1
95928b09eb25b199f4884f5bca55f60ba5a4b576

SHA256
608edf3be442982f99fe3e3fac100641cdaf39439299e38d3e5b056f5f6754a6

SHA512
fc2f13b7774b8747c53699812158ae83e88982912335a381c66c84b9ab3e8652bc873b1f12fd8222f20eac488ce6c8c25b07c31d00e11a5fa38a47a314632bc1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
85d9256d77333ebdf1115ced5157b6e4

SHA1
2390401f8c7a20ca20d3e1dd1da4cfb2825e559a

SHA256
e29bb3fca0be37c7e4ce5580569612677a5fe7159c163e57926a4bb4da737f2b

SHA512
fce7f520407cd3032087eebe237eb26e7c03bd429d102189e481171ff9e120f54863f26e7ea31560d6aa35713a9b1b103cfef6e85e06443b1ebdb934e5618ec0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
aca64920f3442ee7e350180189e37c33

SHA1
aec661da9b64c8de2bd6d4834adfc13696307faf

SHA256
58a8f87f424e9dad1347f84c791cbb4270b22d3b9ca51ffdc2958ba5a83e36fa

SHA512
ceb51683b4b834ee6bebeb656f98bed3e6ef32b9363f6a5f7b30977993b6fedab1f39ccfbafb663a8824a8b38b63bd4a53c002c9fa3c38eec57a6c5343111328

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
fd681b192a02cf650afd47690d71ffbf

SHA1
4fc687cae4f01780a97fdb7585d2c86a9cc8dda0

SHA256
846d579b40e94c742cff2528ad5236f76b53a425309f8313e2f1dc54a5efdc66

SHA512
e43576148acf1456c7aebeef18c9de3fbca0ead6c8072853eb47e9d2f9d7b905a9c93e229c400ad74c4318d72574568aa64aee22b885273b84e8bd4eeb9fb9a6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0f09165bffb8d1a2c2de3e689b5e88cf

SHA1
de4a83848625477ed45b409c63ccb7feb565494b

SHA256
16b373308e6aae940f2d91d531160ee8afc5f644a9942cc00bb100c782a11bff

SHA512
a254ee868574f0dbf9bbf868c06efeee8b983e5e24c2145891e0997b401af3d88092ab864692ca1c5b9764bdf1342ead3d1dec57c9b32e62f8bc0cfa252adbe3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
09a5d82ad055ac4c88d6f5097b17161a

SHA1
cbee58de4d81c812977c2bf6e70445e8ad9ab62d

SHA256
9375626de5a003022cfe3bf3895d317427221e8c68b1e5c4162e625f553a57a3

SHA512
23e1b58438086b8a7efe2fbb99816f025683d18ff7e67a1a9a7329550980105e19d5be3e39728af8175f30a8ae28dd9772f341fe985b3743c86fba9a06fcadca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
5e1c61d9ef1e458e0c348439a0db601b

SHA1
848dcb11e4ba527a373faf1ea668316394e10d14

SHA256
033e31adff3345855ed1c57323127a5b7360ac17943acb6d41475f4c3c8a26e9

SHA512
953e1ce5bfd41fa86d40ca558714d620a5a639b25a933b9d526b6937821ab037fc196615d5605109e51c0c57b3b511807be8aa59509cc175e7aac1bbf34cbea7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
058a13d837931663a2dbcafe31335851

SHA1
d03eff9554fc30a982bcb417f116b766dcb4d9e0

SHA256
75389a5bb50b7b24b76250dcd6f6a98b02975f7e72290ed74ef1657b30f77785

SHA512
d2c67975fa52076909b7762f51410890ee42a22e76a5ac76cc261b48fac83284f4b0d54536883d0053ff89d3cb58fff2234b8655c227d6919d06c641e3051fb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c40acc2ea336dfa57f346e472574d2ff

SHA1
b7da688f72f9008a530fd10aaa051e286de79f86

SHA256
e2b1aca8e643975bbeadc818105df2cbf7323985d28eb31aa01e98f95cddbcb3

SHA512
19938a01b58f8cbcad176a074a767091f6bdd0677930a45e3e6ee9b48c680e467d33ee38c07b0dae5b7cff9caeeb3b5cb7e4418825803000aced94d750df5bf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bac4ff8ef22448e4fb9dd48dac43d4a3

