a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
Size

1.5MB
MD5

b5af4ab8712ca9234c163eff4b478328
SHA1

7ca3e28342ea01ac68c98f659e7010705433922d
SHA256

a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9
SHA512

1d80c47bd2f15c4e9901da6707e9bd39ae5445a7176303a8373ea027c30e11accfe98d69f555f32aac1bc492c7fc388abdda770d1561c3197e133fd15d82c766
SSDEEP

12288:mf3dK3aAXOILyiYkqMk7+KzubUtYJPfaNiBGwLFzKGMaoQWHMI+XG9:S3IThXbqT+KzWEKS0nFz1MaoCG9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5048	alg.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
60	fxssvc.exe
4596	elevation_service.exe
4308	elevation_service.exe
4212	maintenanceservice.exe
1560	msdtc.exe
1188	OSE.EXE
868	PerceptionSimulationService.exe
540	perfhost.exe
1608	locator.exe
3448	SensorDataService.exe
4652	snmptrap.exe
1540	spectrum.exe
4876	ssh-agent.exe
4436	TieringEngineService.exe
4500	AgentService.exe
776	vds.exe
3848	vssvc.exe
4732	wbengine.exe
3648	WmiApSrv.exe
2740	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\locator.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b32dad718ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\System32\vds.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000888d97eb4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038eeb8eb4273da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b84694ec4273da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000412c76eb4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e53e89eb4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb02adeb4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004eca73eb4273da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1a4f3ec4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037056feb4273da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000936690eb4273da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e478a3eb4273da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2280	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
Token: SeAuditPrivilege	60	fxssvc.exe
Token: SeRestorePrivilege	4436	TieringEngineService.exe
Token: SeManageVolumePrivilege	4436	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4500	AgentService.exe
Token: SeBackupPrivilege	3848	vssvc.exe
Token: SeRestorePrivilege	3848	vssvc.exe
Token: SeAuditPrivilege	3848	vssvc.exe
Token: SeBackupPrivilege	4732	wbengine.exe
Token: SeRestorePrivilege	4732	wbengine.exe
Token: SeSecurityPrivilege	4732	wbengine.exe
Token: 33	2740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3808	2740	SearchIndexer.exe	109
PID 2740 wrote to memory of 3808	2740	SearchIndexer.exe	109
PID 2740 wrote to memory of 4736	2740	SearchIndexer.exe	110
PID 2740 wrote to memory of 4736	2740	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
"C:\Users\Admin\AppData\Local\Temp\a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3992

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3808
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 920 924 932 8192 928 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
759KB

MD5
a6a05e1f6813f33a391b793dbb8a0867

SHA1
46b9513a423a430babfe5939f58c24bb5ae2f4d8

SHA256
1e0518d8c34650e944d9bc9acfb0e0100e88fe0ac133511de640914d38bad90e

SHA512
6e2912e536a8be91406931f8f445ee99593f1281a9759f15680a7164bf35887a51ff970aecd3362dbef62377c46add6be40ed9d26df6e6034dfe492dd10aca5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
685KB

MD5
9f860b68ee0ff2a4df0cc70181d6b71e

SHA1
8ccbc19fd7bcd677e8022dafa7f5342cbb28ed96

SHA256
ba0c59968527358cde561c7525a2e7b46e86006ca70bbb4eed26c8b3bae06b69

SHA512
b1f3839b81128b124d20d8b9e9ef69adbe932644f5842b5c6e7b7cb4ebb09907b6d22e5f8ddcdb296e05aa0d91400c2ec0e951457b1679d8d6bb53f093c73f9b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
729KB

MD5
f4c1a0d4b6e4027a20bfbca0163107fb

SHA1
6b6b9117ae24a7af6d95fec147dfc16a4943ee4b

SHA256
c19b00a6aed95b1e19c2ee1a265ce60102a14eaaee0259792ffd1978ab863c56

SHA512
0e8c8a5f236631f0dcdc497d089df3b6f73e8a5bd9aefcfd77de47d619e2c101dab7dc239fe74491415b487502a96b75c695f4f365c31b23e5b9e97accb7946f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
855KB

MD5
9046d31bb984542f9b474882940d0bab

SHA1
28064803ee8b6a1c91f01c63d72a97152f089eae

SHA256
156a7c9065d95ccf0777af40a5c4710781ff65950d4419d60cb12652bba48b25

SHA512
018b8547966104da85d3af3c2cbb9a828842c8fed0cac5b710ed33208d6e2e35df0e3a7de3eb1ba4bfed234513eee91c52f9cd3743831ba5d7ccc180ec613ea6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
703KB

