0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
Size

753KB
MD5

bd783801128f92cc21c3ce98f35d8ed4
SHA1

8e19633c5689dd05c04a48b5971bb39306832190
SHA256

0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d
SHA512

dafc7a0d61b755a0be787b8b17068db40dfcb089250e58a07fb251a5cfc9b1230ecf7c44a7b5ae2bd2bd4099e81c5700a3043cefa762dedf6a0fbdea91d84ac7
SSDEEP

12288:ylGcd4OvXkLGHj0qTDzZFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QCO:AGbA0UTPZ8NDFKYmKOF0zr31JwAlcR3Z

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3488	alg.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
744	fxssvc.exe
1460	elevation_service.exe
1800	elevation_service.exe
928	maintenanceservice.exe
3584	msdtc.exe
5072	OSE.EXE
4952	PerceptionSimulationService.exe
2572	perfhost.exe
3004	locator.exe
5068	SensorDataService.exe
4172	snmptrap.exe
4384	spectrum.exe
4656	ssh-agent.exe
1192	TieringEngineService.exe
4648	AgentService.exe
5048	vds.exe
3968	vssvc.exe
4288	wbengine.exe
3932	WmiApSrv.exe
3028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1a4e68f205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\System32\vds.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c15920cea474da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dbb41cea474da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a61d44cea474da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000667f46cea474da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052d332cca474da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd3d40cda474da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cfd58d4a474da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000593535cca474da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4728	0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
Token: SeAuditPrivilege	744	fxssvc.exe
Token: SeRestorePrivilege	1192	TieringEngineService.exe
Token: SeManageVolumePrivilege	1192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	3968	vssvc.exe
Token: SeRestorePrivilege	3968	vssvc.exe
Token: SeAuditPrivilege	3968	vssvc.exe
Token: SeBackupPrivilege	4288	wbengine.exe
Token: SeRestorePrivilege	4288	wbengine.exe
Token: SeSecurityPrivilege	4288	wbengine.exe
Token: 33	3028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeDebugPrivilege	5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 848	3028	SearchIndexer.exe	118
PID 3028 wrote to memory of 848	3028	SearchIndexer.exe	118
PID 3028 wrote to memory of 4844	3028	SearchIndexer.exe	119
PID 3028 wrote to memory of 4844	3028	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe
"C:\Users\Admin\AppData\Local\Temp\0fceb257957ea28ee298562213f1b5bcae165490bb1a5f45898f479ca5c5a46d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2132

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5e9e0bd610633995808fea6fc90567bf

SHA1
d5898fb26278fe0a4519f557307a0b2c92050987

SHA256
0741913b5208c51eec8e462405e28becaf6f6a534cd557861e3b4f629a934a36

SHA512
6b0fd446e7d726fa48bd868626e0076d2909b4e95b82f72939c19bdc829bf26a90b27069c60160404f564c464b408473a64a969cf4d539811658b95ae32263e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
667KB

MD5
9176771d59d6f040adaf0ccf7f020f07

SHA1
613e3cdd275786f8368fae45e9e6856c92907a12

SHA256
0720f21ab4fff9731e0a2416898f5a005ebeb721536c4a71373ad42b107b77aa

SHA512
9c93ac1ca4d46f6f73661ef3108434c56d7ac20830bbe2b7ab2cd77aa18ff979877e238c1e0867b75821de00a030412ed753010ec3ab31f39e4d694c29daf02d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b2719d5242953148c2734d4a1a4cd74d

SHA1
aa80fee3a5a076ae0421c1b80125058f1d5c57fd

SHA256
b040bc8d16ed81074441d2008323a7b78575957d1ef774ac6121fcd6be6e71a0

SHA512
fd847157abcf58a9ebd2cc4d4eab1d91456938bed94221d4909167c125325c500d5d3e7164cc7c328f9f5b431e6bd9277f7797bcce844f4f8f0cafad83e6f351

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
518KB

MD5
7a1d66213ee03b430ac21a39f180936c

SHA1
7abc45e077c2846191a8967ede67b2444812803b

SHA256
c6c51f803b70181faa9ed891f0d6b77c0f5a37d427260a9e162faf37e5255bbf

SHA512
ead3021722be02ab898b8ce0a057beccf98e28f4e92c66b664a5a2220c9807e13bce8aadc2039d84759d4659758ad7ad79880c1c5c722be21bcb1ccd9e6a8f73

