3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
Size

1.8MB
MD5

e76fa1b7d9173017cb88049a1ed4de3d
SHA1

c806d85080cdc961dcfa54529d13b9ea40cdd714
SHA256

3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207
SHA512

5611abc0e180f901d62778d02ba2ead4775065ca36203b3ad9034546b0303a13484908b2e9fa24cdb624c9082245f7051e1b67d8148871df1d6271b36b22e3be
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAtKpv5Yu5:/vbjVkjjCAzJKmv5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5000	alg.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
1432	fxssvc.exe
2916	elevation_service.exe
2472	elevation_service.exe
1932	maintenanceservice.exe
3184	msdtc.exe
4752	OSE.EXE
1464	PerceptionSimulationService.exe
4512	perfhost.exe
4468	locator.exe
4916	SensorDataService.exe
632	snmptrap.exe
1484	spectrum.exe
4948	ssh-agent.exe
3640	TieringEngineService.exe
2748	AgentService.exe
368	vds.exe
2216	vssvc.exe
3404	wbengine.exe
2624	WmiApSrv.exe
4444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a3ebfbc324da5fe8.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\System32\vds.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_hr.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_ru.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_id.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\GoogleUpdateComRegisterShell64.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_lt.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_et.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\GoogleUpdateBroker.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_zh-CN.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\GoogleCrashHandler.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File created	C:\Program Files (x86)\Google\Temp\GUM539E.tmp\goopdateres_sw.dll	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ead9107c665da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016f3d206c665da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6868a07c665da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b784c807c665da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000630b8906c665da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bc62807c665da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000638ba07c665da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000497e9e06c665da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063e98c07c665da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	748	3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
Token: SeAuditPrivilege	1432	fxssvc.exe
Token: SeRestorePrivilege	3640	TieringEngineService.exe
Token: SeManageVolumePrivilege	3640	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2748	AgentService.exe
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe
Token: SeBackupPrivilege	3404	wbengine.exe
Token: SeRestorePrivilege	3404	wbengine.exe
Token: SeSecurityPrivilege	3404	wbengine.exe
Token: 33	4444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeDebugPrivilege	5000	alg.exe
Token: SeDebugPrivilege	5000	alg.exe
Token: SeDebugPrivilege	5000	alg.exe
Token: SeDebugPrivilege	2480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 5932	4444	SearchIndexer.exe	115
PID 4444 wrote to memory of 5932	4444	SearchIndexer.exe	115
PID 4444 wrote to memory of 5972	4444	SearchIndexer.exe	116
PID 4444 wrote to memory of 5972	4444	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe
"C:\Users\Admin\AppData\Local\Temp\3d6e0db55dc49760633d6373c307dc1bc5ecf123d91845635be549ba5b2ab207.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4540

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3184

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1484

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2032

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
144KB

MD5
0b3a78d8f97332b16b3069b412c4c899

SHA1
2aeefdf3435be6b45ec244aba69ec8a27d909909

SHA256
57050c7e50c42f5bfdce8c8e70ab659c778d2e41acf80b8f0b409fcb14e4197e

SHA512
29219981eb4fbd522417923335ad50d62cc36e6a6b5d38a3ba62be87182b345fb7b362e82558f67593ce5af71928748723b49e8f44988f6475da57f097b1ae7a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
186KB

MD5
b8a1f4ddeb7c442719d24b5ebf5d628b

SHA1
f0fdad31f139bb3ea403a1afc743a38763d2cf1e

SHA256
81565e0e150f2a68495faee202df3f6f4744d2e231285c3c89df9ad148d549f2

SHA512
99cd646059c338bf2724b93caa1951c976d81d14539e01dda1d4af82d403a6e371b711fddfb29b32cc6d2c15b18b7eb0e7dea7f2500887acd2ee2e382e1151df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
92KB

MD5
48b95c46abb3f876ccf943486e175acb

SHA1
e27a5c6c11327d60a3bb43e36b44808de4660f95

SHA256
0d52cfccc115d83750fafc5a777b9b21f78b539e148be5343995b4d054c542c3

SHA512
9a71ee9ced35d4a0fac4aa5dafe28fecb0603a66131168f0224e2915826bc6b34b9adb5731dc9253a3e33d2cdbee623365f609b0107a5c13d8137f9952701f52