MD5
949646c95b3df91d88f945b1d9ba1fe7

SHA1
b2b1e4d4b1da6e3825544e73a83e58caf70110f1

SHA256
cb8d61116a3c7de7a9ae28f5117846ee822dabceea1f12e9a6cb79c4d226837d

SHA512
0c10eef74109ee3e4a2c159f8a0599fd0b2b33a9a003b578a369a4247595e6eb284d6eed29444b969dda6749b70762cf4fff05e6023907acfcebe365099e31eb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b365d9ae80e8f6f7eb3b500b8c5ff73d

SHA1
7423a38850963e63975b611ac133c25b7b3f9f8d

SHA256
f8f23c210ea09771500b71f71362675f8991b5f115d8c814b592ca7a1a79183c

SHA512
e329f8dc4ce23fb86a666cc0c56c59f54b95da64c6e5b50825aa73b2a9786b02a0c5ff4ec7ef81a82118094f7dc067bbdf6919f3bb13018b8eb0c8e0809f6bcf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
632KB

MD5
f1686b304b27c8e732f97e749a84d9b2

SHA1
7fe54a4140eac76b3ea6cbb29985ec0264b2d5b5

SHA256
6c1ad78a4d9d3a8c7c4900e214509cc95d7d27e779d1c759bce982cd73cb9c3a

SHA512
caf7aa77ff1e78b0ff6bff3a4e462328c6a4b3d2f17b78bd769491d6b67707786a2feddec5e438ee51c60730c6a8bbcc81e3f20ba3ec4ece01c8f0a1ee4c5b37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
423KB

MD5
74ae276fe53770390ceaa3397f38a74d

SHA1
7e9bb11b6f0c84082b08c97ff7fd1c1a4615ee3c

SHA256
f44bbaea522d309163890da622d547f25f00d71d79e7771a943806b8ccd9d734

SHA512
d8b70ac7eecb1e08a5cd9556f04c7162d943e40bcb07bc859c67e097f3c601a602b6316c727a4ba9fae5a796a91d1ac1198bac4d335161bb7d2090bbff620374

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
261KB

MD5
d447c108ecadfb89ad5cfba702a5df35

SHA1
d334f79ae9aa6040625c793a16bea82a84bb7fe5

SHA256
3cbff64e66935b74ba4c63e0d494b6e8c46735989af16024252e7b90822044a7

SHA512
bde45aa8d1f3d24f18f4db204b30e41dc73638e563909ed2f0e8b2347f36e1d48bb0040093e4b9353134c74414442ef9afcb7882a5ae9e98bf08a2092fc644f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
462KB

MD5
a714d25c78759636a188301654db89b3

SHA1
392b6fd0c44334f3b147d6ba7fc6be8f02d65c7d

SHA256
a25657a78f195878020f4bdee44551ddb06240e5432c28488b6d47f255cbb941

SHA512
19c15769f449d36a6e0e577c2a450982f59d24b0e9bbf097455b91e43550f394912202acb5881385fdd6930c5b566cec4142312fb49c103572a2a50871686127

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
334KB

MD5
d2eb4f48a61defda64d097b726085301

SHA1
0539bf1e55fbadf4887676254474727f9ffdd2ee

SHA256
ca8c2d4eafaa58b5fe36d791dbc426cf19373e63ee4f67121b8e984f5e5c51c2

SHA512
9a39646ed42e20a069d2e36bdc20dd609d003032a344edb82c728674848844005e3f28376c25d50e5cbf00f878523fcd9538df6de367a5bf58712adb35b6a310

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
699KB

MD5
cc019968382d95381f3855477bdd4888

SHA1
d32925d3ce8a9531907dd68011be05ac8ead6627

SHA256
f0c9aa07e14bf9c3914d3541dffb0c4f1b7ffa379cb2eaabaaae6f8cb5ac05b4

SHA512
fddcb34e4dcce276ab1444781390cd8a4ff99c7dc6364d9b2cf2baffab94a1c49cf8626a850b2aa727289faa8f573bf487da92591b794aca15040c40187688d2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
351KB

MD5
006ef7e44284a6711e53df5647557748

SHA1
1acb77bf0333c5033255397ad0513c14260665a9

SHA256
2ffb523d476c581ef5d518903c3e1f202d90d04e7bb277aea5ef59ff2ca2f1ce

SHA512
6347c6db31b2bdbf1d8420a407bdc212342d1e87ca98616c9e5abac2387b7a054721965771810f18c53e3ab3c3be78f0e1676b836c66bf75d518091baa927376