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
544KB

MD5
46c65f1bc0475dab1d93a1b93e0bb1e9

SHA1
c98fb9e6cb6e559afc2a5a5bcd94033d550a406e

SHA256
20f2d27aaa0d5830e25eff928af71cd00bed270f791426e4c09b3f423f9cab12

SHA512
12a51cb9595b3c16244479d549fbf59367d38c937a3b00e05be241f3f977c2e2935132be19db25259c7faf5a2dcf2033d3fed7360a2651fed4ab709852bbbf2e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
443KB

MD5
080ddc6d8f86bb55ee59d400ae304dcc

SHA1
bae80cb89fcc60259df14f7b5548638d358b0213

SHA256
4d2fa1fcd796c2b5f24121780d0a66d01e80fc387e2be53542fbe2ae422e766f

SHA512
6a969dca67a1eb07587258983d7e3718134155144d53dc18d2e2e412467579a588e4f24e42caea02d02191eea3c4d833c2c10e59946ed037c752d8041b85dac6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
239KB

MD5
2f0977d9ee48d623b00ebb584438c3a4

SHA1
a9ecdece7cb591d0e0cadbd2a986d29b31e190c2

SHA256
311e299e696d52224be23c06e7edc70b17c49eb67e3897520be160ce51f57c81

SHA512
f6712fbd8473148d4c15f4c9ae81ae9265b538bc526b180bee250207fc12884a1c1d1f9044316587283aaa3ed412078f7ac948c2dc4540c5dc196fedcf0b2d16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
293KB

MD5
1022ac24de4aa8465a877de512faa004

SHA1
01c20c5db18ac284040ab78794eaca45f7c4b393

SHA256
1669283ad410b9322f57b5f92a3363f3294609d4b4be6176c46ce60fc2b630a8

SHA512
d06473402a9439d40fa1b08db4bb5485faba31d0f1da9d0e6af2dc6d069872dabee3092e5843bef2c5142a37cc5e35cdbbf7e050f7c5e0219610fb2e4b35f105

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
211KB

MD5
117894b249c2bbaca26beceb9472ffb1

SHA1
7b0d62c13c31ded0f0c61ac7f683a5ff7fa73b01

SHA256
63061565fc8152ac37c0aebd68490ce20633afdaa501aae436c02f71ea4e866d

SHA512
3f2df855c62ee8f2cb9e48a2b81ba90ac1ecb0d1198240a71ceee0aecbd4a2aff1a40f3e1d1d437c45be5203b2d46a68756ef843f687bd1e5466cf18df55bd75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
312KB

MD5
40e67fab71d5b8fc37fc45a47996d1d7

SHA1
4066f31ff7599bf1846d642bc89451eb314e3680

SHA256
9a381d37a892a5872808bfc9742d2a882c921d9b68b686dfe564249721cd036e

SHA512
bdb6abd01969f723cd3db92154d07335be109192cf2efbc61e29bd3962b0179ad240420355f76e2710fce1c17641b330d7ae22fb6e4050ae754b33bfcfd94d88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
143KB

MD5
990b4ff93b1df0fede68df899e74568a

SHA1
e6d3a878c41d4472735c3eabeedf31828e15e1ff

SHA256
2968c50b5a907926b45489318e2558d3e1f96bebd13298ea14a04bf2a6ad57e0

SHA512
4e4257bd90d7f7cb4651a6443e03add2fcaab254c7e08d8b1ddf150cd294bba6fb7727e986f00e017c9416a6f84517d18bb61d51a99534b013be5e041458f1a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
197KB

MD5
4e13062b4bb6c15d259ce7c7467cc48a

SHA1
ab92e1fc23c410f05eb9be447d84dc2a0aad741b

SHA256
dae6f204bf7f3ca9e64df109534d67dad16c5f6e4a7063aa42735998bd8608f8

SHA512
91c15d732f8af6c8f4aad5e937bf6c77d1e529acce5c92540fb3fd568e2abe59321c39eb5eac32ce83668f2b93fbdbb88be15c82684ee85f64a1b616ba2e849e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
41KB

MD5
f3c9658d0bd8fd80c534d8a8cf473259

SHA1
2c235a448839cb3cb3007bbcaed82634bdca0818

SHA256
1a7eaa15279eee213438edb45f8589c8491644bb0221713736703ef63ae0216f

SHA512
94dc5b62aa7ca19aeee58cb5483f9efabb015a4190891be08047f5d5442f10ae1c37510b142c9ece5aa21e5a14f1afde47301c4a72be30180b978da59c099c67

