f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
Size

1.8MB
MD5

e3d2042a91bbd86b9168a579d4fbe600
SHA1

1489590e87783e820cfcbb2aead2bbddcf4720ba
SHA256

f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475
SHA512

27da3a84ed5895ef4ce3fad391cd9b0e6d65102cdec9ddad5abf310b8d4ed5025ab2adbb825b030a59ae0d4829518eec439a727bbba2f9ee8dda999db321568f
SSDEEP

49152:8KJ0WR7AFPyyiSruXKpk3WFDL9zxnSSkQ/qoLEw:8KlBAFPydSS6W6X9lnLqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4224	alg.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
4640	fxssvc.exe
4952	elevation_service.exe
1128	elevation_service.exe
6052	maintenanceservice.exe
6024	msdtc.exe
4508	OSE.EXE
4476	PerceptionSimulationService.exe
4396	perfhost.exe
2780	locator.exe
5692	SensorDataService.exe
1744	snmptrap.exe
4784	spectrum.exe
1448	ssh-agent.exe
4080	TieringEngineService.exe
2988	AgentService.exe
3552	vds.exe
3616	vssvc.exe
960	wbengine.exe
1184	WmiApSrv.exe
5044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b2adda7c822cf6b9.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\alg.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\System32\vds.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_ar.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_ur.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_zh-CN.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_iw.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_fa.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT325B.tmp	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_no.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_sw.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_ta.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_pt-BR.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_ro.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_sk.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM325A.tmp\goopdateres_sr.dll	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cb3b05e0a6fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000d0ea5d0a6fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011a27e5e0a6fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c1b375e0a6fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c1b375e0a6fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d2aa75e0a6fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000826fc95d0a6fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f256325e0a6fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe
2940	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5152	f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
Token: SeAuditPrivilege	4640	fxssvc.exe
Token: SeRestorePrivilege	4080	TieringEngineService.exe
Token: SeManageVolumePrivilege	4080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2988	AgentService.exe
Token: SeBackupPrivilege	3616	vssvc.exe
Token: SeRestorePrivilege	3616	vssvc.exe
Token: SeAuditPrivilege	3616	vssvc.exe
Token: SeBackupPrivilege	960	wbengine.exe
Token: SeRestorePrivilege	960	wbengine.exe
Token: SeSecurityPrivilege	960	wbengine.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	2940	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4816	5044	SearchIndexer.exe	116
PID 5044 wrote to memory of 4816	5044	SearchIndexer.exe	116
PID 5044 wrote to memory of 5556	5044	SearchIndexer.exe	117
PID 5044 wrote to memory of 5556	5044	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe
"C:\Users\Admin\AppData\Local\Temp\f0319fb7bfcfb72ca03a270541cf88214dd4274c5949b366801251420697b475.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:6052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:6024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4784

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
486KB

MD5
b5dc8a130e0f161604dfdd693dfc2346

SHA1
25709dc81ddc240a8cf3b9c7f9880e9893d217ee

SHA256
5da6509a6ae609c49b239d09c8c728ffa78fee6b3a247a5d3c62ac0fc9fe4c0f

SHA512
009b716267bceca9068466c91da792b9388e3dee9256e20a642e2343edf6187776c3ce8bf11444da8ae7b030c8317972c4247d031d32916fb5173c12c94359bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
764KB

MD5
d027d01e9aa45ca26f965a3081f0aa1a

SHA1
9869917521a4c353e90e219002a949320d7804fc

SHA256
02175e993ee67f145d87abd2cfde2bbb6f3f0d8dc342188a2c4b1cc3c9c830e7

SHA512
2d9405cfa0a943ec1035aa74d2121048ea897a7db8056d98729d058ca7522ce414db651c78eaf87c861ebc3d78f4ab3d6001c86304e030c7a36d14d38f0d5d28

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
547KB

MD5
ba0737570f2a184ad9e97013650c07e6

SHA1
02f5119b88f5a62dea65b65dc14a401fa96fb09f

SHA256
d25d04d13e9d08e5f198d95370eba51ab502a2c294d95593d982813fed32e51b

SHA512
28027e92a2f463246f526f8e914eb85db65468e2212466621a2b85dc73f17eb076f71b293f2987a01a45a8084576f6d4e1c7a2847e1b4bc9d120b6e55ef7cee1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
545KB

