751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
Size

1.8MB
MD5

175252250402ee03bfb1eb3a9d029472
SHA1

97458e4842a40a924dd45132c85e5bf055d6c664
SHA256

751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0
SHA512

1c869b6f4b2dcee4efa5db0875cf92f93ee25c0e8dc0734a5f6b6a8baae995eb6f0ec4b481b17cd25611c04db25bb3750d530c8bccc09d5d4bc0150b5d380dd9
SSDEEP

49152:Cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WADiLlBUKubZrX+ld:CvbjVkjjCAzJUiBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3312	alg.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
2476	fxssvc.exe
1980	elevation_service.exe
2828	elevation_service.exe
3504	maintenanceservice.exe
4340	msdtc.exe
1404	OSE.EXE
4964	PerceptionSimulationService.exe
4112	perfhost.exe
4488	locator.exe
2256	SensorDataService.exe
3904	snmptrap.exe
3684	spectrum.exe
4900	ssh-agent.exe
1416	TieringEngineService.exe
4248	AgentService.exe
4356	vds.exe
3620	vssvc.exe
4376	wbengine.exe
2928	WmiApSrv.exe
4048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\System32\vds.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b520b82d205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\GoogleUpdate.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_id.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_ro.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_mr.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\psmachine.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\psuser_64.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\GoogleCrashHandler.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_el.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_ar.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\goopdateres_gu.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2D88.tmp\GoogleUpdateCore.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4973f15f73da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0d71ff15f73da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017ae56f15f73da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4492	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
Token: SeAuditPrivilege	2476	fxssvc.exe
Token: SeRestorePrivilege	1416	TieringEngineService.exe
Token: SeManageVolumePrivilege	1416	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4248	AgentService.exe
Token: SeBackupPrivilege	3620	vssvc.exe
Token: SeRestorePrivilege	3620	vssvc.exe
Token: SeAuditPrivilege	3620	vssvc.exe
Token: SeBackupPrivilege	4376	wbengine.exe
Token: SeRestorePrivilege	4376	wbengine.exe
Token: SeSecurityPrivilege	4376	wbengine.exe
Token: 33	4048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeDebugPrivilege	3312	alg.exe
Token: SeDebugPrivilege	3312	alg.exe
Token: SeDebugPrivilege	3312	alg.exe
Token: SeDebugPrivilege	1032	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 5536	4048	SearchIndexer.exe	115
PID 4048 wrote to memory of 5536	4048	SearchIndexer.exe	115
PID 4048 wrote to memory of 5560	4048	SearchIndexer.exe	116
PID 4048 wrote to memory of 5560	4048	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
"C:\Users\Admin\AppData\Local\Temp\751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:632

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2256

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
87d92ae63bbd5a59e8623d10775d08e1

SHA1
7f11dacee5688860f72010ea84c587c734f76fe3

SHA256
99dd545207a283eedefd7375191794d0e7c0df4df722c0239e40cb46620d1cf4

SHA512
594c449b6368ff663c8df50fae82d7ae6349ad23eeef1d09d259a1f90f4f320cbaacb8b454014e5eac9b11a3e51a268c6c67681db95b99a03c4bf4cea42db0f2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3877b6becf342c4145344e6bb4fad2d3

SHA1
3205b82feb7bd8293bddd86122a36b11f40b3b78

SHA256
bcca8af6dc2948db7f682eee37a702df41ee61638bf3256e65c559c5bd6e28fe

SHA512
e5304a935394822414a60cf9e7502916f9d0522b4e43cefee86f24c60431f875dcf5075c3b796e88ab777da44ec2331ae021f7c2f41c1be4b7c67ed493eab439

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
589KB

MD5
4740f09e9f979b50d0ee5d91ee776ca2

SHA1
d2fe94271841e6f11bb08fe32cfc933135422e88

SHA256
1826e3a109688fc566665148c422707a1c4fb7d1d9efcada078aa79b550d8baa

SHA512
0967bd3a85460bdc51c3d8df201c1199c1cc2626e4df165ce86186588c3f25ff7f05a907808dce24dc512e431175c2d920ca25bbc5776a1470da8ad633cf09be

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
171KB

MD5
016b7035c042db75e2fde37117b003dc

SHA1
e74ef712b9f681ab042fd419840a4c25b7e7edd2

SHA256
24d52a9028a076becd46d7cd3789913476900bf23187bfd229966da085d90d63

SHA512
af4dfbc0e518c6431332ef79b0ae08cd6f7f43fccde5d76df4fe57b0474daeaee5609214222248421e884e10b7366b7d0e99ba69dbc75a575c6226b36af194c3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
248KB