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7878806bc53b6a28d9a1d270b334786f

SHA1
5d7cb4f8d6da933d497b4577327ff05cd605a6e4

SHA256
e7f1037fddce32abf13bcc5cba8991ff318fe1004bd2f84a3e564426f7bc686d

SHA512
7575a07dac0f64e34355c831900103ebb64801c5485dc05fd835f0f55ed7410848db0bf0741d8e27a34eff883f80e6df2c5c2a48b30bb5993f14e68ffab9bc31

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
470KB

MD5
b2921388fda72340571a1a6bfbc6cef9

SHA1
d99cee16f7edd9bead2c3c65bfe0b5eefece8425

SHA256
df36b21ace1048f69d4c4be076a41611d154aa075fb50749c6792f34ab51a545

SHA512
4312315624799e962e1b94fec60436350483cca05ce81a8578ff47d66ac76378009bfe5cac9ef62758a3a45af4dbb2eb598b7a5b5085e7a08894f00c5a5c36b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
559KB

MD5
130a2b6321adcc79d8c32a442b1fe711

SHA1
005a22f3d3f51996b2892f703426220a9372cf16

SHA256
9394200d71516a0194d4ba907181647e425d491d3cf3ec9caafff5e9049e53dd

SHA512
c1d30e523c5be40c6a44d6bdd28bacbd28ef8ac13240212fb61dd324d92794b93a626d1e266d65eccdd7ac33f9933271dd6e762a068bd7a7d218c8069f845ada

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
303KB

MD5
b47d8feaf56d4af80c0afeec1b0a7ac2

SHA1
11b19ee40d64a160504647cfa2fc2130b6cdf7c9

SHA256
843ef993e3a2186c1e91dea235847e4078a0d8285545a39f242e5d5ff2f3db2b

SHA512
0c0c27b1dcdcd901fd3648fecc0ea3d6a8be1fbd113f7ad5c053ed086be47c1fa1b2bd7f26be689dbcce258b7aaaee26fbc6c51915b8d8ba39ee261a0db88b0c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
784KB

MD5
4d61b85dc0897f6072b1f34fcf328166

SHA1
f261e33145571d433d9254896aa76b4d07da047c

SHA256
035c038493f700eb7159be23691dfed924c3d0bfba7e0070416e83e68cee0e6a

SHA512
7494c3be6cac1b5b03520f2401ba0b00a2c17271baa2692b6200c7ff07da41c2269e48f47680b5972efac8ec65751a6b78aeae479ac199b0d3584b187a9ae85f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
448KB

MD5
b94a9b77127d4e5483ea9790f4a98862

SHA1
b6c3c2af9665b5af50e3a4ba30ea5791ecbe2294

SHA256
a4a7597374de8031f28ebbfa6c2a5ee544812beabcaec2f38f2820aa2c813064

SHA512
e031df374f4b8d29804c57e87f0f444f7639b5b99b9a13209cc805cde2b5112213c1ca54fc0c3052c34e337c21e0b220053f091664cf7c6ed8bb28d2dfbc2819

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
326KB

MD5
6adf4c77963e4c7aaf55c12ee4ed4837

SHA1
ece45743d3577915e2954709966e2d6768509c4a

SHA256
bed880bdfa26203502bf3aeafc5b52ed7f13f4a309939f4d26dcb4d3b4a0740c

SHA512
50ae8f281fe07a89e3212df1c4f2c7dc8e5aee1dbd6a47667fc6f203eac7d87c02e884614f1dce1779307ff0c61e86199905cfaebab42069553842a9abcbeef8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
428KB

MD5
d010091687834519ac8677693e7b5fbf

SHA1
41c6b07db956a3d4e077c7d28f786419f88f8498

SHA256
301b083906e80b80f774f7de03f80a6f15472115c0d1edf6b89fd56942a74407

SHA512
f00946f24a294859456ce8a12a46ef5f85dcc11e8888595a49e55ae892ba180b2b11f576cf482b0d56bd31ba364fa641f826def6c899695f7e80c38e8b6385a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
314KB

MD5
ba62d2a63626dc3d3f269602698bdf4f

SHA1
37074ef0b4b4235a4b2930b03a2ae5755937efdd

SHA256
b234cad445193767f585896305d0282c88d5114887841dd12017f5ca98ead53b

SHA512
e851b7e371d39bd95bde6d92ae409f0787b43bac61bf01cc1164ade2aaef53961c8f8901bfbda4fcf4e5009e3bf2f7f8965e25f67cad18ac04c1d7637e206eae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
462KB