MD5
426f38685875571063ad347d7c3f8853

SHA1
406e6607f3bfeb64daaf913f1495a5d9923341f8

SHA256
e2a10a435f6374ef852b60f20e9fe73b61e71d9f1ebd4964b6a846c36de7e303

SHA512
94dcd026e93289836facc870ff94815e65cedf0c3b11c23b71a13d1b96a3b74e015b362a9fd09fb1a2c0c7e669906f560ac965edfb569da2bb17727902040845

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
327KB

MD5
9176c81cfdb736c8e384d2a44fe5806b

SHA1
4b61e5287383ff87d5764a863cdfe78b13ff7699

SHA256
ecec99d2c66b34b922ce153ba76c6fc8e777b2efe9e68b091c09c6a265a54181

SHA512
cf0295afddcaaa48cabed726da0fbc48eec3fbf512fd02b638f6bb77e7f31acdf4c0d7fbb4f955c21aa750188d0327baa198a2e3246590c8f8e9fc6ddbf120dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
673KB

MD5
9a31fe937e9055a67f96775248bbe291

SHA1
8561885153370a6f3defae65187efce0f4579e7f

SHA256
b14d6e97d8718310989f4051b30807b7a95bb6edefb1040055ecb189fdf620ba

SHA512
8dac66349a3544a3847539860eb42a21cf255cd6fbe8ce032332b60bfa882cf22ee2fafa3ba127a3a0e138d117d735e461512134d68f10cdd0b48a92a07dcc41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
459KB

MD5
cf94301a54ac34d9e378ec357ec41be0

SHA1
fba01e86e54921fd172030e12a42fa24d7b5f6e9

SHA256
595e98c37aae0ca9f2dc3c8c44c1c05744776c6696e734f66c9a5a465e74d1c4

SHA512
03cb0740b606c3e39630ed6d19100b8c325da07b4c2a3a09050cb512f50355e869fc0074b72122801f1db8b052e931bd3df5d9a4a9bd34f49a4f090cbb4f7913

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
452KB

MD5
ad941293d1831efae659681025051958

SHA1
f4dd786df582a9e3f6c61580526f05832ae32e7e

SHA256
64e9aa1361f319e516edfcf53467f05974351e7f142afa9825f22db78458777d

SHA512
750caf768ff334459614ba9658611e4386948ddcd47b103073a3ffd0af542da4ec7dc5f83b1c0375a7cde3a03402638f1c14f6a8a1049c38604da7e02c5544c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
498KB

MD5
6ee802b8d62d060e42b315558b226c34

SHA1
9f14533540b207ae33a38c9322f18b0e6ce60cbd

SHA256
0bde0697edf1dc076446803e06c35bc68bc3ac2e7064021e95a1a98c6865ec3c

SHA512
9ec5f75b104afa36f2f2b3efbc760deb62f19c853d8c068a3c97b83905ac8e4dfa9942f737a158c37c9dbdf16f6524cd497a441dbbdafb465e1a4f8a6d4cea02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
412KB

MD5
5618d293867dba6a5bc6783fc1e4fc2b

SHA1
411ad358120fd896dfe9d7b022efb9799dea20eb

SHA256
f4d3b71a47d577615b20bc6b9d81291f80bae4f028f06c5bf62c3e3795573785

SHA512
9a074485076d478ad10a4ccd0aafe034a91236670d634589e741a049c710b4ba082cd030735f28f2ef116a56c7b92a0048f9ffa492646812b077774aa27811d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
733KB

MD5
6a4638b3bfed5d4f8b21fe77d1a51beb

SHA1
41c59a7db5c371d07f574340ca16495ee0de3464

SHA256
9375b88b0d904526180683019a14e99db1720b24fdd3d9717f42989eddd02283

SHA512
2952a0a90af766b7acb479a435601623cd005b1c26b8544f9146a5e329eaf1278b78e8a73df06ea3453a7024593beedc6af59d4455324a7392233a3f9fe84692

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
431KB

MD5
6f58c8657b8dd62c2a76a80c4ee552e2

SHA1
cda61fe8603f07d7cc2ee958e2079c97ca86b5b4

SHA256
e5aecad420762df8af35fe58a1adac0d11836984bfb174a907c6181423d0a761

SHA512
3f8cb8c276db4eae9e9ea08b2f449f75ad674208b3debf878cc92b797ef3572168105aee98c7e98a687c6747ed1d254eaa87a79bd8f033325a12b5220235af76