SHA1
82d3713f0652d769827daa879bc1583cca22fc4c

SHA256
2798a942be20899fefb69f0f59c02e8e1921eb59b92fd8adeb7404d5d6540d38

SHA512
b9d7b09b07ed641d22de47d118b5358657ab5b44705cb32dd103685919b9c39485fd23738020b39512ab9c9e55d7dccacceb18bd2ceb8d07019d9017ac3b6868

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
31d0d083096bfa7fb046fbd1ccf92944

SHA1
beebb237b777ebd58ee87a48fce476d559b5e8dc

SHA256
7969923b52dd44d11b0e480574fd911c599b0e12943e44492d83a315350115d0

SHA512
d26947a03efc252dd3956e3f0fca0b43f7e0a5217a8289d71416931a0f9e215228b540c43ff88851af7a434ff76a53176f2ed425dc0430adcdd530ab7d0e35a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
541991a5a156cdaebe6d2dc14512a442

SHA1
61dd0daa4f15268de03fc2b85d523382b76e16a6

SHA256
955ca7ac18e7bdf86856d0085cf5fd17891441503bb0a809ff68dfee33a93070

SHA512
03d0a6c946c71e3f63e8a1359ffaf25e00ba39fa46bf7b0806b8b814b1f4297ec5996eabbca047aa7c6a0c55e5bf3f84f63ed1a44ec0f2841b5c7653e44e98ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c77914500646545f9f97c7b2103e55e1

SHA1
0100abcab50bdbf2e7d08346c2fd370c3cef099d

SHA256
b96762255b8de869b1fdf80ca5a8f1300c21a98697a5ef5e07db473f70cc487c

SHA512
3aa3072605093ea53927937619cf2ed38b262346257d1aeadcb84a1dbf8347795c46d3c01dafdde65d01f74ad0bce637646b178ba421869da06de3254ada114c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cd78c2645d4dcda2751dec22c4b97a4c

SHA1
7e911a5874018e32b06f3847d5400738593df302

SHA256
6b9821bb77a955c6c4c150ca330bd3bdd2fb7cbb88706461159e27efa3a4e0b1

SHA512
5732b086b2d2dab74415b93151f968f88ac1af116c8ae80c49ccf527b1fef1dd12e78cbb4a528f03aefb77406bc190a53221eb487cee26811147de1cfeb972cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8154ccb2ab8013b4a568b2917d089dce

SHA1
15481cde73fb8e960bf1709c4d56acbfe62d516f

SHA256
38a90bfec855f6a8187b1cfc3ffd25d5678911eda917b4cdf4f8c4737c52234f

SHA512
53610515919dad02af4e4a2acb3b9463b5fd1fac9cb4300f96b0aabc0cfc35dd9e654e2aa51f862ea8602da1391580456e19ba3f7cd168a8c21fab4eb33e1b84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
89e31d972540bf94cfeec1cd6a89a79b

SHA1
7a0c1c0a84d7330ed3ed4e159051efdb5249225c

SHA256
1367d2e0c52fd9b57ca7188c8f766aad82604de328ece51486191a63859bf032

SHA512
39a2fa465ff29ecdbe312a0fc3aaa64dbfbbe635b593dab3f4318ab0eceaa8606561449f6d18c4e81f1b21ecefc87b10239089d11ee1a79a31adbcdd09d7754b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e9bac7dbb7a172b67856ff58513a43f3

SHA1
2a5c94830336a41ada1482f73a70f467ac627336

SHA256
f1f13f3b55582443edfece0b7797d45394fb5b6ddbe377b8296987c0e546c245

SHA512
4712f7d636e6a46ea4db0a0c5519e77bd375c32cbcf28a32a32fe3133ff185f1962ff007e97df0be4f371756a2c35092b9c98183a6d6c452b5a8baae40af720a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
30c8dc7a4ff615864a15d412031e864e