MD5
740588131f9dc16de208cd120d9603e2

SHA1
f447236534d613b71be960faaff000b5c30e072f

SHA256
5fb388de89639b05deb49608c350ed902d57c0570e677f16d38f65cc0457f3e3

SHA512
8070b7b1bc755ff0fb7cff56c74fa45aae3fe1eefdb7f4355c2b282a0b1d95d1b727a13d152e48cdc086ea00a787694d7600e996e0f8bb60a330ca0564eac3f0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
126KB

MD5
a67a2a67230fbe02638f5dd5fcd04cbb

SHA1
dc47c845ccd448bfbed977f04c3b00057ceb7b33

SHA256
5c33b8c9bf2ee24e0737338875e71bc1e6d537c6134c10c632445e24d1212726

SHA512
fce9818fbc2ae8d183fb2154e1d9b440a26f6e500c72da2884366c1f898cb01d2427d840783b7476dbd348bc58bb251b37e8f4642d7e7704725527d28b2357b2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
244KB

MD5
2055e146aca1caac738b55b5a8ce546d

SHA1
965c6b93d3ffb0e182df3e231595cb656c6ed069

SHA256
84df1e7067c58f1a14c0457027ad826ce3dc4325284a17985355729d4ab2919b

SHA512
a85d5ca3df45a489eb524fc1fe30f7136fff2c7b18afe0ea944ce0dc325f4e53be5176baefaf331aa4f0ead8c0395ab14689ae570d12ca33ae4feb96a979250d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
216KB

MD5
f29c9dc6d85825f25e2224fe47729eb1

SHA1
f0df9dacb09a56d9ad248d4d9aa1c8f97818a051

SHA256
7319f1f102bf50355d19db0c73c1fafa84eba64d90454cd5cf3026f0f37ad7e5

SHA512
f9076aa120d4458abf55025101ae2586bd1652c32bad2d9e2caca84e6f9b13cfa22d5c58046e3c0f9884c7c665b536c657cacd6aaf85d9b9074a4dfe8aa78c64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
147KB

MD5
dec150b50b679402d03780266c944122

SHA1
090e74b840f8e83d4ce2710d121779b87b9e1ed2

SHA256
eef6f732fcdd2c543ac702ff7c41e89f9a2bf655f600052431b0be8181c9d48d

SHA512
0016318b62423c6a99fe584d6985b75d28bcc5a8cbac85e17ebb1525ae2b11c21c1f133e1c10ce46b5cbc9df6fbac6f47a1dc47799377b13a9c815a1418cac2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
100KB

MD5
df1a24203fd538b760022f8a4116df0a

SHA1
99f58ed893b6a6fba29476d0af1597674b5f2130

SHA256
fe97f7272a0cacbdd93b162a42773daf393e46ad97498021acf508ab7f8eaffa

SHA512
951c5578a06ab4e2df2b8279133f5133cadfb3950158907d72966e3328f259767b1f34b108afc54efbe581f742506c9c4d9d81103493d3111fd0e00ce3084b8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
191KB

MD5
dbac48e56751033683dcbd4474943e74

SHA1
bf20a6f01220b44cb3d94070b357452d53d4d035

SHA256
756fb66eadf87cd92fa4dfc370ce5e2e097f97413013b7d355b566bcd4c3df20

SHA512
6ca289fa31952c55911698e97163016e5e793fa7ae1450eb2f4b01a9f0346f06fac3d758abf3a54bb209d6e16e46568c7edbf49bd0fad8436872bda18f6df483

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
181KB

MD5
b01b8266ce8ef64f5ed53da3473df907

SHA1
a921458a5e59e1896a92a425736b5448992005fb

SHA256
62337495b8e72464516d82c78f4ba76adcb08eeca6036486c9912a2efa801412

SHA512
f13b291ab3b142dda446eb9dc854de7b8c54616c8124c44297b2b8fb1cb296238f8882f229579dce3469c31c892bf58548aedffe26181d1a0f2be8894ebb86ef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
232KB

MD5
dce4eca58b03ba5c36f42c17e8cc6228

SHA1
9b03cc792c4f184ca4a064842a379354af02cc7c

SHA256
7e28f69a1094878a6d468ab6ac42e2839d3b45eb1da3460f9239ac5ea0ca900f

SHA512
7f1f27d88f279dfea88a1f80716c4e099475b8295fa7f4fe3858f3e653827934945f95043d0c9a97080802a95fc16eddb1320f44884bb67040f5e9f73003868d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
425KB