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
334KB

MD5
fb2283e5b10a46463ce9f3ad985d266d

SHA1
4e1e71efd255c938577ea0f7b198b0402acf0956

SHA256
a793ec24192f24da7a5d9ffb042570b6437d44564e71947b6daff800cbb09e46

SHA512
e8e3968b909dbaa616e622f1a0b0e0f767fda1a02300b3f0357481c6ba9e9edf5ee0f4336b11b5c56d5d6bd86e5f80ca9814a8583259c96272a58bcd0dce958f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
271KB

MD5
f754ace77421f19ce63b3937da47bb9e

SHA1
da46039fb14d45deca5129756fd564b80786402a

SHA256
deefd84e45a2350f5b0d16506ebf58cd3da39c0b2023f0c17ed88b9428f3fd1f

SHA512
e11006e9e0531234ad710f3ed697180fab24c4becc2af69268ed6ed4d9d556910da093f16de536964e9ca6f7c39f82907a658e426329eca153acde702c3f79e1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
357KB

MD5
39922ced6df6e62f9f46dff7daef8726

SHA1
6833c843170efc9f21333f15f73b5cd545762490

SHA256
0bb00a54f717576248087e7eb5fee2ac1e67cd52d454292694d37857177b8c91

SHA512
8e9fa89bb90ff546f089df403e787c25d74dc20d22b5044f6926da086033bd2aa891aa6103fc95f2d4707c11134bab1492e2e82499637a52c98efa40d234922e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
267KB

MD5
60a524b89f7f287aef85f491067bbfe2

SHA1
45a19071b355950339a6125693ff44d1cf4f0ac6

SHA256
4497e9dbd0411f839a93bc11139e11df1b35fb73ac136a391302de93772886c8

SHA512
b4b4d269d0299935c3ad95082707ae08637d78dd93ccaaf6587e8028f4c0d6781a374d29214a0d77d22cbbe70d267e504cc3699e8037469f5504c3f7a3994470

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
373KB

MD5
c80298edc0ac23b52ea8ddc4751fadd3

SHA1
8576f5a5504a00424a7bdeea001ce89f8a196a81

SHA256
d87e0bf43bea036d711c310da331e01aa3d244df6bf3f10967fc25ca126ad320

SHA512
19b8970310db8e56d3df53c34a5368634523d4be23d3ef006860b5dfa85dc642db2351102192cd1d19c3d859289d3d840f9970928ac2d420580c68a9188dfa64

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
51KB

MD5
fba5c7b7b68561fc08bb2fbbe6af4403

SHA1
adcc4af80c35554c85d124b010067dc5fcd36fe1

SHA256
29c9e0940e3d4210f5a31ad56ed12c7fb5f746aab742a04720e6315cb4ebef47

SHA512
2bbb98705654623d7272b6aa9807d1d40ed2cdb3e178fdf8a09eb4bdf681526941fe87ff4e92d40a66aeb07ec8ae289a57f7ae31108fecddf6c90875fda23ddd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
425KB

MD5
6013952a96ea9094efed56ec3f55209d

SHA1
4bd41bf1ca9ed86707f6631d5fd18f4332172194

SHA256
e5a72625a02e03e89bf7c0503b1839ea6c561680813d225a461af6131496bb3d

SHA512
a4d03ff41796f25aadc527f4653ac7c8e12dccfd49d4f9f5ca99160f58ba9ebae9f2c8583c2e1902b80c618e1fea027ba0b15aeaf927e65439675e6ae310e1a1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
436KB

MD5
b7312c735970aba378244ec33d629778

SHA1
8804bcd3385c0ec317343e57d8c2013379a5d148

SHA256
a0359f93f09fe4db20cc356a81bd1bad0664e26279ff0abdfb8adbb5f6d8b7ed

SHA512
f23c46e205e18ff7721ef9672fc657b62cb8882bbcd0f98ef2c25ce75381851089773042e967f1c001672b81fd6170618e5c2633bd3bf983ae39b07b457b4e55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
317KB

MD5
299e0f0b48674172ca71643463df8821

SHA1
14721fea7bd60a928c91782135f5dc60684991c5

SHA256
6d42618e00f509940f519d2f6313597d642584cc452872af2fb7d4a530d9f75e

SHA512
53afd6b8288d1747bf1a9f3c03fe6b39006726602650c859ec3f5268f62724391bb6f5c84d2e1da5a37e2a4e7c186d6cb6673d3ca38992baa8216c475bc4c7a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
152KB