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
229KB

MD5
3e3ff37c1910719d3eb64e47efe0d00d

SHA1
b7278a87b26448216625564a0e916ab635e1c79f

SHA256
71f82131c5ce44abad6eb2ea80cf30006701f4d1cb746b568178507d201977a3

SHA512
83f3f3572bd9219bcb7ea511c52b7d837993f8e797d5c3070378bb045379e641db0b08e3e1a96b90e658398d6f468910e6d6498d35bfaa392d84bffc1213a85c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
288KB

MD5
7210391eff3879230d680420401074c7

SHA1
65b9ac66d86d26a2d0987ec48e30e2fd546df379

SHA256
5e3198bc1bca03b55553534f09ebc5f7ee8dc9a710c4e68392cfcf719b4f0575

SHA512
bced970ed25e4f268e4841561213b097351588589fbc11c7ca4c613b6a79b65176c18962c069a9ed583c3d8d0658357b83b2a8871505b8cf2a359d2b25e8dbaf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
208KB

MD5
38820a13d6443a02b35dcbd40dade381

SHA1
dce160b05bf772c4e43b8379d08333414d85a5de

SHA256
10b6a73b79b295ddccb02b5f2b07e83739d50511a2f7720d24d217588bc75975

SHA512
ef0fdbc0ff4f7f8813b1a27d347b5d3c56ef16321ee3c18d20c71e2e9f771ca1641c7665bbb4eb01049f44d2e606cc7daa6dd422dddff42f05c2c86301b7c3df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
149KB

MD5
12d628469ce52c9de0f933b17faaf290

SHA1
deae9c0eee9e08250dc94ce534160e4703ad6ea1

SHA256
f9484ce87b052f0e800f3cf08ab539451819b34ec31e58c158e34a8848d6e2a4

SHA512
9ef501b629559a06e1cd6fb18df5703e12abeba2bba13b2786d9c2bb242913ae62e293a8d95d49c0dce3b7b30b8a1324116bc29de936b771e225a27c86df849a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
361KB

MD5
fc8fdc58f1f7beb435cbd6bb9fd179fd

SHA1
68979160c9940c9bd5855836b6fc4f4bf638f009

SHA256
dda99730322539fc5294f3db036342b84d1d37030b27b3c91e7a5e7766d2b541

SHA512
0e7a013c0c3baf73c0129979b1ec4cc5a31602bfc6bbf6e5973daff7fc673bb8cf88af6241412995634f1c3e00cb2bfb8fcfa40fe64b7edc1ffb6350797ff024

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.3MB

MD5
55e51172f2c15c96e5d4c1ef89bdd4c1

SHA1
2cbbba950562bc2b20c6b6bd6f79f94e9683bbe7

SHA256
382d29b60470105b036eed41f05342ba3719a32eb718dabde7f03b994c8812f5

SHA512
694d4d1c99e985be166bf1ef3b53feaf7cdeba44f81c3cbd4fe20b4ba37587ec1b22d98f8794588ba49578c532b4edd74b4888c6a7715ff0bc8a174b624af28f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
360KB

MD5
a963d97a0434d5fd32b72a065c165925

SHA1
311221a452127c002e8b2521a34203cfa9bde56b

SHA256
a922ad645288242a5ece5f369dc0433addae7214984936f0fc4ab0e600a189fa

SHA512
95e0eebe4c1b8c83fe8b4dd88caae700d943b4d149179a99a3108d2afb42dc5d21899a9ddddcaa471c2b8caccaa840851b4ab84aad35a8798b20fa523b62546d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
334KB

MD5
e4a4304dcba6557cf1aab6a41d65af7c

SHA1
7aa74d575fc4aaff7309b9922fa712989201529b

SHA256
bd36729ad5d61d5874f89a22b565e16b654e3e727148081d01643265ff61a450

SHA512
1186c8d750e632d758002bc27abb4d44dcadafb6340430ef4db96bb499ba92232f6f7a544ce8c1935adbc510b31734c7ed5028de62398806da1de67a281b4c17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
256KB

MD5
4f3203578c935f9606607c51b670e4d5

SHA1
f029afa779fdd524dce1c10637eba17a9e1f8c75

SHA256
91eadc3216a9c3622c4c8c681a34b6981ed00cce50bd6c0eca36834892f8f09a

SHA512
b67292b33280bf07a4daebecde1220975f360b6a00c8ea55ccb96897b0f3be2e08a6b7ad3dcbfc095a79ffbf501f6f87f0584561ed0a6fe7c0298de1ba1bcd62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
341KB