SHA1
8ddc94dfa7fd0209bc92ddbc6eb8508bac627d97

SHA256
5b2928594ad20ffea19cbd1a4e3d3161522508511418c302039dd751189a1eac

SHA512
bebca4dc89c4bffd071b2642a0d35d1aa4947647c4d9fb47e0907e04327c358ed4101acf5783b52c4abeec4ade0930946875e17a0a585f81a8456df61faa9a32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
449e31ab47d628ae6aaa2d29c6f12fd8

SHA1
1628beac8f4c5a313270f3b620ad7bf1a870b379

SHA256
79bea2b344eee0b29c5b3d72037bb06d74bc710d1621fe9332ebe4df73420fb4

SHA512
b8312e3d29ed52b793bc76e43eaf6799c52569a0d8cd54227a0eacaa96697d972fe761d788abe34ccb9bec3ca39175099cd7194bdff9ff05b82b84f1feda0292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
346abfcd3dcaff7226333d0d3b52da1b

SHA1
b4831e6abf6d9dd6911ea64c7bd5f4a7db7c8c71

SHA256
45dc5b8d97d85e31c1bccedef8c02cc185c6cb4e8dc1cdb1bdcff636eff00484

SHA512
bcb8dc83902c755932eaea92c95fb440af37e787697ab141b05b46ed769cdb76ae3b24b467c7a513fbf0d96d09490bc83ba5ff7d1ccb041c6e3d1afb7cd67931

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b089c1b842cfec5adad86470fbd9fb2b

SHA1
1c91566775929194ee2ac8977f95136a55fd0bb5

SHA256
48cfa1c43f6b16a2413a6a8c3f9efd2807b46b5bf343bb402530f411a4e19b4a

SHA512
d1c85d96f21540753fbec3502ed7b77bdcdb8e760ed32d8204af2adfad83230ce91f23d793b16160f212e9ffa1c0f6d5c7fa9933911b28a8461954f4b62ebc10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b4b97d4405fe6d280ade0b3a7013cce5

SHA1
dc2d57e014212428a3895b02c6b215b9f0136b5f

SHA256
c9e6ba57fe825d426b321cbff2e550415dadfe1882a1ed6c9e62a89fecee1fe8

SHA512
94ac78c26c29e3ce57c3e0a77d48ff35b7d2bdc83a0102047b93715282a1ee5145eae1e15d65a145e3ff8439b8b30d05d9b3c31052c3b06eeadbc03ac96c1cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
29ace33d9619e6641110569ec966e147

SHA1
4bc7b3a517025728dd80b5c631ab4fb9196cfa23

SHA256
ea7b538b123937805283013310716d74a74c8719a0f5de206da13d9cadda04b4

SHA512
0e8b6cca65081684edd84cff06e4315a2a8e7247af1a02f2bd3606e33a61ff100ea42b6f567c53f8df4b681bc7307196e8d4b760d5d2893c6734452b17449eb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
32e4b95abc868e5a276fb28937ab09d3

SHA1
2f9607c8761729ec231cf512725360d4675c0278

SHA256
90880a708a5a1e3c437e26bca62aed4154fb300357d93f2056f16dfe7a14b6a1

SHA512
41ef3697a3e45821d6a1ee0ab7060d2bddb368ae2476eab9d2018a14218c9503507a98972dc81f5e7c72f05455994c20f7986687a4791d33ee7f512ed911082d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e46efb90f420660c10cdad51b0ff0949

SHA1
0f30c70cfa0c1dbe9ce9a8d0e19038a78d76b05e

SHA256
6266e8c48c4528ed1d9e3471616b807c4075be93defa0cfe61b5791826848320

SHA512
f10fb085f419c848f2638265dbf1c44eb5e87e9c42568a74aeb289abd814a6bac177d6aee0a1f19c5aa69496fa64278d2f1ae14ef7a2f0e429be3511d0f1da85

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
5f52e80e7061c13a66272d0203de8428

SHA1
a2c6f552d2bd32d4680ad13a7e3d23552253f37b

SHA256
869251177e6cbe910819cc56744bacb1b6ee50134d973bb342c7177e4ac7a5ca

SHA512
7c3a931d97bf9ea4eddcd291027cb7f37d51889ea6427bcba3c4d2ac853d571004d189bd4fa9c346288e71d3f68a5a7fe243420bee2a36e097c4a8c63424eaaa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
bea0e53e3f21fdcfc774a6c1d2fd5fda