MD5
278e6311da18eac0649ca29f89e7610e

SHA1
e32af2fcec869cc6be7d661fb9a540456f46c15f

SHA256
fd9205dd151743437d9655748165478fcdfb6339b4428b3c94c5192cc3635f94

SHA512
a6121e4541299d72e573f4a5bcb204e36de5462cab3f6b0d8916003584112ad80a3b72a22954c910c0828369bd2fba950563eeee7353a0388cce3017b31eb805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
316KB

MD5
7f7e931dcc0bf94e24aa373c3e9a4986

SHA1
31df5a886ddb36775cabc8d01b8eeaa4ddf38025

SHA256
db7c901e3f34e0362bc940d8698eb4af55035e0b6e3f09aef89efbd31bb73e95

SHA512
dda0caeb2e6c50584afe70162a7d3225c1dd49c5e140c6a21be3a38721a83629b278f758b50ec7f94a1a8d89ddbc7d3c4a5005dfa70dac3d2090a37b85e6f1eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
329KB

MD5
d8d288bb7a9e7b5a6b1070f9a089381d

SHA1
dadacd0f41b7070a8a3308b3762cb7f9cc998988

SHA256
efea22eabaf353779223f818ddf5856d9fc12485d38d6a24aed3f3821364934d

SHA512
fce32f0b090fbd36037b293dd5001f00dbc977d1d5e1ce0ac6e6442c6dae663eb531d124f2cf1b587d75a1fc9130a4ad4f815bf1118a6a9dd8cf6c7fa8191030

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
298KB

MD5
74c2a0bb96fd20f8f1a6adbdb9279d98

SHA1
f333aa88f99807f20ca0227ff1cee9b1e66daad0

SHA256
f0eb247067a8580124af6a11e89128b5c90bd30112822a7ef63f56aa378a01fa

SHA512
f95a58fb3070faf80674c9d87e482d9885e75745ccb4de7171fca95ad44b49c3689e861e5aa9dc451c4253f7403816a7ae6a95e6bc0139f98d84ecde4c624aa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
213KB

MD5
9c55b344464be411174d6860ef36587d

SHA1
a3ff599dd9073b74817751e9650cafac4dafcd31

SHA256
a03a23d101691e3ec4d0601a3356b6216dbcba80a4a57b95b4eb5fa68ec3ef83

SHA512
83b147cb9fbc1aeb4a713ea0bb0fb2ae1ab64a5fe34899cd970b8e4a38c565853bb1e0f033c53fcaa800167176e95fede62c6a340ecf438c7341fb3618ce6085

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
187KB

MD5
e7b5961e616bc8bc08e4a473b8c05456

SHA1
810fc19de4d6e8e2d0621df047f2e2718cb3e41b

SHA256
01acfcc4f38b726aaef28e4f0bdab324dd837cdca84e6566b928bcd070e2f20e

SHA512
a82826f5d60fb4fd36fc5be870165d499ca2040abe61ae9db639715e3bfbd444b16670eaf7877d26f5693766400ef5daaef0b7878993245c6729d2d67169e180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
206KB

MD5
8cc6e1ff3482a23f8e596644d1570612

SHA1
b9f10a12ddf5e56dd3209cd039bc36f303f463f2

SHA256
e6e48666d73c4aa3ce14319d41832b35995b0f40c03c984b91fa4d8339b8ecc0

SHA512
a5bda6f4ec5065df407e5ca9cf804211236a0221d4bb34b6cf8fa8f850f8a7267502432f7f0ba2f3c9dd6cb56dfd6e4bab68109615c6924d221009535ba530f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
145KB

MD5
5efef997779e5234ac4481803cb98267

SHA1
2bc2f6375597af2b7d7e0029f9950e2d5e8c6b1b

SHA256
94d138d04ff0f7ad376254b3d3b2863c4595883ff2c4ae68f218263da18b3aea

SHA512
9cfffa6fbb5ac909f21ec6508007527d638a922a5ca92766ab5f6676706ef1de18bd433a306cd5ac770a37c37766ab93edb3872bf253e95796baaa22f30595c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
215KB

MD5
00ddfd4c367c5c9435cec54b48d45e43

SHA1
3dd5e408ca05b0c817eeccb7cb1e3d47f3e7497c

SHA256
62712db0b2fe0e19d66c724f69cec4d901048991293001491501bbeb75d34e41

SHA512
9cf676dfd4cce7afd696860e18d152f6f0949517d23696301fc047630b6b09f30f1664aacecd2d4b9c125b4377fb2a1d84b5f50671f8a1ac24cf3189dfb1ba39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
345KB