MD5
616e4ecad64138c958b545273dc73b15

SHA1
be931e8ada3469e3b0e4bea6eeffd27a8bcf6653

SHA256
447ca829ad4122db11170ed52e7c315dfe076a0a5b69aca79d8ae474b5c23fe9

SHA512
a6725de6a1d35ba18b0ec6a26d7dbb22c638001e5a1c9b58d7c7d05d3f43006c2c710485405e2cf3fbd5a8497e5ebded5b9d3ff29457fb20c16274719360ae5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
256KB

MD5
5981ea7ddf4aa966a37a111d702d6d42

SHA1
71bd93e89ab7f121591888483df203b7a82352df

SHA256
326ba5117510cf89b18fd68faf751128356925339901852c35bae006d1f1b48c

SHA512
39aec82204ae40ee97626e2ecc3aff20da1996057aaff46a780901c10bb045ea69965877bb8dae098304d9c223e5f59b650366829b0bf931ffc911c91a1043a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
340KB

MD5
79400385d45720caa462a1ba670c7e7c

SHA1
46d5baf35c16c06e394ba4a1d63fe279459a5761

SHA256
92e1001b9e3a202c2f5e4ddfecbadffe3db7a0f2487dd529ffa395eecbff3657

SHA512
0e4ee4df6478e45485c9114ee9d5689c92d33c296849f38f721b39882c0c9a18d53f799c11e4db8a4d8bac8257a35207756ae15e51d52df6466bb87afa8cd819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
295KB

MD5
649885bad4e91c69e027669eba8c0f85

SHA1
48a61dc28d38e0a29d9f2bae9ea356aa8eed2493

SHA256
1aa81090d8a464236874416c8a2307338cad79cd1669711fb22cd8cad13a0035

SHA512
45c8b452098e632acf17bc0fdda6bf9f3190748fd1891ce1a3d305c981235d887a3fe400e2c1e2d9beb403a5aaf39b0a0f8710606e5b17432a9b666e4bb7b0d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
253KB

MD5
c47492b1de2ecea2e93cde7e84fc2108

SHA1
25924b54b2d0a4e47a67194d94170dad872c42dc

SHA256
e92680d2cd25b4e8c96885e9aa6c2e60c46014b350d574f10edf57bfe42b19ea

SHA512
f67003345fd521fbbf5028660f31afdffbd08748b4264ab83245683c72f02105e5f2373ec18946ee86e5a027a6f228279772677056630139aaba5e38844fe192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
374KB

MD5
3b5e4ab27c0a999578331d244c0e6e2d

SHA1
948cf253ef3b9838526d86a26eafd0f09fcf2383

SHA256
29c1d4e666e8b243378f8311f49523073035c722ad253232f2858a39dc5e76cc

SHA512
5a1bd76903a86edf11369ab5be5a25b8ccc07e4a8640a8239aca70dda2db34ee04b145483e023924b32d213961dc007c8c6e289b35bae8c7bda47290330089cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
314KB

MD5
85f944a7614476d79038366ae7c7a7cb

SHA1
33a904d93ba2850dc8b111c8afaaf605d3ea676a

SHA256
dcaedf6dbdc058b4bb71e63fc75849d6e81ab24e4cffc5c472267e51ee432a33

SHA512
060bd478347bbeeb4a12b9196892cb7490b766a03566d7bec74273bd18b1641f9e4b63c4a20380e6ab896ca20a9493a097db4dc0064ce72957482da348554e4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
252KB

MD5
0d3dec486918677e22ab8787e214ab6e

SHA1
a90e02181e4a23df245e40421d74d9c5245973fd

SHA256
69051ee910a234e594c8edacde8ffa80872d08c2a2e9e64be76bb0823accf73c

SHA512
625e570a8c3b869abad967775dbd5073d4f055e52f74ff691679199be9b772661a0cd179b65ddf7c28f8aaf671d8dc97366bc906782f37b9c147abaa85a6c325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
183KB

MD5
ad54d613545b655b7d5446e77f82c5e3

SHA1
c107b1ff3de50e332fc3a0803155c1701fd711de

SHA256
57c7c47eb1469b435d2985ec41b47047f77f4b1f84346300b70bf56eb8c927d5

SHA512
ea0262cdcd66f42dc8f5621c43743b62adc34439fea04ab7195723d82a47b14c3e242bbfda09870bd1362ce8a25bbda609646a2b0d5326d493ecd9487f076101