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
78KB

MD5
23273236c0b7948ace2580c4f4b00107

SHA1
816439d2ba68a222bb52b159cfdf17550d5b21b2

SHA256
1b3467b7e467dfe3809d0cb3abe48fb2550f1d7a4baa0597fc275283ef596d79

SHA512
c17b33b847c78847926cf0077fd49fb98df817f5b7646182e02c41684effa26125db0c10045e4518b23cec98a11a49cbef24f354e7515ca28a6dd8674daa33d1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
108KB

MD5
34d99d35fa57c0a6d8368ad7ca38afaa

SHA1
7921f4584b4d62ce9815fdb08554de8e5a20236e

SHA256
f48873c5fbb08ca6849c8f15b981f809e3d670a494da58baab68fb408e39d882

SHA512
20fa46ddae75d0d9902d641ba0b787bdc1f5c30fdc10bdf8aa2ecdd47fe24e7b8e953838839785882b2efa96d2ccab922e13b004d3a28a29e3b1c8fa9e5ce389

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
101KB

MD5
94104908e4bbce6b277d08c3dce2e640

SHA1
0820f4fdde20ef2f0bdf006effdd445f2f9802e2

SHA256
2072a6f94e973a599c91eb34fd51e497fcba5ee4870fa56cdc06f25295336078

SHA512
a879c45b8bb75073e36c68450b0c2a464506af5a807e11cb80f61545576a199b7bf879f57206926fad79b7f277396518e7709e4abdfecf48f940e57e488cad33

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
85KB

MD5
09583b0bcbbb499841ec7516fe96b005

SHA1
6557b2a14ff5db5c7bd6ff2a4e75333ed389cd5d

SHA256
d272ac467eb3ffcde2d6e35209d98dd1ef88a3b7721d2b4bfd2a5e6e999609bc

SHA512
d5d76a0784d943b2b1db4a37d2bb366cae70419d2239f78fc0a1084ace23a57ccab3fda9345ba9b9514e26fc928aa8a97ae4df5585935c2c6ed90c15fbefaab3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
130KB

MD5
ba742d161b66f9a4c5a23fc2b61f3a78

SHA1
2a6c48de96a091249f33ff32b1d63d6697ac45e4

SHA256
0dfcefff328eb95268497170a14fb5f242d16f173b48e04b7bd413db052ced20

SHA512
6aad4de09f95e8c1258789469337157a24597f5d4018f83da742440f15e467f348700b61543fcb9f39bbc6d86dfc7108c6ba92a33aa3024176647cf1940f2ea6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
234KB

MD5
f817afde3da2fe4e0c339d38d7b1fa1c

SHA1
f9c1b0f31b577701686553e8222e5279c561bbba

SHA256
120a0550b4868144289a5bbe204369c3534ee6d7f0d61083a4c00f76f46aca63

SHA512
add8b54c9ac05f4febf2255236edde88213af64811818aaf6491a95d0179e91fe9e6b1ba55c1876dbeea7271a03f71ada427dc9081aeaa9c5a72718de87ae535

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
154KB

MD5
0588ee2cd640879d8c29e82e092f091a

SHA1
2bbcb03f1bc8baf0214f553eeac5129c1dc01974

SHA256
280baf6d3d0a550ffbd6066a1a5fb04a7f2dd29d4d69eafeb84fb6d8422ecc3e

SHA512
83c56b15d4584e45c68ebd3037fa272e2653d79cf5d01f3db6dd62128417cdfab26a169a8b5ddb6030e1dd4a28af97f741409926c50fb84c16bef78dbf069eb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
03d7d8f5b7959371c901eb5a0a9af89f

SHA1
7fc78c176523e163ab0b5e3e473efcd1ace2c5e1

SHA256
38e67fb8c0df606ebc9c3140f179fdb922d244a44f211a5889136e337b21796b

SHA512
b37a16220c073aa6be90a5a3659bba4f3b6f1f6fd0e90dd7580e297d0e0b29d935e415cd3b4882e6a6de60e5efd0849f5a71180fa974ff95b2dac02011829928

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
112KB

MD5
8a79106fa06e18d7a5997a3e8711dd97

SHA1
003ac4273e77be16f3a0d80a4c7dc8e4fde01780

SHA256
839021dbf6323bf8cff9e43509e1e3846a661aca17c7f3b41aac0e3195ccf095

SHA512
39e13f5d8911ab00171eb7f37eccdefa72133cc77409c6ebceee16851213b89dfb90ba01381b69ce7bc4bd6a5b60c888f9c2e973568946aebfa1dab2e743fc9e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
726KB