MD5
415e5a0163dee9730600c4009fd980e0

SHA1
ad6775e84f5d4378f6249ba53700cff41d578eda

SHA256
c2e8a0952457eed9544f16ce8248069b6d9cfc828f6dbfd6a621e75881511b32

SHA512
b91c79c392304686d88aa8de93b6aec9390200e5ae0662437fddca6e0c13c665d276af3ab6bbd3a58a23df7b42310fc5878b85909826324e3e9ea3da4bddc3a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
179KB

MD5
b391eb0394e0413ce53c196d32cecb19

SHA1
aa0449d6fb22f73a991244c813729d7001e4bdbd

SHA256
ba79cbde15503748bcfca07970a5472bfb33032d2bd8028e1dbb6b216a1bd8c4

SHA512
621d29e28cc771584023b3852762fe7093b48d0037777b5419d000a68a0d3551114e842ee4a0e329b6bc0713f1d1b0e3cddc0f8693dc1c519fe6a6d859407fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
331KB

MD5
514003f6203445e24d8a8fe2a20f206e

SHA1
1927d82d780bdf1b8699f84c8dc9ba7810350ac5

SHA256
926007fdc3d5c1487647902f07967e55c375091fec335bd0e2ec52601f93cf16

SHA512
7c3ca97ddd2b58444f694f9dddbcbe5e5cea317c8917826c8c2cf037a21e603d68ace48dda6c3f5a3a5b4d68fe35c80ed778a37c85b3f49623ce28b0ca96afdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
445KB

MD5
571a2286a8dc545aeb58d08b51b94615

SHA1
d338b76d37409ffb6e9252a7ca3477baa5b4a949

SHA256
6ca0f92997acbad64b446c64cd755d4bd360467fc694fe5ccf5ca967dbb28860

SHA512
cf9fb8bc6311fa32a01d812b444dc1a3c8833553c2f6f7d4fd16496b0f37caddfba32f7e86a681e896f05ee8965cb72cf1dda9c6f94cdc749869311a2c80e992

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
270KB

MD5
3823c71e1a9bce4b286e7a4bb282901d

SHA1
297cce5258f707126bafdead9cf6282babd2690b

SHA256
561d50a46ba2cd6745318120d4328b8d1d3e1e60c0e8569d23564f3cbd991a9d

SHA512
422cd611b70b445beb667426d0dcd11b17fa69167f737078e001e9da4af8aefb887ee2228539baf940068ef9ea3be9ae165467134e2e7808866da05ede1e4051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
466KB

MD5
9902c71cd35d64f565e8a5a178082a88

SHA1
0dc1919ac12e59cda779ed9cf31fec4d757df076

SHA256
9adc19236e53a96177fb52c6d8e13948f0130071d36802922b57f18645ca762e

SHA512
360ef87abb4779d0974ea69cfe23d0c4da9e8ee677b48264f77aa227ca3e404b684cc1cabb79d8a9802e4d22106e51d43ee1c103ef7236aaef75747a1d804f44

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
490KB

MD5
0321484f3f71c4f86f2cdaf4f3b7aeea

SHA1
cec107bc4b1a97c7dd5a49ee9df142a7189419c1

SHA256
f0b7d17f102cbb746e7811362c74daa11db49777db869e9835d8495bdeb9c877

SHA512
eee28cb8382601800dd47be2cf53b3de6c7f584f594c2a4c4859f45291c827b385e7794472310430cf365c1497817a24d0a0b9b188aa17a3d092203109d44fc0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
487KB

MD5
6a0512704e34c08a44d9a709167e47a2

SHA1
88d05fc6fccd836f88462997abc30be6d6a09865

SHA256
95aff9c03b12f9caad6a582f1cd9d999c7296061f67ec304c33c5b40a48f217f

SHA512
ae51bbf03e69a8635cd3d17efe80fa7ad72bfddb39bc4a55a87161bf3adee0dbb09f644b84dc8501d9ea971008a8598b113b060d40c1cc96ea33d38569d7ee49

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
223KB

MD5
cbd9fea8af5e1b12156446f897c53480

SHA1
30aec1e0b6dc0a986a04cb03594f8d59bc3127d9

SHA256
77f4639beddcd6f3772e695805a0f943b70fcbae29eca5e2d1035212d028d8d9

SHA512
ff61c581488b4df4b80025bb323e2da1aecdb141625e0cb540eaaf510fe3de0b5d629f0736a3b66fe4136f563f9306397858b64c2d7cfd0a8d87ca22210d90a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
340KB