SHA1
b65131b4d6ae813e06cc3d6b96dad7e8f423fd8c

SHA256
04e257313445eedf10aea4e568412a8a18eff56eba0439a5a64205fd43c30898

SHA512
78ac5eb2ac815088cb2aeee214416aa48c8f7dd0d64c43fa019dfb930b4bd37289d345b4bdb80f883f163d18f90ff1adcc57fd8772ba35cd30326860dde0eeb2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3b6a17aae6d478c0eb4f570f886b3c6b

SHA1
ab1bf8752f5ab2aecef5ae5894747d1007eba8ce

SHA256
eca3d9b971f10dd9f42812d653102695f4e743834cefd31ff7f3c424fd27e61b

SHA512
7f1073d6476b7db3bf059915287e77a6c80115d3ad441717ffda3cc3b414983fe1d8c40a03b0329959491cee38087ebceb46961691ba7822a06e36ee25342da4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
39b1aff8f08db349189d9e1764208d70

SHA1
6f82e622494a54f3bacd53a08ce7089742f1819e

SHA256
82305c9050dab163efeac8c9b689fdc69a26dd408c77b85148a17ea94f5917db

SHA512
9c562618c8e6bfb90a5386d38281c8eda17b305e6488506634c044d31716d314d089b3a5ce125c9fe082491a9d71648cefedd6f315f8d8485d5612d6638b074a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b62fbe52c92c04e49800c0e24607ba6

SHA1
26ebd3e7ac9bab6041b3f133e76dba8cb5a643e0

SHA256
356f18bf91500dc77746056c6014de1e9e40366e113cf3c1ac31f64927b85d15

SHA512
0fc2adf0a46fb9973d55c10a862f476829351ef1a6a4ad0f5516e7fec297dc6d6a461d3944d4ad8fa09374a53c3b66cc40e5a1fe9a6668efc4332d86966b90df

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
72af4403e35b44646b66782c1f5cacdd

SHA1
900f713928729de7f58da9cf4f41ac83d4b06446

SHA256
5d9dddbe97d5f5334027cc46f674fd1c59b946fd372dc8c57cfb38d2e456f514

SHA512
a96db8dae89ab3b825785f074660dc62e69f4934fa0e33f47f293b90d4316495a86b21d9c58860facf153107034d8e28f53964b7a814e6466a1d4359103719e3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
edabf0d917595753d1f5ca45cf7391bd

SHA1
2bc456f6f80b1593833bec30cac8474ae8328e65

SHA256
22bec7d4a35512a5311afd766d4a12f94c7380a90e6721fed4d7216aa56f08ca

SHA512
e63932316dd5aa92d088bdcf6ccd0606aeaeb780d41f3d7b0dd350ad637ec13a96eb7b8801ecf57d86ced7a38dd5a7a9408ef51233e247e2660541a562a89391

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
be247c4ca521e8ead96283f5f24a87ab

SHA1
574959db4973d5822da151655dafb5292d034e11

SHA256
b6b391436a492e2800024068a94beb32e2538652ee0949d89108b0293408373c

SHA512
3e27a1cbdabc3e43f1147f3cba781b13e2dd202e153e49e6a5a580198b3e1815343025291a18cce2a3b8c5589cbb6b0cd2da3de3c188f97e7fd15e3934d02971

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3116d771c834f62dea494f007d599fa7

SHA1
bf8e8fa60a494e4201d0c3e011626255f1b5005a

SHA256
0511ee6652ba1a5a0f47f85192336fe4b9c0653c9659a7bdd220b7cf54b3e78d

SHA512
76a977af0f13613387fd0e12f79a3952221336812ee0830c173164981f25952e70a0148c88bac896cfae685a73de9854f0132249557123c6d08eea07bc010279

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3bb4de47f51c314ba644e44f8877eec6

SHA1
6e804cf4c15c4a80c0dff5ed0ce5bac69622ee2b

SHA256
5fa350f0508ad76f61aa81ad2a1ba609d791cd91ec671f3a463695ffbf84b1ae

SHA512
ddbc2e69389571a4bc72c9bbc27c9a7e88f416efd52358e4faa7082d8c09ce7cbcfc4c1b37f2531e42ba62724c06cf25227e965889a954510f8754dc94d76097