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
418KB

MD5
763cd5170af7d6fefe2b8300958a1e8b

SHA1
c1a77e6fd70d27008a07151e8d78b6b1869abca7

SHA256
b7ce0f3613b7765ef0dbec2094d29fc37146015953dde3b20292b0b946d964c2

SHA512
4268673b71cc8056e82ca4e47a6d0e94ef2c6d0d59fc672aa9c0403f1014916e4b921015b91477a39532257c7cd566d3c8cb51444ad98226282b4e6718a308c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
312KB

MD5
d6c004e2b2fe98ed570edba0ffffa05d

SHA1
c9d88ff8c4ab950c202907f9b42a64506785cb89

SHA256
80288f17c8dcd52b88b5d055618480d7a0124eead329b5f2a9fd583a77919972

SHA512
75c4e8c97e581f35e042a02d959c2fca0af6de437226965184f9394d9e0d65761f4e3303ecfcf584627cbc1237780659fed3dd17fdfd79b42d48f35c1a3ebd03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
202KB

MD5
0d05b6756e990f10028b487f3ff3d819

SHA1
6a9150ee354eb018ab055a90e8aeaca3f21174e6

SHA256
9e7622003b1af0eca4d86ed62578f2137e2cf45d1b725d4ccd33e0bdd457e326

SHA512
ccbd9ed9f9bcf127ca6896ba68919012801bf0be177d4cab2f1460ac5bca355b16a42116c5a88df922d6ce4f56dd542634164e70d4446d3878e9800cb2fdad07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
167KB

MD5
e96b9e2f8e68f750a55a1f25cab2e976

SHA1
48e8da8dec29bd143dac4ba7e46648b4cd99841a

SHA256
4e8d1bcf81c3e8046eb051727cc1fc17ea5a2c171a467dc9b0db35cd1cdbe70c

SHA512
983c72208af8f4ee36b1d6b2229baac4332a18bade2451a804f6843adbeed18bf00b2ff6e240a99ef5d0bad0920550b330096204472c85955708123e4ac561f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
290KB

MD5
dec2f88f8522a8cd738fc96a257b8cad

SHA1
a68645e0c74f5e4a312e02a15bd2c326d3d73e6f

SHA256
260ae964232b57d0d25b4503dad6369a8acd4785b0c4d8662255f56bd4b27df7

SHA512
e1cc0986b53b639de0d29fd96945732ffd48f5741ab45601d157594ac7cce348260c70f5cc5d4744031ecf1465e3110525c28c2b0abbc91d4958d115f64464a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
177KB

MD5
e8ae4cdffc8bd0d67010b510e0f043fd

SHA1
c068196ccac44d99de598835cb01c7606d074f1d

SHA256
7510a079b8d91e73fb513515ede3da32eb22ac1656c41f3bd46412c8bff154bc

SHA512
cc9a3cc0aaaae55461a7973d09c30610391e17b6f480de18c758d7cba0b193cf58531c59129994e6451ea9bf4ddcd39fd0b662552a229d94948970b49973d153

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
471KB

MD5
57136c759133f89eadaf7e35333ceadb

SHA1
f4d0f0410f245ff2dfba6f4bdccee29d550e83f0

SHA256
193f5b8b341e4b2204055083016ed6950de4958c5b7032f760586dcb79c20f77

SHA512
babc10aed1d2a5b7ce1065af0afd97f9922edee294deb2d26d2ea5d4e59871aa636e513c90cc6b0c16a6dfbac55a3b6f9ca3a5a69163ca83286ab0fee6d7b37d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
260KB

MD5
cfae6652aae6589d92c11dd0f2be0d36

SHA1
7e753c8020fbc3e971db7722c22b5cafb56bcbc4

SHA256
b333d4f4413663ffa36a7c9b407eb54ab69f8abf183e53bc923358be994994ef

SHA512
93b62381439f5010ce9d2e743fccb920cdd52789b4e46e6d708d65d78b9992a505b50378f2e9e492388c9f418b342b7af6dffb46fd8e15ae764f71cec6684e34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ea2cd5ffacc69baabd9e0bb098d4a2e5

SHA1
f26f87edff0feeecb8fb14f9b79f8a85b6eb763f

SHA256
327f344891fdd24b11e37d79d8a3d750593bb67aebb905540a4e32a9bd135c16

SHA512
674f6336788a39cbd198e5c86857fdb2e21695f1f315c3998e7543290fc994ac8d0f1648e331b924d65821cfdcd8dc04bb63a0c876d423a3d1fc839f97ae5a3e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
425KB