MD5
eab4c8a82bf905b45f0b73045a78e738

SHA1
d72f5f762a8f9e67231a57cfcee0ea1fa268d415

SHA256
912f3c595a49cc42ab3d3c24d2be68e115d66637b2b62835aa290d2eb5b10527

SHA512
5996baeb603f4bac49ac58770605c8ef303ac0a05a151bb5eb13c42072af9ebf12dd4b77428284a3102b0b350e9eb141b5bd422191d5722f6c68cdc191aed816

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
400KB

MD5
658bcfc3daae694735f2a12bbf7c76b7

SHA1
e190c907dcbc768f624f448acde1fcf35c3b101e

SHA256
1561dc93e904eee5559023a27c6215d371e252222d579914931619553bcaea02

SHA512
af49474d5308b7f0f77dd15ef1215a243adc3e6aae2c9892d3f28f28b159a44b9c159a94a00a22d503560ea5d7053428993e28025be6a8a97bb324a0eaf22e09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
307KB

MD5
a4f8f57a2762f32bf23dad0aca29c533

SHA1
245b9e3a051cd8ad39a7e417c85ae350515595f3

SHA256
695923bd4024611952364881ebcd0d51f2362dec239377e5e0dde67347526a72

SHA512
23a525a83137ba96e98e8c4edb0cf08184ddb10aeea7e90bc04c33da08b086f87aa0ea0bed955761ed83d8b50587e883392bd6940cde47d1670ddbe6f48cb50b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
251KB

MD5
d1a0a09ad7832db18354a4b06ade3201

SHA1
faa70cae46aac8ce0d4ac1fbd645c50c83a53e9b

SHA256
d17346adb3180ea98804d76580afb543b69a218b878af236dc3480e950e0278c

SHA512
dae1d65f780931950dd30c8ca3d63932fb7377c3d28f137cd735b3f8c6be07f548be4fd77c4cf00bb9d061d0b5ca86836ab21e741c47afb3ef31932e6b0c91aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
194KB

MD5
6cdeaee05738fa389fbca3572b44c298

SHA1
30069fb8d278cf15601a8970c587c99a8f4300fb

SHA256
3cef08a2cd6c715c5deeff067c525ee2e49435e80d0d93b4b82b4189043b2c8f

SHA512
0695a433882f3d160b096a829ebb06f0faa0d8285df273c4af06dca94fc4d1fdf61226a18c6b41743b6d8e2905bcf9d3a9270b6c6edb98228b0c106a31458db4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
296KB

MD5
dd0747484c9a1d9118a2f6c35debeaab

SHA1
cdcc7673f5a175815404babe8b9f517eeea6a706

SHA256
ad2d39c0e7728503da782e521395b0237558bfaa0c5a2529a1a1f50276d33439

SHA512
9e863791a0518af2e0c876ab4f9e93e40afb6defad062af04fb574aed9e7e08f8fbb927b2a486ac716eafa3a4b240fc2f0bb80fb03875fefc437a78848dc4e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
442KB

MD5
1a5601de53ae11b2b28e502a7b863f65

SHA1
c6ede9af6b14f8f124de319ffcaef6c68c1f2bea

SHA256
bc4753473be35d7199531bc2be2d802115ae83f414cb20ab9d846c5436750d17

SHA512
70e0175248b452db64c2e3085d17bbf7827019f2678116cbb3f1c97a8f99219c1e8c9e9987a5cdb74857e780f1ab4d631819987d66cf43d197fe805026efc4e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
425KB

MD5
e0daee29d8decdd474e519040edcd3e9

SHA1
cfad3dda622256f4edc2d7512ad8e9f9f80faa5c

SHA256
af103b3d12fa2ca05e1433521c8ff74329196a9c6b472926e84b02ffa55a7304

SHA512
5baaaa0ce7f562fa152caff0d1169b91fef73719adec0741311b1bfdea88d5efb79095443050d0fc8f567a9fc8720e6f662f88a30e6652b8136c38258d8271b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
280KB

MD5
a8ca98ed2121a3a40ed1593ed7f30028

SHA1
fe1d88f53f3e3a3ab95a1bc37a635bfdb675bd6f

SHA256
c16a1dbe0a16ce1858dc3e3c061865b3578e56b43c1bd8a0959f955dd7c60e2f

SHA512
2c3759b3911082904703a9e9a168659e0b2b61e7846ccbbd1b30b3505ca699b8c9abccf284d36ed1ffd65232ac4506da444f81af64ff367e4006103d91a823c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
147KB