MD5
84caf0dc903623018363f1e7a051cf2b

SHA1
2e76a02b16252fc5be5ede8646eabab66f76c349

SHA256
d41fa72132338ff4b3bd0b1f5143d436caf437e2bfd937e9de469cb8f47febda

SHA512
77360c4170f462ca23160b046a3ff9fc4f30368ea9c5f3d100ca3313143b542cb7a73f433f95bb84f99eb2c3f845487864adf7c8cee882f81051a0cf1a45f88a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
39KB

MD5
e4b64080a9b74c5f7aa70431203ba546

SHA1
acef6f9debb16778f7d758a27e87f20a66a7a2a0

SHA256
138dbfb68e0ccf16820fa55f40a9d30cdf18ad24eb598654f77e67827735d80e

SHA512
30aa21cb81574cf949f3b58a3c34d3329b2922ccd3690ac9c505c55751c474fd4a694a4146a73102763c98e3f04877b733c61a1975a734a777cf97d066b5c235

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
896KB

MD5
9ce71e1bf9936e6c81dab0c4a0e892b1

SHA1
a317a233acf75631b65a3eb065b76cc3e6414cdd

SHA256
b7a1fb7f946c9c8a56fb60409f1bdfa97f1ffc82e43e553f249f96d7638d4eef

SHA512
a138cfb9951aae4373fecb146cea82b68bd125f578a955845d2433a73cc36107016f085b2030b4cf54337a6fd00d5c0bd9880675270d934df246b3326bf1f832

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
863KB

MD5
626df9c06ad8899679b78babfbcf84a6

SHA1
3ddec628dd4a42a01657bd2ac3d5097e6e7c8d1a

SHA256
3cc3f2838b437e7fe7466369e1e2540ad06e272c226aa1b57038f042dfeae0f3

SHA512
dc48260bd7f25598374543c1157f860daedd837214f2136f8cdb3cddb5b8f7077de1497668561332fa648899e81f2353dfcdc274dd356e8b1fc9de38efe01ea9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
933KB

MD5
86cca01a35ff349a21cdff9d2aa6b891

SHA1
b77e287d06c7883764bef8211e775df30eb98e9e

SHA256
61684f4ab650537cbf9890a4bc559df7dc8f652e11cc37f0d284e015469a0a05

SHA512
e8998ed1a1803fa53424d181411d80ccb935534e711228a418e3c148cee50fca852ed8e4a87b1e14144f4afe0257b63bba5f412284113402a15c197a83cb8b93

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.1MB

MD5
1f81ad9a3291baeb1119417c235c7e87

SHA1
8eb7189ca7447db77c5df2f0cb4fedc09cc3fd46

SHA256
4af8e4b2aacadf6ff953b04e822278bcae9eb2aa3989693db39b4f6e8b41c1cb

SHA512
b9e547927c970e036fbfa39f0ca58baf1ee6d8af3096f868a9e3a72b676ae02f4ff733a6c091ce957d4ce4c268d16e5fc851642291561c0e7b9131ecbe0dd7bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
457KB

MD5
131abacad8f6ed8affd927846e051339

SHA1
8a66283fff1ed4a1758e03bbd014bf7b0fc3c855

SHA256
ea799a13cc9b9a58f8a578379da86df3daf40467a71ad853f3c353d4b26273db

SHA512
fcb5d97a56a3aab85a3c22d24b78c49aaf35c48ead81ee2ae317aff862d959b263218a9bd26e7de712cae2c6aec3c0f40838d4365cfe08f200af2d084207c096

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
942KB

MD5
c7cd9abcf1d366f52064a10ad5cc585b

SHA1
7078b9b40bc5cb468d12e06ec95d7df959656464

SHA256
1c6d9e0252e4609d444989c1aba35cbdf4e32c9631809f49b8bd982d4d416a49

SHA512
3805f0c562f30e18d49c98e7e5aa712bc4776a3fd61d45e876e4fcd20bd354a2b9cb8b9b3ff3938f8e025d8504ffc3ebf39ac62f72b16cc7b2e5bbb7c9fadc5a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
777KB

MD5
186d09e4128950e3388a64fc9b9263f8

SHA1
67bea7d85b55a11872f2dd675c1d5904fa0e74cf

SHA256
b4c71492857a58a3f28a96a32960fdb79c32053a13320ccb5c30a6729cd0e828

SHA512
dd962f01b0d3c940194d86d65b57982ce2db9f06d972b3add8bdf38cb67a67a7aa4bcf93208fd31e3d6825f081d4e4e11bf02d9a1cd460664da74dda0914d0e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
c2749b59c8b40a7aad5daf014809b7aa