MD5
1c547f2e2c59b4635601d02c8d1d737b

SHA1
d4744a654560c4a5662f3d788293eea814515054

SHA256
4d88fff0a9c1f3c3f3a6cf9625dc142eba7c6eb03216637e46d3eff3ae8fc2bc

SHA512
57166194bfd5a9bee30498bca1e219f13502ad82ad14f5b239091c01ffcad37512bced6d91b33906b4c9d4f770cde12a1856e7bf83179e87b06723d8e00f914e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
420KB

MD5
2486283465a77c3260553171ada51196

SHA1
a3d95a12bb854cfc57881cb02eced8ea2b7bb450

SHA256
0a4a10201a45993694f53f23697312024c3c5eb03cc8f367fccd10b0040b933f

SHA512
5e04d1bdd5cd743fb3da08e5d1158f8f603d7bb1bda5a9ea995cb0da3698b644f14d57758c0031d1747fe73bc1b7873154984602d4e624da81f5c38f4db7f803

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
242KB

MD5
bfd580e5bc259575b22b2a7a676ea10d

SHA1
bbaffb4146571059bd49c036b5536ac35de7cc4f

SHA256
a7cbbe60332c7512a0a82f9a8e461f2ead69674be0cdc0a04b520c4e7e0adc2f

SHA512
036a9c000e42e850ec830c32956c9c68ed3e91a25d55bb855bdb765e193c52d3a347a61a3e08bd949c02192e2021d6fd2eee17fb94d2a9a9c836f4d9dd91b2b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
199KB

MD5
31de8e9f620b106e2c2c4031f404e9bb

SHA1
cb916f06452cee257d5fb6e3da360266438d1dd9

SHA256
133ab5682c018a39d44be4cf8638df2471a38b841a042d36eb6cf9829e546743

SHA512
8107c373dca5507069ea03246af0177847a2d2415bab4ac5684109ff60c42dbaf42719f4375e90651852966a3fa0bf33097aa68f783411e30fda8c913d8dc714

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
653KB

MD5
09609919b530891a77d907eece83a51f

SHA1
03c0d362adb32a79c0987e947c2e216c56226ec4

SHA256
9bbe5855a52780277faa4fd5e03963f6055d8990546a69d5e9b4f83e80503cfa

SHA512
8fbd0ba9ba31823ca91dae14363740ffb9b16a279b0a96ef5ec1f25b9a153fb63e1d1591d2df5cb8d0c0925247e6e42632abbce2a539309869091c4dd95fc51c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
493KB

MD5
4ef6e379141da9b8dbe7647c28b2e89a

SHA1
5a38918a8142d0b481dcc16cdd7bdb544e53e7cc

SHA256
0cc20159890da8a9c3753beb7e7a1d8c02f7f8cf756915b81663b1b93cd18f17

SHA512
ff316b91c7dcd93e0df37dca7ce0ee51b66734e062b06ee456ba9774ae2fac258e5e492f39275fa3e76f551979539098092510d955addf6383901f6cbb7ce120

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
401KB

MD5
9390441a4f41373e7347a34b9bd48bce

SHA1
43101c210bdcfca26b7cd83b73735c33730fd593

SHA256
ea3cd245561eba53fdfdd23cc2d6f27e95e470c2003f72560bcaf48edf81ed58

SHA512
3cb423b9366b71de2998ddb511847fdc7a55afe830c145ed55d4b92e83a76acac995ea1f390d5ca9c0f2e5af95ca25b59e61165f7c6747d4d5bb343e5b90c072

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
53KB

MD5
b0e087a9eec5cdb3319bbcc3da26c566

SHA1
55bf59cae820348979d34c33eb81b569bff36f35

SHA256
1f80259232556e8005f18566c4200034876b3ccbb6909197f6f68a7d59b55c63

SHA512
869b54d07fa98deacfec6d63f3c60ef19ed40be2917b6cdcefe1178e45a3160fac9033709b945fc5cee230be7468a31ab7d8343c8f6cb43eb390ad33bbcf5470

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
133KB

MD5
54dcd89d474273dc148ed89968e574e1

SHA1
52aae162440341c6e03362ed638bfc9ac47b9dcc

SHA256
8dd2c472ceca782c53a50ad4b1f27881e4eafccfb89af56a11b74ecfcd7c119c

SHA512
f0f09646c12459a163a039376e631f088bc6a5b60e0d89b238217d48e90019582b5c1d93baa1e4142475fdc9b857af7fd6234a6f86b8e8f90d9a8d0f59db40cc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
500KB