MD5
2704147b6931ab2813215b17def06aff

SHA1
4d2c520d2579bcd64686970261b8f9ed716c1501

SHA256
422a7a74329e7ffa415a33da3293ab4d63309faf3d8e64b348aea34c6e5642b2

SHA512
bede6ad4184221d34f7af3671bd202b47de17f08a7423cf88c0cfbd15b00636c879320fa8e7ac46c2d046249eb114a90264daf953a59b6981ca80e4eef8b8e66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
208KB

MD5
4fb72ad35048419bc0731dd09e22190a

SHA1
b99fdb1aa1f57c431c0cde87a6d8f877a1066cdf

SHA256
fba95f3942fc42fba45d302e4789f0e337f4c12060898f226cd3f4e82a64dad6

SHA512
a9ad445ccb5d795795e9099c2bbb884fef7184b178fd052ec33c11ea582a4e7f49c9e5656af2b3ed38835936fd47f4a7f3168d27a0b9c72f5bb17ff79e0a30a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
238KB

MD5
c8f79ba8854caf9baddbc7053171033f

SHA1
1447a51535dd01af1e1ce12eac1ba10e8599e655

SHA256
9da8c2c23b24381e68630e1eac626e709382f9378ecc59a7b73ace4863c1fd64

SHA512
075b53d3ab71f06ce8684d82c384d60025d8c1197b394b8f85acad0c48b54c84edcfe21252483b37265db8ba73db439e3a3444ca3e0ec7cc475c9ae786a6deb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
315KB

MD5
17f4d033886e2d5d5f67aa0757ca7666

SHA1
2035738feba09573d89f3baf6970690c05481ba8

SHA256
196cebefde2978988097fd435d5298295aa1c0f1a7a007644213c4b60499e124

SHA512
79beff2e23de9322bd00293ed68ea1d5a60e2d60ac61facff5dc5437ca33b914dacef5ec10373fe74451ed7d70073c87cf31b18ba3e6bdc59a82522b86baaa24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
296KB

MD5
bdc23d5fba04cb3c307b1ec08c7f28cc

SHA1
d017eb623a246af8cb1853061006c43eec1cb22d

SHA256
9bd4d78297b2a5618ce993c6d5c96dc110152dbd9525c4184cd29f4c34620a7d

SHA512
2184af28dedba06de84fea04d2a23998dc3b492d2efef77cecf83544014c3c0784417e24820f2c67a2a20745cba76fc4ee21b45094120dbbede047347ac893b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
186KB

MD5
355b7d786175a9a5cbf8681f4077d346

SHA1
291a995e0fc6e5971319f464ada5e86971f4e77e

SHA256
a17b195486b6ac096cc98132a3f872f2a0a92dfe3c7c37ac0b84897b6339bf98

SHA512
5a3788ac7e26284eb0d6633dbf543112a6baddfda892c2c82ce1eb6613396fa668048af2037c8cab3c2eb991de4a46ecdccebead9df96a6cd844af60bba9eb34

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
704KB

MD5
0c9b907574d405819e9d03d4c23b990a

SHA1
b562af3b317b46bd4cac90d586fa7277c3ed377e

SHA256
7a4b4cbe0cb02142cbb55e9e5ea39725b58d6fd997af9e6913742edae3dfd852

SHA512
5bcd1fd34da59c9600bb2f886cff0682d37a5368f2368c1d696d3681426878ec94f4464bc8f8542f0400a185a5b44f9ac09d2a8c44c34012c920cc7f73414660

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
443KB

MD5
f4729b52c263084e15835ca930407655

SHA1
e5562361435217c478236018207d5111b6d92abb

SHA256
170377efa4e77af1ad1761119fae62838caef2bcdac80abffe98063815af1048

SHA512
d8e11ec10260014be2cfc326f616b0a47edfc0a118b9cee53c9586a3c3f544861eff3eab581d67269615a5c904250deb3148f11beb625b5ab0f1c6fd2ac4a126

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
187KB

MD5
50c0f94c1fb2197b33c4ffecf56ea8b0

SHA1
fc5becf33200d562c63e5e527d7a13d8923c14c7

SHA256
46e887da1bbf0f7d706c3d2468128dd8bc45e2ff5b45bb01307a857f35ad468d

SHA512
5ddcaaa7a7b45d59ac29f69ec0e7d71a08154b98d6a135beb904089253e3a9e473439216284e1b3596d9f903f5e4a646e571f89280b935066733b63a8651fa57