SHA1
ae432d5e9afa034abc26360ac9c00e0d8444c831

SHA256
0676bcf7f04b313d17df8d0c97ed29bfac5f32f005e55a5f00cf9aecb7cab0bc

SHA512
dcbed762ee8678c4a1edd6508ea2c89b7bc2dc0e4f5c181baf7c32c67379119d97f4773c220d9ee31dbf82e80df83c3615c07da90caec8cce51104786a955499

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
899KB

MD5
e9de574c68c18185240b0aa9d6e48f08

SHA1
7fb2223828661aab8e44e0b8553fc89330e33511

SHA256
eee1140dbeca1703fc6d377e897cd831be7540d57732ebf457c9b3557f8945cb

SHA512
93802f097088ae716379fdca6518f6f0949906a3c7302232e15d35d70b2fd56fba3bb025bd37fd0323786c4f0d09e16af87d4cbc0ecb02c1cabdb40548973460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
913KB

MD5
218b65cc03b833dfc08b304e541c9f91

SHA1
2b79f3eb025637b58f6f4bfea580e42cc062aa1b

SHA256
cdf8413703a479ed07d090490673d8d928a380eb2cbb46bc27a4bd2b5b454e63

SHA512
d3db0c62ee14343f8304be26210f524fbb95fe407de149704c5aa1814b8cdf8ee5c7e44ae158faee4fbaf05c03ef672a7ae64f51c330bf2619e33e62d57ed359

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.0MB

MD5
b37a306f901edd21a6f7f061efbcdaa8

SHA1
0633736372f17633c3f1e28a9072b2fcd7e0342c

SHA256
741b477f2dcc12fe296bb8c765324c9a076d4d663e695205603a3d09be7b6df1

SHA512
d531c2d1dfef9e169bde6e8a28f51b61c411d587b6a2388a81a3151a50433a40b0e366cad4bf907464e1041a597736d38b1d54637057807b45935646cdb66c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
856KB

MD5
55783a9addc9cf3aa9999d98c665aa72

SHA1
64cb7fbb2d5017f96ff1908b6778f84975807e3f

SHA256
bf1baea428a16c04ae4ee960e8a3120d4800632f0a1e06a260a71c42010c845f

SHA512
e8befb5dea4a867fdfaac5888cf8f8159e467ae6201b32bd80e34c652bcfa58c9e2e951683e204c174adb95871a910d3547231b19ee03dfb6c3fefdfaba4a804

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
821KB

MD5
becd6d390a739c6dcefc97aac004a7e3

SHA1
d0e8384ca17e50dec7374e5884a266b2f4c4a533

SHA256
152f01a5c929e9c00e881198c0280ec458ed4ae0f3b5ec62b2a62658a32135a6

SHA512
074be1d2802e9c3ed75eeb1a75c6633ea30905232becd8ba951b0fa62364b5334951f8fc48489255a5cc3f95302492c9367aa0945cbbc40c59d01ae559dae8ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
945KB

MD5
a3befbcf479101577ff4553bcc464f4d

SHA1
719f8bee5ef5e3ff2a99e323bb8ebb587ad024b2

SHA256
6070b39eb07728041953aa073fb618f9d4fddd0cacc9a3829610f02ef805beed

SHA512
4528165b2bef0162be80b3297e1350b42c5d68f47c7c6ab0957f3d5bf6a531f58bc9a6ea421fc67a39c1a6ca65740389c738ae213ff22913c723b58ebf332594

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
825KB

MD5
21f57265966c05462f592bf6eed1a77b

SHA1
cbf9e783b0df89428b28c090606916cf0194ee7f

SHA256
7ce3ce222499901a065dc25832d3e6490c8e935a7d7ea2c50aed6f472bfc98ed

SHA512
40aa8ad62b28a48ab0b477f0f7b102e1dcde177a936b986f3e1021de5a7c47b42a7c7aab73fe338b75b7d12220f36e8fa4001163cdca19d2017a2a41f45b9828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
282KB

MD5
2b00cc8412201eacc644e6a8898523dd

SHA1
3f3a2fa38ddb1f0b4540b514ae0347de5b626af1

SHA256
c24e12edf9df7392ea4d0f4430cd3924df95b3dd77c75d1d3e10fc73fd3b8841

SHA512
f3886108f8358ffa9112aa9d2c2bd343f217d11cbe4c042acae84ca4ed3f913a92b53aa64df3c78dd2d234fca8c9eeea6c494cc725c08b50600e5ce5ca1696d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
779KB