MD5
ca303ed124bbaa117184a559317b02d4

SHA1
00ce7242a8f2f803bec697c5a56fb6313f6a56df

SHA256
6fb2dac032b01daf3bb0ab881be1fb6e6e638c3edded82324d930f37d6daf397

SHA512
00986f3f8bee5ae86968fc04fa23ee51edac3caf0c84d319f412b939166672c1140f9cc8e6b715a60e7ab901ea9ac074012f27d7e66fdd88ef7022274fe5b00a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
189KB

MD5
87e9b9d4ccf24524e0c5a30944dd1614

SHA1
75dff2a1df3fc7fa5134193161a7bbee5cb0e411

SHA256
5248c7a61893913bbea3fc85345e7d96a2391f4951fffb95a3f0b25d39a722cd

SHA512
f44be14e7059d37a92c8a427ea365546ed9c9035ddece27a99f453dec2a61680141399c0b5759e454fc7730b94d00130a2a1a7d28a7960d8de4e3bec80373287

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
103KB

MD5
375870fec21aa0663290d14cb68a32cf

SHA1
da19462cfbf46d1f0f5a4b6b660f70ce90c3c891

SHA256
be4ca9aeef5861d6f18dcaa6829eb5101e54cbe44db5a3a67d203bb785808649

SHA512
02fc61a37ec81075069cd178c8b65b65f9a8ae7ceed59ca9e3e95fed0274007185cb0c10fb0b0e27d8228a463c2d4c7195f02b4819f465e3b83fa5e1768bf246

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
288KB

MD5
218e002abfed0b4e3a70b21ef37bb13c

SHA1
090eb76e006d24fa71104182a70b01f1e4e87bc0

SHA256
d317cae398b509669973a189f3652a765f79df33c82065316eb51b34656d7e4d

SHA512
007510b7db18a13460d759c34df17fde5bbb626fba1bff935b5c9dbc57ac222a320ccabb4e3d1913ac03d326c8c91f9eaacfe2582de0fc4643cf048c335159ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
260KB

MD5
8e4d34a69c0a4b963829cdee70e1d506

SHA1
d6d3d15a67e2ba9767e7b435f5c753283f9d3476

SHA256
c06281f39f45d15db859cb3a0b8f4959d167eb695076463474ad17eb77137046

SHA512
410951e5de1cb10415df2d39c40490bae6dcf4618c1d5c9488774b668329d834924250ab29a7e9521e562d67e5dc7d8303bb5b516705d2c601ab88f2af5fe43f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b5e486661645618beda785aa0e21c892

SHA1
212f93f07902c85e1aea1831e92eb8f2b7527565

SHA256
578330a185ef8adaaa2027bac9f306f3d76ab30056c5891580f089e2c63e542d

SHA512
4af874648981d3a33b0361ba0afa6806c8d5555f17e44df5faaeab18d6a15c87ea11199fee2517e28a0a60f7f4c785180f40c646c4e84fb1e9e5cf358afc0959

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
235KB

MD5
3afc9b90bf66118e8a05868109fab6b3

SHA1
0caa6bdce8212b8200e9b56577895e2f168aa227

SHA256
58f6cfa76b93d81379568637b4b17fd51e7707c011262dba3d52a963a29970e5

SHA512
c41486af840633b67ae0efc1cdd62b6c53bac7aa1c5f011aab024e9414097ed6043eaf9d4d70b6021d627eef9cefda10bc2677ae7832aa9c390dc5b2a87a3c8f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
211KB

MD5
f476f78401bc616763c211e1c4c1896f

SHA1
7f7eb0a3b5b6396b3ff9fae4ef57932e591436db

SHA256
d78723f3edfa5c64d8cbea205eb04daaaf0f1e36c3027486f3716f21d5fffa22

SHA512
4547924c367b5142a090de5fe9bc330d673e363f3f1f2f0f1ef5a9e0715a7ba448238d759393be8a5753793635bba8688c811ac150b130fff21cb06ff88a665e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
245KB

MD5
e852165e0c32166e99f4b610effcf61e

SHA1
4a6f163756a73385efcc9551b1e22bf09b463614

SHA256
710e11e330fed2a5caeef32ac3b6cca7b91a045fe2d0fe7073cade17d5ea7cca

SHA512
a8a7625a63f2706ce26c1d3611ffc0a16a78e7b6cbf0cbb573a3275531c8e263824dbde9d12b693688d209d2f9c9fe2f73381df5cf63ca5fa4257e86e86b154d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
90KB