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
201KB

MD5
f03315d6546f798d63b8ed26a67b9984

SHA1
9ad665602cd6f516d621592d91c1fff6ec00dcd8

SHA256
dafd98cb6933a6f4b5ee987dc4743ae038330f9ae5e40cdd4e99d502d4d224fc

SHA512
5546eb4cf9f0284de7174502c5982e6f7bdde430f092300413cb02a625762f0f21baf2c3fe29a8d612e30c0077808980a735ed0eca7db6a3430ce40ee179184e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
719KB

MD5
6645d0858ca89820d272611186c719e2

SHA1
daead6850f32f7dce76cd9b87ea9bb4560353004

SHA256
9e95fcb966f4c005d016d1abab62a705e198565f6fe0619579ec0edcd894a80f

SHA512
4abc3319cd4b2ea08010fafbd9e67a18719e73aba6adf1c053f253c94212c84fd6a4c0690a7759019be7040962eb9831251479e69bc71737ca66624c148f7e19

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
259KB

MD5
ff15038e3b3feaaf17c6af65cf25fe9d

SHA1
a7683946ff67a3e44b0aacdebfc49d342fb4e158

SHA256
94175729b5bf8fee5bae072055c84a0a73286e618897da0f7aca87c47ac8c63f

SHA512
34d0c3ea135ada3765ff485555ac6a1163c71e6b09e4e41011dbf2176bbb173bce27603907a6e221bc88f8b421292af35af564e47d3987d8fc4621c6f51edb77

Download Submit
C:\Windows\System32\Locator.exe

Filesize
227KB

MD5
8645a52d9430107f43def97d55a0c809

SHA1
e9745c5a46d02b3e857c2730b20049221455e369

SHA256
a0b8ce5164770c48f33a7492949fde7e9d685ba3b29ec7edfa72ebf8f9fd19ed

SHA512
2725ddd5c48d4d3253857caecb94ea356baa9c491c2f581b7c882998b9d94210cef0fb09aa64addbee5a66dafe5acf47b27a6053ea331654e7e8ff2984a421ff

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
288KB

MD5
2f502d78b3ba8a421b18b35bee27554e

SHA1
71767a17e9cbee40de3de210b2e5cb2a34e6a883

SHA256
03170d892c16b4a7f9dc17661a19c66a5d3ff871ab498ce8a6ced11283372306

SHA512
3cbd8158e8f4e5b3cab847f461189934552d2565dc66ca323c165195ca1464824fbca8ea40eafa736600d93d1f87eaaaf2580147439888ba5b5edd0a33d9ba3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
530KB

MD5
cb3371e3ba19ec9929767d670aeecb13

SHA1
99e1002c83d336fb86c472739c4cb541aeb55765

SHA256
282db7e79435cc3566e356d77895b8d4fdd1761de8850b7fb7e3e5e2c930bbf9

SHA512
3eee2867ed4746a4099aeb00188433c40d5b822f2738cf3ba9869afa60038daf52d33407ea1917596d1a8cdbc673867d55cac0b5d067972d60d47acfba0f8d5c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
134KB

MD5
3ba31a54f865c94581b34c6042c92bda

SHA1
8b5d529ff47e5a69f4c135c62e43e7bdfd18d1d6

SHA256
5f98364802b972938d2fcfdd8f944bbb372b8b7da50cce91ad79303751281b80

SHA512
f2f31ae7937033aae4eb0f6933d2da2b6c234762519484fb3396ed7b4c1dfe1632ede1514b88127bc9b6e3d9d83e6ef9090f984dfab86b45ab7e14a93ad2fe5d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
498KB

MD5
cfc96c01a3df4511bbfb01420923b0a5

SHA1
c8ed5886cf23525252b4ed288b24b1feae6472c1

SHA256
743d669154dde7728b72b4edf37d30dfbf0e48032ea040720fea8a19ec5951db

SHA512
15608719ac2d4c4ace930cd3a2c786ddcd9c580215ce37a2f24a13b41b488e21b78b3ef6543013e70113607d651600587815f587e36866defff025d988c0f8b6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
57KB