MD5
864b76ad44cf765389fa86bb2ca38a3f

SHA1
7a5a000a4ccf744449c1852d1d46495e93fe7069

SHA256
d68c013fdd30c417c88f3349d9f1659ced59eed798ec4c39e8378c6a8cb5d465

SHA512
3be36a718ea1216aed8f1cb3aac75101760239f5e8319ed8bf2ff59962d235e70ba47c654d00eab2d2ef7a249cc82c07af614b67d4a4a8348f1e64a6b12761d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
740KB

MD5
b87f3dc03f511b4317c572458dc76944

SHA1
8616289b60a6b10d5a40420122471c4bb02a6201

SHA256
ae6e63b737fe19caad7643b1e1b2b0fa972e13923fcef99b174855e304d69f02

SHA512
0bed60479e7de93a3cab7b76642731035990d1f8f6492042d8076c84185d7aac547507d7051e80bd2091e8c902dcc11232e19a23e306524e1ab47dfa191abad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
960KB

MD5
965499cc4576929275e3c5071d0d3868

SHA1
879f3dbf370f924c271d89342cb37be97c02c3cf

SHA256
6d31478d6736631f715e785fe21c4879c1dee8b53788cabdf4f8c7203e474fb5

SHA512
c15f834d1b177e72b32d0c48b452385e5e508fd79394db9ecfe35afddc272d8e22166aab7ccdd8ac72a8a76b366c52b69552b3d52303a2a9c0b452faf12b7a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
654KB

MD5
2b3b05698a0a16116e403a59f16a6e3c

SHA1
de481642484c59732d9250bb85d800b8bf40eee3

SHA256
df93eea7fb9add89d6b3e46a45f44ae8651a14ac2142f9312940ac4c895c514f

SHA512
1a0203fff78ca469a290b77b74b67525c5fdebfa0e21909f8ede38fd85c5d44584ee556d3a0b38c92d79e8eae44f00150215b322ca055c33a706020450172431

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
799KB

MD5
89bf1e722ddb311f6818fa4eb0796fad

SHA1
cd8ac45a5e25dce36775de4ecc49bcd37492f874

SHA256
fdcded6a9a95bda8324721b5a891676d27caea820364403f72c91354afa6415f

SHA512
b7a233bb09e8acac4b2bab664d0c5291bf2ae90c745f76a0b1091504343b0fad07527c73d5929be6a3feb32379814393ca666d611695a56f148c912ea6558ab7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
794KB

MD5
9a86c1201fc59d2e496fe7e827eab3a1

SHA1
8d4b1e0309de04daf4febca32e10f8ea557fc72b

SHA256
e0ace7dc860722c942816c16ef42cb945bff615bd907e764e54329aec31e0d84

SHA512
666d5e32dc85b66610bc886aee6a798cdd39143b8d5fd881ec345d1e56aaa170d46cd75356eb6e2bb2e56b2ddd611dc4fcc94d24934443d52d7482fe497605ae

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
190KB

MD5
d33db904ba01f448b343c779e60f8c79

SHA1
08902e823b05619d7bf689fe1ed01ac8c4e13a7d

SHA256
278b613e6bec3a516879d585de26a96d6bf85705dc7ff70cd5859fb2707a321b

SHA512
793e77dffb778aff609a0b403f0676d422463baf435194c8e1121e53a3bae72f420a0ef4e5a835b1dc6920dba9f7f751a3a056ad687f8077293f0e41ee008e79

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
829KB

MD5
ee44733cc76328857cd25c19acae38f7

SHA1
11362240bb39450062e187f94b80a808beb35a77

SHA256
94bb3d4e8faeb4569c6800f2ea558cc6b839b52faef62ea6a4861cc4d536bc16

SHA512
145772aa45690f06f08f4d0ae49521bb1eb3742527110c2baac1c3482398c740f2b5f82f810f7f19a82358f94ec5c4990c5709d128be970cfd6604be21330780

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
157KB

MD5
62b79acd4af240dd179ddc985cb99ecc

SHA1
60d6e36485f29b3c9854f062da6783fa27613ef4

SHA256
55697f750f59f58b293d9f2682eea6e84336dde5456f57837df14fecf52546d9

SHA512
96c0215cc7c6a69df1bf56725d4da322d2601d26e01b2b922c9670b9bef830204103539c265609dc5fa8240c227251815175ad790da90edbde09bd40ab4e448a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
197KB