MD5
c535520e61f4e40a5c952b204ea17994

SHA1
16a77e68f61661bf3594d17ed6a9870c3d00b8e6

SHA256
0481f7be0f615591c8bb22539d07c8a0ac2f62b75a7378a4f75f7e61a5d87188

SHA512
704e0a53a9412e698e990c69bb6d8539e9c68f95311ec3ed154bc3efe40397ee2f39c75e19538eb0577945c6d9ca90c3c5fcf9a062e88f304ac621eec2e601ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
128KB

MD5
8b6d2a74cd26b7a4a3803a527084cf0a

SHA1
3f8ff7d06e3fe639e7dd535ef2c434527c48cc0a

SHA256
f8d89eada48937faa9ba3afc6359f590a54e88b172bd6c17a56277cab0dc4582

SHA512
0181a6a150821e16b1042c87229b91893093418ac033156785afa3c25508463a480b353825334d20be17b8d9825cb46d9dacdabcada02e1d2eecbb1d315350f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
187KB

MD5
6818a1da24bf2626e78e67818d678537

SHA1
9b1c8b973dccbbae6c5e8c120e9ee9f8eb0060b8

SHA256
c5436e593eecf41f762f51c27a579c9410fe60fab8aac2b1e96ec4beea2b67ef

SHA512
709e9b0989a26a441b688a182ce4c4b059dc2ede92d5126652037c8d42706bf91bebcac754ffd60f42540de127d38b33a546eb32dd3492522babeaf40b210800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
271KB

MD5
18269624e9390a39ec7c47fe2f4b0daf

SHA1
ff65107ddc0a339193e546dcaa89b65718963128

SHA256
be5b22ae92c00e3f0fa04b0cfcfab9c73492e3458df98861326b1a493b80bc5c

SHA512
0858ae5ffb639eb01a2f3a10e055a6587c55134cfcb15f01f5aef013c8f08527665dbe5a997bbc4f8c9146d6a2742da43fc83779f36525a2ff1337cb2474fed1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
249KB

MD5
b8fba6b75daa46f2f9722cfc3cd721b8

SHA1
90375322e3ac554d8d4f2b6316e46264a5fc9353

SHA256
326b513e5420bc2c87b20a1ce9113210c3f8fd4be0714a13f07e90459b2c8fc8

SHA512
83864d91961e8547e09fe5bd9aa93939c1b4f52250251ac8add8310c9b4f3f307a24c4178818458161ef4ab590ca2096d666de86e2d61a55576449576c6d8e34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
28b82d1e60cfdc411c03b5d798c24cf9

SHA1
ef127a9a844e568f47c772fb0812bdc5992fc3eb

SHA256
3994cbf0211477e5632bf214cc3d061ac84bae0acc27418db026dab94fd3d16e

SHA512
2565eede28deb780a6abdb8013daf2ee7a80d28b8e5482267d8e26bc8005b3dc914f4642ae24229e4bd6865b409907e115d2eb923beb217c418edccccf2351c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d38251106612c3109dc4dad98f6f18a3

SHA1
36873dac060c2844750fff30dc628d6736232327

SHA256
91af4d970c2ca9b9fba356384c0e249f96de335a8babdf6ab962808447aa5ca9

SHA512
6490999bb8d56b63a23a1a06f26c9af5f640e1ff53ede8eb48699723b9f35e6361f55aca237be3ad8a39d25528c1e0752a832421260a7304df5fef44674c9de2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
752649346f30f7f06ac2d482993812d9

SHA1
bff5ed9f8621636bddcd31e12db10ca4d78fcd36

SHA256
644b4be0c4e7ec5f7a169ee6a6975f65eabea548c85bbdca53c063116122c276

SHA512
5f673fa61b7d8cf358a1e9795231ed2c202235d7e666bbf373d6c93f7f8894e421d7abc9cd5eaf6a8765064023cd17b128da828b10cc412879408a9d7e2fb9c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
793KB

MD5
b4811e15d700e092834bfbe903c90d64

SHA1
9242772c32f99fc489e7acaa0c9bea7f81c954e5

SHA256
0392401a82323c10ce6623aeaf8cd9390b63d920a4ec002f5c54a1a35f793c9c

SHA512
9c6d2423428b555564e8bc24c2f226ef92198c4f1c132a5a5f846fb21c0bfad8fbd87ed4c6f9a55d1a64a6943a7d4e2e98a5400fe1f73873d5814ba678319c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
446KB