MD5
14a0fbfd12e6df5b8278a55c164c8c74

SHA1
5d7bc4504845f48f89baeedc9ffdaa857abe71c0

SHA256
0d4eea043c363225430b7a4a00190917a10e3318b59f5c69654c331c2d6ba286

SHA512
21131d034f00167a047ed77f4a26251cbe99a115e1ab4a501f069827dbaa6ef7412048458df0d1089a85147d673659c4c569ce8681abc1bab644d5eaeb09b7e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
396KB

MD5
0d69938a16fed97b5f608e4dd0fa8dba

SHA1
7d66403b1062225f38f7f2ff7865982712df1f56

SHA256
51268464696ecd89aa7c38095db1f0f47e6bdfb7028290a0a191959915ee3647

SHA512
1ab85a056236efab15e2caab375cd355688d7b80f4d85957ced85d8d7567ded4b4834ae698c38fc1efee626d06705230e81644d25f6d3ec28051e6bfef891df7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
237KB

MD5
dd1941b4146c4f94ac3aec994a23ac1f

SHA1
0811f5d525bed6663979ee1e232fe95fa21a02df

SHA256
62a2435b704b7e5051b3fde00619e68cba98254818149298f870bef922059bf9

SHA512
65efdd42cd752fc97f52ad8cee98a74ae0ba60607ee625e181143ccd718a2cc8388703dffa61d39353099816108bb149f2e82ad95cb03c2d51c0778b9b8c8ae9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
52KB

MD5
a2460ee9d9f2a48780249d6a87a6a8cc

SHA1
cf0ef13c503f13daa340e12b3ca64658bd64e73a

SHA256
1ba9766fadf850c0091241426db5f053337349f9b9f88dc6ce39b22cfe5499b2

SHA512
e0216d606fe38fd9978a5fba7a78b1f0f96c8420045248060e0df21833fb81b1d37eea8de66285ba32666e37478effdffc81b2ff2c060d77a21d7c7dd3175b16

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
1c113edb9bb56dd5fa72949ce865bbf8

SHA1
18f7f68ff074a6bb10997755d175983f966532f7

SHA256
d27c6860e443948ff1ecf471baf9d5d6f03cdbee2b6fff8567d968a33551fe98

SHA512
9ff1cc57df6d48ced29d6105f619f31e6792b4082415c07324532f5bc95e2a3014fe791500d832688ed8b284311932bc29f59ff7760145e94c8d4dc3fb7ffbc6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
522KB

MD5
31cb99aaa992cf3ed5b852fa25685255

SHA1
610e6176af72ce946fe2dfc9d5428b40333f8361

SHA256
5ef35b69a505cc4e444fb5ee3dd85efeb43b02cf6cf4a116f70c5d1f8150a120

SHA512
0e1625250d7f50167e33969a32239b8306b06b7a1b8b187ab021c1e7daa5825b67cc62a06543e314de94a0921a6c1e681fd79be0b30080061eb31852b54767df

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
548KB

MD5
cd946ff390172963b7ddd4b0c32e8a26

SHA1
c6ab002cfef99d938ed3b82626f8a5e33b8010b6

SHA256
15e5a200b6b1ab6a28608909d0d69ceefa6eafbaaa209a21a389968dcf381082

SHA512
0b7b60182757886fe0ae67fe76f9da987366e4512d33438a664cbfe83c4e9e0329de46a163276b81c77aed3b6ec80c6eee18362fbb8b65f51f5603b434badf80

Download Submit
C:\Windows\System32\vds.exe

Filesize
95KB

MD5
33dddd55d0aa9f66173bdc8d3ffbe349

SHA1
7a3a15aa59278a8d7fa87ef27e457134fa514e2f

SHA256
3e87f41df8a788a06662c6b721bc12838dc72a68965d46cfa204361d585d8744

SHA512
10988e52a0414ab1012032c44efdeccd7a3210e3ae61e172f362c8f820305e83d408aa7e2dd5271216e9c7dac43c357d088a75a868fcaa983401f86ffabd3dda

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
355KB

MD5
3a8d5f248e42755d8d0735197c608233

SHA1
bfcc221981d6d3453a93fb84abd5c76f211fe2ae

SHA256
dc570cdd1802e7c1e3cd9afd08083b63052cf8f8dbde7eede4d1c10d7d96c343

SHA512
69cb10bc9612497537d03ead9c4e5d02fe1c0653d4f66f3fc4ed4264215f41b0662e9826877f046609423f3dab7fa55912f8813d1b078a261146f65e2fae9ea9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
306KB