MD5
c8adceee5d6119b50583e73093ebb024

SHA1
beef8a7d620ffaf2b3cce3681c3efab324f3fc3e

SHA256
43ae7a3ce3e882d87fab01f109378ffb353b01c30b094f63b063dca8cca0b298

SHA512
dc0cb4328f872f0c084ea70d79647195bf96cd333fd9050cc16486b8ee11a7c28a84ed84ebd401ac9a6c513aac6024fa614bdc57e259759069c6b192fc840297

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c3148391418ca83e8755b97dd000a098

SHA1
c0e54561f8f49f88b435aa92bdc51119ac50ced3

SHA256
321dbced1d7b47f57d16e18db4cdc6993f829d73685bb02f61d6d16f06baef8d

SHA512
1c978699c2b8e28cf365bd67e83fbbe0e9bba68dc401532b47d64838dac243e196cde134a95a3bfdf42eeb18d46a76a2d8cd63672e281d7fa842fa3f5213dd68

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ec059652c5f3a652afd7549110a02835

SHA1
d2979fc8aa0ff5224dd0d54269d4aec187de807a

SHA256
d9f55a988df2b0b6fc98f7aaad145709547ec6e43c7dcc68592d8b7fc1ebe4a4

SHA512
7a078cca07d27aafcd1afc7d7a74ff127974e4084a273d8b82a5f966fa9cc70f196e17f83b80d8946486761362a7c356f61c812fe2d9f7be144b43e390b9174e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
396KB

MD5
945988ab7c94a4a1e1fce6ffdbaa34b9

SHA1
4cc1e6127f15614a5eccdfca83c59a6a2106d8d5

SHA256
2717d9e3e37ffbaa3424c6865bf8c322cc5ef0c35dca1d472f81a7dce7b190e3

SHA512
027b5f9712b9a9752e86c8405bfc8317a4959b6a13838c42abde850be85983b2f96553613fdc1f2792fe1176dcf21118f73785cfc73fa3f93a7bd8dbbaf7d251

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
515KB

MD5
5ccd8ce8666f1bdb78d3c00943dc00f7

SHA1
1f36df5216655b8bce0ce4648c867d63cfac3e91

SHA256
eafbff24eddafd4555d9cef3e2e68a5e216044ce66cd539a6d686a7258026397

SHA512
82f46a6ca20a5415ceefd8d82e79eb4569ca545b9c5e4069775bbe0ce64ca5134d7ccc649a4348798f01d78a84a992c93d349fb8b3e78fd3474498eda184c618

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
744KB

MD5
e11c8b173e12f38af1410d9b934af05d

SHA1
e48c5428dcfc614d5049b20fc1307017ee6a53a9

SHA256
3cb5f81c483147782fb312118a282777f948672e14dd6074621f22959bea1440

SHA512
182d11662e2d556815e26842d69f9f7918ecbdc7c2ae86524cb3e71f8c80817c02937ed10c1a42209d83680116a8370b3f981bd9d3336d37a92aeb40475c318e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
063d2b03dddd693ff8e8f9db046dbe7a

SHA1
e4c97b8b4e977cdeb57312931094b952f0827a5f

SHA256
5eeaac69dc46496cf588171feb58efd6db3a248fbd4f50abc5e971e639d028f9

SHA512
5e7900e93c2afd82dadc03dcf6badb72cd04a94b34f5335686182ed837b354847e94faf9929a794a74fe9cf24706075cc82c782e93c353a5ac656c84fc088a9a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
628KB

MD5
aebacde574704ba3345393d468cbccbe

SHA1
fdbd8b6ecc35eff82fae0cc4eca91f36f7221a1c

SHA256
8301fbbb7bcbc78e4c7edfc8fe57fb538d3407486ca5fe5f43bccbfbeab8178b

SHA512
8ed3831a800dd20c0ee1c5363df88f6a9995aa5c6ed495da23f5053022665274dda0f3f9f15f549ae80bf5165f582dc0cb9e18260634c2aebc16b0d95b653fba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.3MB