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
27af8338edfa94307d404a619ce928b1

SHA1
41cbad35e0369c7d8cf5c557b7adb250c5b3bc4c

SHA256
d8d282411b9ecee0d7966f3c4712d49babf3c0a8738632214209b0b94e25d205

SHA512
901c0d72e35e04ed7dd34595b9d2c1996f6f1809f936f491c59c177f8c648153ba05722e56052a75ef08d54aafb7e67294b688158e114cc119ff1435b32ebf2d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
873b7f685534cb6fb7ca8ec929c8f281

SHA1
c9f48a959ba38c09ffa696c43e510140ed903032

SHA256
c8d9d48cdf1dc8ce821ac1453682a89a0152e6517f57daff0d11a51c9703f8b0

SHA512
ddd8f569db4746f242d6f67395db9662469f18cf70b05616780857486604b203271f1ea52f75156449fbf973270692a285fe4fca91c258e22ca60a889f3f044c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3e994fe7dcdc628c1a8876d4779ff9da

SHA1
9321e8dbd979f02dee835a07f0185bc88ae2697b

SHA256
d6bc6d3c5f3409459aa60275636f0551d95a19880e9d3917fedb613dde02dc84

SHA512
2e590eef825a2db3912e71c93fa5b6fbc99f159819f63a3c46b954d67645700fc213e632d932834ad5e89069c88596ebfcc767b5151adc684210daada8d408f2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0a1fd55db51091209e42b28a9fe712e1

SHA1
29a75247fb8d81c2f2b5cfa22f3039d627db1173

SHA256
aa2ed73c6c1205bbcf2478a2cbdbb22446db5891f8552e0e1ebf7d211d44d31c

SHA512
985ef5a745e5ca13cd2fe1e31025ff8df5e530e6c350c4fa6e212dbfebda36b11cd4585421212e4f91fdc60616eed58e1439412be1ac1616b0441490a8be75a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bcb1220930c7c2898489887a305dc9a5

SHA1
c293142ef47945c04c090810ec46342418a8aadc

SHA256
f0de0432e0848b929dd12de46069423747fff2fb3efed4f2cd56762c28f65f1a

SHA512
a17ebbdedb3096a4330647ee06ed3db05f05f78a3bf2a06cf2aeda1d2e971237a70cb661ba076a9c8bd08fbd093009cd532544e35e4375044185bd91e07fcb57

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c55f195363c660e3e614819985c5091f

SHA1
0421efba10fd227a63d0754e902158feb0d7b4cc

SHA256
d70893a6e99d9db839d19230e5aacca43edda83e38886da982a7c02d67c4a928

SHA512
d012d99f7c8fb96051962268f8b9f96b145a391c671305dbfa3d17fdce5204f8e486085ea0344c83a399e2166d52db469d68692bd18bd07748ac6e8885b3a9d3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fd075251eb2bedf6e9e136ff770a7a67

SHA1
7d0c38025bec2e590871410a6a97c06ab2116aaf

SHA256
f87dd9cbb3356bfc970053cd7698bbd35297717a97849350a1abe135ffa109ce

SHA512
ee6e918c9ed0a8b2c626d54ae262051a2bcc43f5ae585801eebe2fed7266f8d53c199d4a20b15dee894a0efcaec445dd0ea777964237ac94f723ca0b465746a4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cfe2268320f382987a03aab140ec0bf7

SHA1
f074b6305a9e0dab36ddcda998543236224e5399

SHA256
c917368641a9739d5cd6e0598e24f3b31b2e76dfbb0e1b6763d29042c7eccf23

SHA512
710651da5bf5f6645d7cb3bd81bf0d2deb682c1d98cee8ec8006597936082c57342c9dda5d3c575c2c3d412ca83ca865273596a6f9b491f7148eb155d51d73d8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.6MB

MD5
7d53829ea2e98c4f9349e7acfdf434c4

SHA1
ac0f0d11ab8a00c5ec682d41b99c2d187eb86a44

SHA256
65b5ff7780ff209e90c4f995c2c4f2b3a9743f8f92d8aa07ca2e454e187c481a

SHA512
f351e208f4745b7e2957504ce26e93eb47a202dfc597ab3a2215eb91601a18e11aec0c216595f27caaf7dc9877a651e8d11b97b328aa17cb7ca61154b3fd6814