MD5
4082b74ab3fb3d33e110ad4ced1a596d

SHA1
780b8750b347939a18970edb8118a90f17b794b6

SHA256
8790a846f30d6303fdf4a091bc836490b1c63837b375a8744af0632d6866e42f

SHA512
f0922f94d084990d13f20b69abc260db03e9dfc4452d55ffa204694c833bb2e7ae1dfe82693fa3bb05aae12c7e646620779de33fae15e782cfc0344b85d6b428

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
348KB

MD5
b6d5d1fef6a794356bb70a0fceba4cda

SHA1
0102141bdd7c2b136d804a8de04e20335fb104e5

SHA256
60893f0cca9510b7895e797e9d4bf3aa6d95b9826dbc0da500535152197c2f15

SHA512
d6b0c9ef76dece0fb982787f239d693542ef241388761f130a3b92592b925b21f8d29d7b3c57db5055bf9565598d97ab8c734f17d282a1f4c06491bc0a60bab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
923KB

MD5
e3d6313d05ff329070e334e9771e0df9

SHA1
6b80b407db54c17c0dd0d108c29c629e11f8b2c7

SHA256
c488e691c436c620e4b65d5da65ca414eb703c466515e63a91234da2b6c66ad0

SHA512
e274e6e69efeab8d6167bb385db6de8fd1ebdb53020eec546717ba286fd28c25d117d02bbc9c959a09126d6f2bf16941fe3911557d2d7fa7e081dac2fced4bf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
671KB

MD5
065c734475cff725d1767f0ef41f55d2

SHA1
166318aafe62a949f2c578d1155b843df2377a89

SHA256
c0a0e4fc427e1f582051b7d7185d022fd647bba21010c7d3b6eeae0c977cc3e2

SHA512
c7b10a12803c293d2cedc8bb3cfe722468a503c2117fae91d03e7b23e4f5e2afb59c913acd4e01d293dfe337a7c83dea0d6722d01096f3144f8664bdadfa1e57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1KB

MD5
7c7671018761ddb215665041da64f452

SHA1
edbaf565f4c21cb2bf13d70a750a726fad6b8275

SHA256
66173675ad43ae8b981faea5dff0aa9814f85a9138ccb7d2079b4dac532a8047

SHA512
c2fa7176de7eb64eee2184b1b6eddfac163edbbe171863345e0db0a9b70adaa28cbb0e4597e4aae6e5210358689b9f107bb8f66c8a3745a274b5150ff68a0622

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
592KB

MD5
789314b0417ba79fee8d68d946acf6ad

SHA1
6fad7e2ae72418fa969d7f15c7580271a7539ec8

SHA256
e7018ddaf19cfccaf586b2a2e3f0a9cfdc9d5fcd4876293d9f89f6a078067335

SHA512
3b256d150ae377b55c2f1f7f9b55ff5f5a382bb016650a8caef0217e46043ab40d55a9c960c6c26b1307f0a50e9a2edef9e81e69722dea11b6e8c76cd7b33643

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
95KB

MD5
5cddd04287f3d2eed8522eaf2bfa9b1d

SHA1
9cd2f0aff1b3140cfc8e5717c47be17662c5f0c3

SHA256
6d848948efcead1e808c8ae5497e35b436f719b470f16e9e816be57af71c4361

SHA512
8dd4868600c0d1971ef1b58601c2b7fc329debece55ad530cd0f292498a489041a17a125aa6895ee5e1088b7cd64bb6d0f09f23b79ca71b96133a3213c46ef55

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c9d01fe6f6987fb14dc393e5a85d97d7

SHA1
a23d77b996e7460d06e976d79c5d5a62c555c2a5

SHA256
db0732c39ea39aeed6edf02aabbfe456803ccf80b9394bf16724639066242290

SHA512
378f6901a593344b4ea60fc86ccb8a5affa048f6d8d47095e6b329f61171d9f19229552e987344c79e69502604ffac956fd83d65becaaf2836e2712ea8bd57d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.0MB

MD5
53f287c79a7aa3d20221b59480d061df

SHA1
580df21505aa4176a59414b84c40b60f6a68394b

SHA256
3c4bd93603270191383ff1e5fb3e9b19069398cea0871fd96981b782944230dc

SHA512
456fb9440b0ef2babb5f4356df2ef7b75ed00697618deff1ccf19c6a4b83f195866c82aeefafb67d1021c2fd0891f591a9dd4c988681f7e57506d2faab6f3a40