MD5
e1430f1cb9236427f734e500967d2bcb

SHA1
fa2824313d12f27c8d5e0ed505239bcbaee27785

SHA256
584eceef66a0b630d341b4814b03381f0fbbf527d519a6393d7108f3c46cec58

SHA512
08371ffb8f15f9820ae8559a2dd07c848fec3433fe390acf9b8952914b3c8888af83be7d32f02419c04e816bb28f69f18463ee2aa05f286c2d6c4d247f9aa4a3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
347KB

MD5
cbef886ef170a4d813b20b1aec374dd6

SHA1
6c96e6b1baca6bd112f3cbb11cf756d3713098b9

SHA256
3ba4e8378549419ffe9a1913947849f4f04750f1c62d893081d2e6f39cf03b24

SHA512
95c7660fbabd1d511b53893f891b8f4cc94fe92c2f7b19c2fbceab09cc41cd9c43c7cbe44817789e39aa8dacb518b33d07a5e8215395c7d609a1394769809508

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
277KB

MD5
3622355e00d7119fc7b3664ac596aac7

SHA1
1f8b6c7aac042325575f699fe3b2505bafb0df36

SHA256
ea157ae9c3fe77c1d53a55b586bb65400e6c67f6136f0d86b028520c53c5152a

SHA512
643fc2573334c7876e64dda05d5da5d31eed134159b1f3cc7fedaca628070e2bddbaf1fbed0cc317ff15924a673fbffee5c49ac57c2c2126298bbe5ca0a288c5

Download Submit
C:\Windows\System32\alg.exe

Filesize
785KB

MD5
da69673556a7551051d16d20e07b0d8a

SHA1
39b1372ad31bfd3537e3c8678629116f2a753bb4

SHA256
cae8d633e902c386010fa3abf09b8336ff178b47050db1ff613ee5e036675230

SHA512
53d05ab5309b46daa407bec0f3a771fdebb404ecee1555722edce6b5d6946136a49ee6cabac6a51845fac71aadf70249b6f585c964a247f83ba891f44764a94a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
451KB

MD5
278ff70648b846c98994f78e8689a6f2

SHA1
554e3914d79e544c4c150ed96edfba00c0f17560

SHA256
afc57f6cba59e2cae97dc501eeabadfcd6d77b795f405ffbe41d13925f729488

SHA512
a9854773c53e87d903373d61dbbdee0e566e092d2c52875006e591d87497c756944590dc5d0ad8d33142049bb82bfa47c8e563edbbcbacc75b14140b25a1f1fe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
93KB

MD5
30b564dc5ea1af0d8f6196d614dfce47

SHA1
f11ab4e67c407900f6d508a6e032de35aa4cb2fd

SHA256
d2e13f9409a32ebdcc6e63a88ce13efec5c3a2cc669191a01601fc1e323055a8

SHA512
917561bc199fc4a16e1fc1b9b7a15dc208f7f4c3c014298b542047c261fcc634249a6dd13d1c2d4af68fca8e5ff795532623f235c37f5964d9fe41e9be1d5c8e

Download Submit
C:\Windows\System32\vds.exe

Filesize
228KB

MD5
f66e60f97ff7b620e2a2e889918b7d3c

SHA1
ca75d430adf3f1904d38d0df0e0cc3cb2de5e29f

SHA256
6358f10bccf6ce35c9690a101fe1a5abe75cabaf8f3b7aa0825aebfc5fcbb4ea

SHA512
e133c7150c798b8991cee41927104a4114cbc0fcab8d41df5f3e94bceae6ba98085729556e4c08f72d335680b942f1e6962e188fe1785a84031a133e423713d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
67KB

MD5
67e3442542a9960ab818688f19bf242e

SHA1
6ee0613a2d3df325b3cf531ef0c6a7c54acd0001

SHA256
55ac4496b5cfddbd3f06a754c340fe9ae1857cbcc01af86c896cf00f57b556cf

SHA512
6d58684af79772ec6f1a7803015dd310a2be28e92288811d7f0ec0bb3570f7cc68cac9bb67b92666c4af455b8c522e53fc1c8c71183836b5332e2e742e81bd62

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
186KB

MD5
ae98bea20eccdc6ced50f48200b62df2

SHA1
9f2d7d62c06eba70fdf4307a8f65ae363b28fc6a

SHA256
495f30a5876679f5c60ddd31811ca4d66f4abb2d81f3c019032d646183261a36

SHA512
168f01032919617caf2c6bfee7334ebe62bf5c79acfa86b4f0bd65b73e402feaaf56164054faddd66efbaf7f119aed9c6647b08d89a1c0ce9ee9774044410583