MD5
969588e52e969673ef539f5ab87dfc05

SHA1
dc4b542af763ee36560a5292f07fca60eda2d3e2

SHA256
1f5ddc9b5d1ae848715706f34436360e2d1ddb31e484933f4fd0fd249ce8d203

SHA512
b47e770fdae76e773158fbfb015b89a72e35186e26e3abae8ec3e455f4695740d6315f1b0ee71adb284bad75825271996c87af30da56f72f0498a34162dc017a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
424KB

MD5
82f6d8c5ca56032dfcbc7fc26e78558a

SHA1
354c56ae1abf6ff8481b811076675bd3b0dffa55

SHA256
4fad5640482a0d0a1e020771fd26c89ae2a5b93a740d080444a2b61e371bc314

SHA512
d11d768d868ed3f124e270ddcbacc5a0f718ffc26a17bd3846a3b1842e80cb17d7d00a5fe584f397e1f17351ef65d757da8304f63632e21384ad7607723bc05e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
258KB

MD5
70f7cde05ca348a59965a681dfdb1dc8

SHA1
8d6a5ebe5b8d7aacc72323e112c5b7cdd72408e7

SHA256
aea5f01c8687a25e9ef3df2877f1df7e3fbd664a33fa6cad0c72834a13672180

SHA512
cde46e46d749e647e592ba4d6aef0d149b5b62f0d5f308a95326419d7c99b3337f6dd11b0b426001c582707c4446c2710e9418708b239e361c55c973ebf4859a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
56KB

MD5
c0112f053a96e7bd2cac76364fdc1575

SHA1
a982b514afd7a825736d0883c8923c455cb8b49a

SHA256
841d055f56237ca2f29810d7f776a1fb620ede5889cdd9b06735fe9c200ea0e8

SHA512
edbd4ecc1d0a0b47873ef24b99276aa0386f587a722da888316f0bad7176b78b14ce149c370d712dcea4f4cf8f7fb55a5dd740fc518d81c76018f98e4f8ee2d9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
53KB

MD5
d4d75551b748c0bc205ba016aae947ed

SHA1
b559080e97a92c3023de7badfbc41123a1e564bf

SHA256
3a7be7ca0695b4d56467d77322cdc9ffc964a1083c0d6f28067e35add006bc03

SHA512
7f9a84ccd501c69127993de6241ce5e863bbe91b5b3c4d36c42ff31a338c2e49ca10eec6456e3e9efffec9a3c8004fedd1d0eee45ad231efa0173c8b61fc93a7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
229KB

MD5
5b425b1e5da0381196906c5dae5e4ee3

SHA1
4a1f165a20473ab23cdb0c1dc9d8a07af869e3a9

SHA256
d1330346b54c9b13a7d62b3b6d667b5964f2491cc77f8d66a14fc245152445ff

SHA512
745878841f7a0a2f36eead1c0027bc5fee8196d83a818f6caebbb7c8b122863b0fb1ce650237e9ff6fe1f98e71101768314b591cf1ddee00a5004e06d868551d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
46KB

MD5
e797ff877af6eff057571b1e6e19dc8b

SHA1
5126e616b9c01e4698a37ba57e0cb7f1c74cdddd

SHA256
5ccdbf82e8982be9a97f226de275552bdcac5314151c60cf4a0a4dddf91a8f08

SHA512
ad09a05e6569f5e7870e6d13a62861f5419adf53ff053b32586dd19f206e69e356fa8f9496cf822dfaf90ac5c8287395f1d2fd143dca7ce13154c05154e8810e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
257KB

MD5
7471dcd42bb5ddbcf5fb0c462917a585

SHA1
48f99180bac3a4371831da61f65027b1e3501265

SHA256
b3144680b9bbd833b7b17085d6560430a6ada37253e0246a3b568d9d1735c00c

SHA512
3f753a051e486bc66b65d70f97186a96afbc5b1524ccdd040076b616b87a0f3a9892be9abc0bd0014ddec33dc4da8996c8464870ad7f287fced2572412cf4ebc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.6MB

MD5
bf1c60d5a6d5188a20305615ddc8e4d0

SHA1
0055c16a3ccb2d2b1dca562dd00ebdabf7530ee1

SHA256
555889eb44932e72ee811a79c21f4020adafea5878603933b41e93da0f748439

SHA512
e4d6fdbf939e6879a55054b3b03a0263f41e1a755ecc970cb053b38fd3330e607d7e1b5872cb255fb190688c976105b3876a345ac2b8626bd47b94cfcb49d44d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
82KB