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a6d6e2deea233d945e4c2700d65a4f7d

SHA1
53175e6a7024d9de7d066dbbd9007a7ab9967497

SHA256
9a05318866245161b8592f6a643f74554487575747ce6f30cd9863ad3a9fac05

SHA512
253e9d58e086a36bc72003ded57314d7715b377d71a91a5606c46b787f293de96298e556ecac94bed57fbadd3616be2bda45ac92bf42da4d14f23dad03e86bba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b3bca8a05fe494f87670c7fa8d60b585

SHA1
7984a7f20d38b78fbb77e4261e75398102bba6eb

SHA256
736d705c892e96e3051f60aa618b95547ea2dc266b3c063c9894d8a587f6cf6c

SHA512
21c1a81c5640837891de17c36f994692c5a31ed09a6bfe67b0dc550a4d5aac3f3f8f102471f05b982d3bd071910a37478aa37730b9e57dac7398a68155001513

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1e342af6de16f7cfe0944a1daf5a9002

SHA1
72a4db2fb97cae50fa547a8d633105d211ba0552

SHA256
2d3cee9089b45b2da6d78e2a0a95229d490d24c31f4a8cffdc4ea47a2e09ad51

SHA512
21c75de3b64dc9a4925835f701f517b4ba983bcb5c961e1298172292e7a7358148e9f6f40de5743cbeb350ccc8a0e8bd49746d9538ae22cefc941255292c5ac4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
233KB

MD5
a44ed909a0e69f4230fda6a58857f651

SHA1
ff4fc83b26413026494abc4d43055371f7583832

SHA256
09ee3465aeb7e9eac29f75eb3c41f68ca4ed3f1d1cf158137a9835286b3488aa

SHA512
556fc207a7bafbc43051fac66a2b39be40a8da3a8bfae0420617c9bea717f757904312adc756fbc14cf7e265acac335ab900eed6aa5ce9c10628c5cbfd52b815

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
402KB

MD5
f6019d425a784a2437e163378dce7a60

SHA1
98b570e7d299a645039ca23069f41b7ad8322649

SHA256
7969de6768d57ee52b830a7b0ebc99da3840e7adc0266f202adca785e0047583

SHA512
d9c78ae9fff6580086fff866c3d70403e605b01c0b79fe7e3a45c1becae02dad0d25a8e7fd728af707eb838db039298e05298e7d6b1fb311e2a1145972aac44a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6abb17955c18607adffbd9e69959e2a6

SHA1
a1c8cefba2ef4cec53db2a91e4c03f93c732ae6b

SHA256
38c4bd20bca6a03b9975e386f79410e34810fbc479c3d68c3484598f8f31f58b

SHA512
ff9204e769f8a2ae91baa354fc51240332b7a4ddbb518c1dfba1cbbafa67842d74c908dee0156beaa329cef47dcf5707692df14c65c3a25524776c9d566a3021

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
200KB

MD5
32a576baa0b4e627bc0a27e7f256a560

SHA1
a423833864713157bdd9f01742ed40af4d50be97

SHA256
3c488a1f73c3cec8ff8809a9ef8f4d487b57ec8413afcf605bda9bd2e8d94302

SHA512
46bf7a50fb3c08d74270f3b5fb102274158b49401b24d85745e7aab9f96a8c12465557846476c4fa480e9e072710049eb2fdff3829ad5794ba533907871fdbd9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.4MB

MD5
b3bb14a11643ee41cd2d19a8eff9d415

SHA1
01e688417f0dce6161f067cd85210d8a0b9f14eb

SHA256
f1425f0db9c346e2684ace243e6471f94ce3bb7ee9de76e4d3a4bec33b4bcc98

SHA512
e99e01110a88e2a7eb104b91170dcacb714408b52fc95b5563ca4d59ff53c0f35b920280790f0d082783542328429c3fb4ba79817c7ef46e6e1fd248208457ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.5MB

MD5
995b30f444dd8406ecfb02ca37b37b9d

SHA1
2c42e03bd6432b468e40ae698f8014681f3a7c73

SHA256
ed7221e8b0e7b347ae4faf8e07db82283b0ce2002e89c59ac7caabed48be3e44

SHA512
78184c767beb356fa14e39bc75d79ab7dd6eaca631f1714c5b1746588bd4ebadae2d8c567001933e769533065e7e553a84afe37771383d9430601ac5bfa9e803