MD5
4a30610bfe8ca84835e7b63fbe5cce68

SHA1
ba3fd2b44648580f6ead7d441595e2d8e87f8dfc

SHA256
73825829dd5eb50b0516841dded483ab5c24f6391c9aa6b0327510bcbcfd0fbd

SHA512
f3f892bcd6035fa83114aa0b412fff1c7a48b230eac47d4c8e6d7b2a86d809ba6459ea5e73c0f8b054e29e33cd019003d04646b40840f6091a943b495a7d4c09

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
867KB

MD5
2fc174a0b8e1e3c97b327a419c07622d

SHA1
952c8419d44a6a508ecc8013ca364c73968c5fed

SHA256
737e7cc6fa75723f17ff189f1a4d96e1e55d37692b5982e36ea0677c80bb6d93

SHA512
0cf64afe689586bc7a3a240173b518ed0e6e6caa878263c740cac883772701e62a6ad8b90bf78b0a5e0a3fdf1cb49f7734259610e58507582756f4982bf3aa08

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
691KB

MD5
23296abfc65a2a7e121e0fa60b5608f4

SHA1
13b1c4e686633617ae1a56ac18928ed1c6b0ee52

SHA256
9ee41ad2d0cbfff497377ca151284052839b18dbab3321febd15c31ace47f56e

SHA512
4aae31703cff3830333dea20cbce8722c22763d6c55b9e0855467265111d7f356e5a7065e04bfef48f4810082bf05d8b1e607d10be32c769527321959c988acd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
123KB

MD5
4c2f580c00a785d08695ef91722cfa30

SHA1
d3378b6daf166f2fc64a5e595631bcc82f14db3e

SHA256
21762a947242b06fccc867ecb8b2b9bae5d85c2c94435d19169988506ace83b5

SHA512
5ec2f7c25c6489c62e0a4afd0ca4417bc8d1d5c7b88d02fc373247470d853019fbe21cad879c78986439c8b78c62058ff510b8661dd102bdc5b58113cb7485c4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
59b578153cbd665b8415b699a834afc1

SHA1
997ea5641f6fbcbf85703af48ff776370071140c

SHA256
37c19b5a936c5ebe99303ecb1f207d94086eeb3338206140b9286b42d5e82507

SHA512
fc16cf921d56679e61cbd5fb14d4bffd592be5f4640079fba096c56027f654309473b141061dcd00b613823b6ecab06c9ad70a823a560024f979129afa9da860

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
22d88260817e6700ca94421c0247b70c

SHA1
e2406c0fccc682d34e52b3165f6f66c6550bf85a

SHA256
8e157b5fc976f89bd5857777939741f2b2c369da1a1a0a3bbe05c48fbe828ac6

SHA512
dc3b62f0b23c4f12acac829b35259d40aaabb08d2df7b6ae31452ff97ed327e6a08f1d62630bd5cbef77eb8aef44ab0f563259a98964e70afacbda70ea185bff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9f49c94562af445311bc1e56b37eb040

SHA1
79a5ee625ef138695417a18f0ce0bcd1f792053a

SHA256
2dfc9c86c8ce2f3d03bcdfd524fdedf776e2b44c249bc97866d24e89f4288e2b

SHA512
cea1c0f495d942d027d90196b909064201d56747552ed86d35d676fe07312b33c3da341f16fbe764dba0668a03321b442d584afeb5dfe13435517627e74d4306

Download Submit
C:\Windows\System32\vds.exe

Filesize
118KB

MD5
3730ae0e2136429a0b37ddb154dba0e8

SHA1
56289fe2cb6baf01001f67822fe88708d1c94b1b

SHA256
603c9160b0b96a5e0d77a1f30a63098e035f154cb0615928cf26ccf92590b261

SHA512
4cc7c7eb4041e7812250fa6177bd2fd031664e5b99f0eb6bdadd5c71482917858b26befb2ba51e1a584538be8c7b5f016a34bd46d1713402cc42bb4f964834d8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
413KB

MD5
5b15a4946765f673cf519556f712e71c

SHA1
5f3e83bcca857c97b669a94e52fa60d4e8de48ca

SHA256
56da764df6e2ac226dccc48dcab8778a364552c0da80e068cfdb4318b7a02e19

SHA512
8d0eca3184e1bce10685f55ee188d95619c03bb52c68b8f0ab36817e18475511bbdd5769f5bd70e6d39b4edb4b2ab3cc9f7b2618c085b773e754f49c46fb20b3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
76KB