MD5
a78acc8d09dd119dc032d8dcf9bd3db3

SHA1
c34cb95d80d20cfb238f9c785119c32fa929dde2

SHA256
5222c7362384994fd84decf9042e132b862f5ed9958f29553709b57156f22368

SHA512
e3c6dbca7997ad6ce20bde6b4bc7698b26a41efd09867eb614aa0844b2f4b6a5519f65749b4e0fd02b27aca2ea8ecf543e2a20fb171cb27ca9a1faa90dd55844

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
177KB

MD5
1d32f6bb0f9280707b27af76e7bf4999

SHA1
99328233bf6542710782f14b7b110c38c2d2edbc

SHA256
9238946672cab4ff635aaf389ed5415af674a5b42b0bbc59751310103f2c1a29

SHA512
9c1d0c1e2f02da06381fc8661629d083c600bd1c25bf6284127a424e7d388618a161877217a0538ac49f9dafb9e9cf35ff45db64b71ec1f8cc8dc89687ff8800

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
96KB

MD5
4196da613dfa7aba3feafd2cd0affbed

SHA1
d91e146af283f9d66eae2f90d4683ae8a065d71e

SHA256
be2a4071e65e1bbaf60c2076aafd2993ef179f8618d3f6da4c1b21addd0e4161

SHA512
7f803fe9725fdead8c6018fe113dd197c8758bce42f75ae1fd0e852f8a41d9c47ca23e275cef4d598a12bda1a3356ff2ab53095ba356402d458733078c63beab

Download Submit
C:\Windows\System32\alg.exe

Filesize
235KB

MD5
8dc551f7ff578e193f7d1018f3b0ab0d

SHA1
5c871a686fc1c034b84e75a66f3b6f0b745b6cae

SHA256
6a8f75ae745d73169f879d226b02d5e821a9a331c9fc775b139903a5ebf781ec

SHA512
5e9790e0b7053badfa62f6d9db14a00c2d42e3f0048ecf1ea2c2629bc9fb00818b9112e8b0aa6490861d5064c4d99cddcd72432baaf68109f71b80b0eed3123b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
129KB

MD5
57f0a95ac0a8aa3e7b8676e6fb05007a

SHA1
697a8fc1132e389981d0df406cc1bd4a7c3a8922

SHA256
61dded23f3b5c899acba3120f263224d8b593fdee16f503ea4de19ae36471a5c

SHA512
9ab77b44229f1c6e7284abdc94785457d0c081ac046d2e12f74caf4cfad4d2cab2a797ecabee71c7ebac979971cfdc21d4cbf03e2acaf46f5c549d6ec2ef491f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
113KB

MD5
cc8cbad17a31afc5555b41b21fd1e037

SHA1
6481b46724d4f72c65a7199312af5d32e0977593

SHA256
2c32f4b96ae4f8b135c0729679f413b84a8bcb7be6ec57f9034c3e0730a0068d

SHA512
ee7f387b293ea8d9b5dd146d36913e35baaf5814b79b3a8f36ab39924d52b7724c82b9f49b935a410c9c0205a93cea2bf4db1b8aee3b0e04fa6f4039915cbf42

Download Submit
C:\Windows\System32\vds.exe

Filesize
41KB

MD5
358b4bf51038bc679b8bbe14f89b0d6e

SHA1
dbbcb29e916f0bcfbbada603dd608130d1d93501

SHA256
be0ede10a671864a03a688b09467055a967ab046df93be9ea08563f3861be171

SHA512
945e445e1b07131e0ae597c653f473bfa5d71595a8b4833a108dadded7106e9feae11224f57bcf4b61ce5e2fc80a749775a7f59e442ccfc19ca6444e8072c9e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
57KB

MD5
33e79ccde5776a6b97accb5b8b7b2fcb

SHA1
8dea572f4f5548e8e4c4a0239622efbc99473a94

SHA256
396ba9c6385c194a1ae24bf77e90fb78663c817a8fa5359dd14f0f71ce3515df

SHA512
ecc13c7eaed104e3f6b9f3fbaa72c98fd2c242b0f824f02251f89c5d725c769ac197232ca4c28930fc523e89f43f98b15f9b3e0ec94018ccc5628fb12315ddd5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
243KB