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
912KB

MD5
3bcb2dd2a309db5f2a1e14a63114d7b6

SHA1
7cdc02a84434fbd3fcd8c3ab8a1b37f05aa8f460

SHA256
a66951c9141934730f9dc9695cc1948105830611b7dafa028e2ddc008997944d

SHA512
6fb9e5e2aaf81ed3eefd54cb0610d3a4632dca3b87c1e6a13aab262542776b98c9a5e42cbfec0afd69096bf4c9ebc6111bfddb8e1b284be58f26187ece0f1663

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
180KB

MD5
517fb2dc51f930c1816b8934723a0daf

SHA1
f4392a52c05b154ec82e600a2be90999b8f96878

SHA256
fd9b5f6671d05f5465d6b53189b3f29889a160a456f39a26468c3cbca7640084

SHA512
c81ca45e6128dca6d5696354f789e1995f6efa2b23a77772567c47a4749e5690473d6b612ef4a8b818246632907814795a7fb4122eb897a86a1a39db29318ac2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
500KB

MD5
3ba78a667cc2c291d861404115ee94c3

SHA1
9df2bc573b8aeecae2fc13ccc404480365360529

SHA256
6000c136ad9cbf64453d56e9989cd690b217d0e330cf65e4905feb375a4a01a2

SHA512
375e7dfdfee1747486be4f8782902393f8a833a02e14ab58501849355c9cb4ca72918bec5a9459056c73363e0486a891097a421a4117af23b5132f4488c48605

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
8a240d916987456637281f83bd6f4e78

SHA1
2240790a77b9628ba90c59f4e39ab70c775a1ad4

SHA256
20b440b3b5e42a3209615a6bda7539e96c23f233c4c4bd36b6ecc262ff7db0bc

SHA512
bc0d9d183267a8d9b8976cd7f2cae9addeeb7f42dcefbec633fdc6ac3f4553afa67969a0c3780dc283dcde4e97d25bf1cc4f3fc4d61b3876217ed7acd1ad549c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.0MB

MD5
9fde6b945caee666926ac4d9a2fe80ec

SHA1
0cad7563e423b9b30b043472d567a70aed0e0560

SHA256
6e91fc2fe7ddf74c65c0a427e99976855fd6858e66e3f9fb28f723b8ca3097a1

SHA512
62be144e96a82d8d772a4a35d8d9fd11f9f9107d14608db4ea1bec4a1e8924be53601f589d4161f4121c1de4f46cc7a0b13d3833d875f58a1c1bf6aad64f2ca9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
925KB

MD5
4b422ef0da37b2957a925d7acdc9d52b

SHA1
37b0cf364439cc31e033b42e37c0a5e7844d6dad

SHA256
0480222706ea00464958b221a81affaa5f1673433c1fdb6ebed3be3241217184

SHA512
e692cd6f7560b2aa6d98c66d90d3b593fd71d7bab63587d68db98c9f653ecf13593f227a45529e97901ae049415d0fc5129c58b167e258665acfe427a2463476

Download Submit
C:\Windows\System32\vds.exe

Filesize
359KB

MD5
af320b0b23657124770aaf47347748c6

SHA1
5e26df9f1e3050f926e6d4752dfac529a2dafb9d

SHA256
37366c330b823d8d982187000019a7995821e1139bf5ce8ad03221cdc2864b49

SHA512
3ef6faa8ec03f373f9d331a242e995d1abc02b870010b0997cd6912c6f141e5f66f725a9b429311c2cd0e2fbfd44f0e345daf8c5c71bfe8735e3e4b9edbdfa4c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
274KB

MD5
2e97bed50dd7aad642ba49db455ebc8e

SHA1
1825427956c677041bcc98cec922769f31203ac2

SHA256
3a3c11ab653298531bcb60debb222c4e3df90457f2b2472b64839e7f0a960a45

SHA512
d4616ac17cefe56606df03009fc810ade8b338bf4131772b052bc31549c01c963fc523ea285d11447e744a9853fd3e700912467f058985f150693c730e076180

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
182KB

MD5
ba87d4c0bdbc9e48517042604135ffa6

SHA1
ffff0176b8c116e953111e1074ee0dcdf9ea8e9c

SHA256
7a2e0d46ce9455322a3c724c1a38e00db5f11fa06cffe549bcc683677f0ddefe

SHA512
01550058dfbeb9691abed5725849768067c89136ed0622c23996539aae0aca1de046600aff5fa67994ba2cdfcb31e098e04d59148f6d02308793cd79c35bd3a1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
775KB