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
128KB

MD5
06c3c8cf51a5a37877b50da8ce5da14c

SHA1
2aeba77a63f3dae7cc2728bdeae2908d7a8eed2f

SHA256
cd80bbbf58a50348fe57f1b109545d0a8ec226bab0301f2dd43d0080c7fa4585

SHA512
344be3f42d818fab3c969358fb4dac1d2116cb77992550407a8965fcbc6f8b3b46da62ba39120792b2c2fab1781a455b310df85ea764568f53d01b333d37717f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
320KB

MD5
221659d947dce9f582faf15e289d329b

SHA1
351bc1022db2c97d01d498ef61eba1668cd5145a

SHA256
048ce8bac31c4929e48149892541f783ce6151ef8a60ba463948c00f2be87b8d

SHA512
085af56b740c33d38607bf5b5efd269e831a95334d5c72cee55732a9c2ea378178c0ac1fef99226bd7ea51993f17678427c3d2944b315a38901a0e3a3403693b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
128KB

MD5
205bbec0f400dfbc3dc0fc2354b16a0a

SHA1
a59c1f93ca25be9117907ecedf5daf1e7484358f

SHA256
ccd1be32ebcef5d43b3a37f8f0c34c47a28c2b1e2627f0e77206148a87009f87

SHA512
75e853a9873ce7392c61b6d9602fea05f3d168a042b6ef3db76983a5fd0a846d88d399fefb40dd60ac0403fdc12829132911d3d4c94971e960f33e886204fa6b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
192KB

MD5
24808eda8470d5a9028c537a2447fefa

SHA1
ed7bd9a0e7609582e08e52a5702dd86a3a199cd9

SHA256
4567a103f223b51b0eec87b62444ba936755ee0d9f5c9746e23ebbf998db3525

SHA512
661e54ec2b85b2e129f300a593ce53dc5fd79554d9002f32a65c0167ce0619c2689629e3fb061237faf4933635d05a258a022ac31ea384f7381fadc2e9d5c870

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
128KB

MD5
42a5fe39b62331dfcaa6c18bc71a3199

SHA1
8505737e4d5c778dae7ee3a44fc78c8611a13c57

SHA256
151cb963424704fd42e36d4d6c419ed4ecbdbf9fd75bdb21e9c47edd1feb6c0a

SHA512
bacae5e96e4ed7a49b652c22b7a11df1777cadb0f254ad46d1307afa8faa3cff74b279911bed3692bb84d7cbdb770f3cceea84f4622f2fa98a73dc05b1383d45

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
8f72ad656efa8199ac9596601b9868b0

SHA1
99888fb3e1fa262e4ad386cd42242fbf748cad53

SHA256
57a6d7a21489970c8ceab8598afe62486204eeab75d7b73d8ef272bf0c6bb0dc

SHA512
883fad7a31f3cd70e29a450c69f09405eb2a0e949a8bd6f7f073187d10b48aca0d69d881b97a1bab1d6133f9c053d3e4645b36f0f5088f8d4eb62b869ee43cb1

Download Submit
memory/320-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/320-372-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/680-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/680-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/680-223-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1100-311-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1100-243-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1100-250-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1416-320-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1416-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1432-360-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/1432-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1796-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1796-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1796-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1796-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1948-303-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1948-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1948-309-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1948-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2040-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2040-96-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2040-94-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2040-101-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2264-210-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/2264-268-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-203-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2668-337-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2668-270-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2668-277-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2988-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2988-350-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2988-290-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3140-106-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3140-113-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3140-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3140-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3140-116-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3284-177-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3284-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3284-186-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3756-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3756-334-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3920-145-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3920-152-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3920-143-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3920-155-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3920-158-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4120-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4120-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4120-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4120-577-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4120-7-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4120-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4468-264-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4468-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4468-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4576-163-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4576-161-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4576-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4576-170-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4620-263-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/4620-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4620-253-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4620-198-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/4680-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4680-88-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4680-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4680-144-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4904-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-235-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4904-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4912-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4912-347-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4952-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4952-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4952-120-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4952-127-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download