MD5
b7992689998bcadb1b1f39828916f162

SHA1
f559870d07ce0f2f2c14d2e2cd0a26517b0f63c3

SHA256
36e97262c7f39fece54dff4bc58f50f9651a4439f8f495c5c9691c002781fe22

SHA512
0afc45b3a46ce376fab471351b59e00b74bd3a8460d8fc0603cc97e7402eeaa274aa2b521826694a88fd1212154f1d3bd553eca2f52c71f0be6272553e47a50f

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
119KB

MD5
98812b0e43c265412c3a9eddb366a742

SHA1
8ed74e534a1dd5a7bb9c10acd7533b2e9bc8e733

SHA256
48ae18628333450e9de7846bc8c53e7bf1f478b5f33ed333fdc4a216fb44cfd8

SHA512
4c5535c4210d92fd1b5e322a3b4177fab9178c2cca8c44769dcbd0c68642363e77cd754814aafe3d5b2b4958a60b8dcd0069b507d92f6a04f9564304c350a462

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
143KB

MD5
5486258132c38f5038f6d52aa3428f62

SHA1
588821d7f949ab710f01cb2fce70883b79ec6e68

SHA256
5b8cac2faddc5d20ab2879cb7e9ad1f90eebfc045faedd5a6a613a17d9996c1e

SHA512
f84627a1b877705cec593fdf5135b8f653c845327bd32adb3dc20d31f32953f5d4f862539cd0eb87c73c9daa7bd3cceb8ae02dd4883c2bbe29f00b006ffecea9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
87KB

MD5
57eeabdbe531a50729c5fd0fd27ef8d2

SHA1
070c6aba53ef6da9762ed053239ffef546d58305

SHA256
eb58c11d8c73603386f6c6bc67e527213646a43834e23c47f0fa933496aac0f1

SHA512
008ec17e46965ea9edfa23cd8f1d048fe9487b87228cd580844d8925e22ffb91f1dd1c0d36033381dfb6567ef1ba8d4eecad76e7cfad8ed4c4cf9ab1f4c02b12

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
121KB

MD5
c055db0fd9740146ba4af96a3136a0c8

SHA1
90b11015d8aedf268b21b66ccc6b3cd71d714932

SHA256
098e4721430a70ad748c3078958017dd69af85f1714501398b837a41ea96c3b9

SHA512
24aa8134d4468da41632e4a074fb55d22412809855bbf247295b8b014df18f273aab198608440360d80cdb00ee0531eeacdd1f0a1ab3b6d8302bdbbb25577a68

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
148KB

MD5
74c0b140284fbf596846878d88b08f01

SHA1
947288f1812c602c95b33326593248ad84a137fd

SHA256
4ecf0a9dbe2f34e593e71befc370bbd8b5d157ee04657d6d39abece52ac7817b

SHA512
06ddc1399739968d4a9539e6c6395fcb074edc9c6c44ff6a69011c637f5b38491693448fba34314ed2af2f05a25a922fe1b76ff0bfba2133276d8f3e33d5a3b0

Download Submit
C:\odt\office2016setup.exe

Filesize
104KB

MD5
920f1d6ef126550858fd276623f20ac7

SHA1
4f121678cbdad74f45f75382df7ac3bb629082b2

SHA256
958cb2f4ebf681d823e1fa21d4bfed9c9f2cd102eedd4e03eeb64cad9bb34501

SHA512
7d60342b25608946b564ca8e35c72a7ee42ea71d55b2c01df7b1ef285012a59a0e843bfb1cf26058b434acf7c87bc490ba3bd7d68a1a6b7ffd27d029530ca345

Download Submit
memory/368-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/368-319-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/368-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/632-249-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/632-242-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/632-310-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/748-131-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/748-1-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/748-6-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/748-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/748-481-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1432-111-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1432-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1432-103-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1432-122-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1432-119-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1464-191-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1464-197-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1464-252-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1484-262-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1484-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1484-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1932-153-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1932-144-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1932-157-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1932-150-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1932-143-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2216-332-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2216-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2472-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2472-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2472-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2472-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-99-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2480-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2480-93-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2480-159-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2624-350-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2624-358-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/2748-302-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2748-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2748-309-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2748-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2916-116-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2916-115-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2916-126-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3184-161-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3184-229-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3184-169-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3404-346-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3404-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3640-288-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3640-349-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3640-281-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4444-372-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4444-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4468-213-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4468-280-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4468-222-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4512-266-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4512-210-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/4512-203-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4752-177-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4752-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4752-184-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4916-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-235-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4916-232-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-335-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4948-269-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4948-274-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4948-345-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5000-142-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5000-86-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5000-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5000-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download