MD5
3a8cc47467a764153dad23e64a92ddc8

SHA1
b4314b2d4f92e70d5fb1f7d08e1dca2b7a85c473

SHA256
99f86bf305060fe88c693ffd67d448cd04b63e5df4e9814f5a4446d7b8db7917

SHA512
51b0abe925a2337a6134b88195f334b3b0d65d84c90478d19a7f405559d06c53df7013fd242d56592f1af841b7f1ba326261239c8867493f2271691c5b39902e

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
678KB

MD5
9017fefb24ed1fee02c98bdfeae9cde3

SHA1
bdea627fa4d507c2577690a88c09e2b33f4c26cf

SHA256
ed07f8483c289aacb20bf48649d7caecf39dd2d22d4dac603332e79e7647240a

SHA512
1f9ed64424b2ce97456f00332f0168515634d62c153b25262acaa79aed2136e4fd6792a43c5a269e902aa7794fbfaa47683f209e1624b929ac1bc8761e13da86

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
223KB

MD5
59be2ac31bd6d074d0ade5d69903d86f

SHA1
8b75ab3ff2210331152a18c983ed10ea0f55caad

SHA256
8c8f75e82a5ef18cc2fad06e53329c336d78ddf37fc69a553cae55fe34e87b68

SHA512
ba1cf5ba31fe23c1a67412e31d52632b845a03cd3663fd76bcf9aefc349f85094e693a6f36eaba028cfe92893ad4714432aa62a7cdbf60e00516c9dddf70852a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
698KB

MD5
556f67872794e671caf755dcfb838bae

SHA1
4dca23d5c4a19282b5a575af14979f05d9a833ff

SHA256
e8cd1a6f07f508e60332d2e261f8853530332a093e9880f5bc69e3d831f43ad0

SHA512
f2035cdcf62c0ce348e7bc9ac03fb7a05bffb05365ba5283a2a6564f3a444c8020379628d84db7f27adbab43fbc2dc840e176e1f46cee5b6403271efc70d433f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
581KB

MD5
2e232ed7e87fca8eba511282ab6e9336

SHA1
b3d213255d84cfa5de67257f19d3b53741f20b94

SHA256
0ead2e97cffc9514b437a3304de043852e4340058eb6939169bc4b63bb50a33d

SHA512
7388322e2d5fecd770a52628236d68fac19d9f0d9319772b976a77f0b519ede8df11c1984cd28970e0698aa7594a49e1b35193f8137a3080009f9812c9589b25

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
510KB

MD5
2ac2b9da10ccd8440b5eef0083465015

SHA1
cc605733b426ae083e2f169aadb1888ab4523446

SHA256
bcd85d7679be883d2442c286be6c8a01c014c259a5284c0c6ce6d351a6e69b40

SHA512
237892b287272d9bbfd50f4c45644f7639382c345db3398ba188b25da59b0aaab81eb1d17e385ee11305e83a13b3490f279de3797e2de8f6c7258b774f5e6eb9

Download Submit
C:\odt\office2016setup.exe

Filesize
514KB

MD5
7b1acffbd8d3363b98fba50cf263613a

SHA1
b68c3f9648d602616fade2522898d3848b7dd273

SHA256
ee9d5a6053caccf3f3662644893ce3dc6f11c7dbe31afc454fe148f51815fed5

SHA512
f9ec9eec8ae9cf4dc050a1d279a7af3955c34d12af09c7e60caf562920629d5696df1713f692e4c7caf4de13c2ca6a5101aeb756ddf887a5d2dfcf112b5bbb4c

Download Submit
memory/60-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/60-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/60-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/60-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/60-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/60-51-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/540-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/540-136-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/776-245-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/776-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/868-131-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/868-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/868-187-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1188-119-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1188-174-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1188-107-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1536-93-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1536-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1536-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1536-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1540-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1540-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1540-188-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1560-103-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1560-159-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1560-95-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1560-94-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1608-147-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1608-214-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1608-141-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1608-205-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2280-63-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2280-7-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2280-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2280-6-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2280-0-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2280-405-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2740-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2740-298-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3448-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3448-161-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3448-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3648-279-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3648-285-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3848-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3848-258-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4212-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4212-79-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4212-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4212-91-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4212-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4308-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4308-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4308-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4308-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4436-216-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4436-207-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4436-277-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4500-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-229-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4500-235-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4596-48-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4596-58-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4596-59-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4596-49-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4596-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4652-236-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4652-175-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4652-165-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4732-264-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4732-271-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4876-202-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4876-262-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4876-193-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5048-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5048-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5048-19-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5048-76-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download