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
758KB

MD5
bbf81409be3d214f876a1c6c4a5bb3aa

SHA1
36c5cdac4ee5a3ed1f021ff10fa900c9123b4fc7

SHA256
0b02c320a29a4c0457b3ec6b266bb166c4fae80259607c8a98c81840e40bd302

SHA512
c97aa1f200ce5d9e0817aea620cf2dadf3c2cd5128190741343f1bf3f74a7727102ecc98cbc1f5b734971314316383d531b21e8b141a5f669143feebda3d80d7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
396KB

MD5
871f3e5ebb88072041d8c7d611f2cbee

SHA1
daf0cc3f4602b59dd74bd665c7e2cdbfc18e44d5

SHA256
eb1787e7800f537e96b7c4d5ec4fb6d3758b6268f4a6852512a04b4be686c0ec

SHA512
c01d1dad6f13faabb959bf96314d9dcfa3f6273a296a398593883eb268b58714025701c9cdc7a5bcbfa1e25a7343b68451d1495d0bbb1973a858c2b926f248c6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
864KB

MD5
766e674eadcedf22aee336c20199e679

SHA1
796066af1b47bab84a96d3b2b95c6b6c5d10dd41

SHA256
26f8f5ea3816c7e35bd99dbeefe24c7a33a7ac99abc0c2eb458fe63871238edf

SHA512
c5c4537b10f5912de58408ebf18d551beae7df36763b56dbf0cacb053e1952f6fb3b3ffa2d6ee27900fffd4f788ccb2d3bdf8e5d28435939af7f2f2f7b0828ea

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
614KB

MD5
61fe2c063c15c3130092ad2d2e37ff7a

SHA1
dc13a6ac3e814ff5b2233b39c15a4b1c80432100

SHA256
74c18ed8a4ba8fbbe247062a639af8ca94f2544018b64514f1015276328fefc5

SHA512
bb274e005211f638461d8898d8a724b427e5177352bf928a2e4830a8da912d4c1d5f3921964dce590e493f0630d67ad8fa77c38b088c29828664404381ca356e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
811KB

MD5
d5233d979c6318ed2e63595a6e38250e

SHA1
a0f8a6eb4015342a8987d4473e9c939176fbd78a

SHA256
5e063d3dc2df47c2a64b340c9a080dc863bff4e335973ac506f5827edcb77bde

SHA512
d9b5f36df7ea324aa1ffa001711f674591bb46903014dbfdfa246fea04f8f37b3cd06878a0c1e9bf0bc70d1c7f3e1e0ad4f93aed3f1df172b3b18f905d3f8006

Download Submit
C:\odt\office2016setup.exe

Filesize
656KB

MD5
8e6dcee1a2fa64d162bb89beed25155b

SHA1
5b7f0cae2344d99dfc1c8cb3b99ca829439a9814

SHA256
18f2305307830f828a5f38214bf4c1e684493c0958211bb140286c386e29416d

SHA512
cad72c21f6b9151553c640f0daebea29d2d6c09d555fda167d7d6c269629ae0d17f050ee09fed2dca8a6d0e7d347e96915b4f1d0d2c1a6a5188aae5bca4cbb22

Download Submit
memory/960-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/960-346-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1128-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1128-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1128-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1128-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1184-351-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1184-358-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1448-276-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1448-337-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1448-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1744-243-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1744-310-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1744-250-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2780-223-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2780-280-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2780-215-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2940-95-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2940-160-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2940-102-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2940-101-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2940-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2988-308-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2988-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2988-302-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2988-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3552-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3552-320-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3552-681-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3616-332-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3616-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4080-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-289-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4224-88-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4224-13-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4224-143-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4224-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4396-204-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4396-267-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4396-211-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/4476-200-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4476-253-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4476-191-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4508-241-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4508-185-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4508-174-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4640-107-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4640-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4640-113-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4640-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4640-115-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4784-263-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4784-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4784-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4952-127-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4952-120-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4952-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4952-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5044-372-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5044-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5152-622-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5152-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5152-1-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/5152-6-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/5152-7-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/5152-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5692-236-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5692-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5692-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6024-162-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/6024-226-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/6024-170-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/6024-161-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/6052-155-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/6052-145-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/6052-144-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/6052-158-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/6052-152-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download