MD5
2a1399e3710b858fcf2c153eee970dc3

SHA1
21f5be006d2a246ba943fefb0ecad00e61523cc2

SHA256
f5dfb64bcfb47c2620ad6301774476223985bd4d503183168445207d0ce31aef

SHA512
2c134ca5f2417628252bb2587d8dc8ec9ce1f58e62eb32c52de433b536ed04e51c6dfcfbd3962e2a3902eb188200e760f0204d83781e0109d13d7761591514af

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
449KB

MD5
77b907cc43cf8ee7d0143f3a07dbf24f

SHA1
578255407f23c89fc8f2dd47a6648af4a0b3ee61

SHA256
ed1fb2ad2650f7a065dad1b0967c9c096ce0b954555f82653b2ea87b465135fb

SHA512
45d53b46eebe24fbe3362c1a58681032fcdea97cd4b945266807d124e6d5b0d3e54289b9b5a625560644d2cdb4722ab334b00e4a0c0a40f1e4be4a1fdcfaa612

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
509KB

MD5
a8843332b95a1831e89e835a59f12285

SHA1
55496e47c998c532d93f61b91407507174036709

SHA256
4fa1b17a1ecd5a8eddc95f4d95563ad4e49d575a637ee179bda28cdeb5601e13

SHA512
fe9e21aca020a94408663f3734f8ae7ec084fa75f675250f1ea4bf55583b767c9a9658cbc6591934244a3c0401afe5d40d3f46c06790db4251ed0bc00847dea3

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
489KB

MD5
d1e0a84d56ae36a0886d5e7d594715b8

SHA1
8de48340fcad1557fa8f4e3b082f69952f412da0

SHA256
dda981716e51104ba2c248b5337209fd22190672abf59e153f590492f333ac1f

SHA512
c8c2487ba82e628d70cc72cfa912a77a6afb519f706f9725e8ea31b81c76582eb7ab650531df3bce1f6be28af0136e9e9ee26a9df62fc8947a1478726e1373f5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
579KB

MD5
0bca8dc2cd2b2671f7702a8ae181ce06

SHA1
1ca0c2cb091458bb171d8e3d30159a011639ac2d

SHA256
51fb7dd0036f57f28e0b7d1a422a3304742fcf9f54d7e8eca5f1fa794eca5f78

SHA512
042c0625a1b1c7c14e2623c647bc9f2295b2b8c92a21fd45512fdceb716375e7ed9953e39d39f7a708f0800b287a6347511af3e7a612bfc27b1729c8165b0987

Download Submit
C:\odt\office2016setup.exe

Filesize
42KB

MD5
c4f71d22846141e7e884b30a25c001ce

SHA1
c8a86e67e59f2d1e58b2e430efd32aef5d15756f

SHA256
f9ae6fa7f762214e48ca37f191991f1803f94a76ecc9edda8667457d3ccb9e1a

SHA512
393fe264a7e0bb5c3ad24b2d0746ad14e77f6fa6ebbebcd57495738de571de90015ac2d24eb8de288ed8e21961ab787d8422bd12227d6bc7276337a8ebd5b257

Download Submit
memory/1032-100-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1032-93-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1032-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1032-159-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1404-185-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1404-240-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1404-177-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1416-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1416-279-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1416-339-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1980-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1980-116-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1980-115-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1980-125-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2256-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2256-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2256-228-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2476-122-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2476-126-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2476-111-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2476-105-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2476-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2828-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2828-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2828-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2828-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2928-340-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2928-349-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3312-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3312-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3312-14-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3312-144-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3504-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3504-146-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3504-157-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3504-150-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3504-142-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3620-323-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3620-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3620-669-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3684-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3684-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3684-254-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3904-231-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3904-241-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3904-301-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4048-362-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4048-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-203-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4248-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4248-299-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4248-293-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4248-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-161-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4340-160-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4340-168-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4340-226-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4356-656-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4356-309-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/4356-305-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4376-336-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4376-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4488-214-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4488-271-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4488-206-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4492-130-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4492-501-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4492-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4492-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/4492-7-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/4492-6-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/4900-260-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4900-327-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4900-267-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4964-253-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4964-197-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4964-192-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5560-670-0x000001AA3DD70000-0x000001AA3DD80000-memory.dmp

Filesize
64KB

Download
memory/5560-664-0x000001AA3DD70000-0x000001AA3DD80000-memory.dmp

Filesize
64KB

Download