MD5
6d6abfd6ab6b50caa9037aac1450dc09

SHA1
548a65d8d267def9dbe1924bed9bd3d0a1840b5b

SHA256
a90af7a9975d39d16d22f6b90dcc687e4391e27f203d61e7985ce5fb808a331a

SHA512
62a6bd2419ce06b7f9c23c45a1a69250093508a46c6389e154af50487bc2f852133b3cb049e788c1b1d13a45d04ca1884db6cd7285fad396d9ebc7fc3e46e06b

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
544KB

MD5
a6dc5dbb9c285ba25ee519237945a84c

SHA1
a6bba87bf11a9937ac3f81bda52a205fa34713a3

SHA256
f63e3424c91e67010c18230444cf3bee36a0fea4605de9fcb4dca63b9d1fa49a

SHA512
d292e73711a0064cb017c1a8397d7a067455d9074458e8ffb597d08727435fbb9645700f73c2e24eb2b2e31120f16ce99a7a0e5bb3124ecc76b5451f15e11c73

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
309KB

MD5
e50031faff4f60c9d9a3e2966e885b7c

SHA1
ff949c8dda7736556808ca696a476c30835920ef

SHA256
1ffeb7b0947532bc41498ed0ea96d437928e775a9f0dc5c60945c70a644ef950

SHA512
eadfd80ace3f6d9f840d92ee2527df3b37ed98bc8cf08402d0140cebf15ee147656e37de9151bca9f472bea302332d26f1e4815fab8e63122727c5b80faec7bd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
662KB

MD5
43d2903901321a99541fb828a22f1c1f

SHA1
c147a1a7018973b1d73f0a84e979b882379ac1dc

SHA256
6b5c34bb9475da2b7a7978e3f893b3fa9480e42e654c7e4cf9eb94a2297c1270

SHA512
e8fcf04c49422cf2fb120d9fcf3f34fd8139633ce3b501d1f8eb5e366759b19515e4105e67b1cdee6376cb9c3eaa9e0e584ec9ef5f78e565f9078ff53c1a5c52

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
848KB

MD5
fc6da0350eed6c3714418ad2a483572a

SHA1
5e53e6606ec6a6a6d080d1dc2736778031e77aed

SHA256
cbcd8746cff6d99a2e6430063c5848092bce2547ed5c09cde7032b072be978bd

SHA512
ec4330e3640afccc7229cc7fa6abf7ac69515786436a4166b99faa9de1b05a7603f201736758bd7af608b79c252252ae88b290430b209d56c2abdf94df07c419

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
475KB

MD5
461ecbb92b4859d6494a846b5a5e531b

SHA1
3c3a85bd847c2d3a3b270d903c6ffcd08b21193a

SHA256
39008a5b92641c41244bbc45942a9f00834c6ac4ad74e01cdffd1a2f8d132467

SHA512
b6cc7e45fabe5d057acb11bb68833e5d262b19456fe6b7392c4b90e20cf4f08ae2a18ba459df63d9691e515164bdb0da10cf85957829b1d04cb4abdffcd83cd0

Download Submit
C:\odt\office2016setup.exe

Filesize
374KB

MD5
c36f16d437107b1318049c9b87a3fd94

SHA1
a776a12c9d05fea1e96c3a050d7aee35a2731032

SHA256
35e6aa6189d36dd9c7e3d2e68d77ac782c44eb95be4d90ba6c25937593de7db4

SHA512
42dfa182a0517b1b57c303761bd5d6c09bf9439e4fd5bac00b41bfe0f5402db5d9e7cdb03329c8f4f66b9caf87d6780d813e0fabd72225349608e92214fd37a0

Download Submit
memory/744-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/744-43-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/744-36-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/928-73-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/928-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/928-81-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/928-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/928-88-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1192-220-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1192-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1192-280-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1460-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1460-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1460-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1460-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1800-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1800-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1800-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1800-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2572-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2572-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2572-141-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3004-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3004-211-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3004-152-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3028-303-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3028-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3488-18-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3488-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3488-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3488-12-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3488-19-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3584-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3584-91-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3584-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3584-100-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3932-290-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3932-283-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3968-254-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3968-265-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4172-240-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4172-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4172-180-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4288-277-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4288-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4384-191-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4384-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4384-263-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4384-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4648-232-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4648-238-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-239-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4648-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4656-207-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4656-267-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4656-198-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4728-464-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4728-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4728-6-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/4728-61-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4728-1-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/4844-570-0x0000023077E30000-0x0000023077E40000-memory.dmp

Filesize
64KB

Download
memory/4844-571-0x0000023077E40000-0x0000023077E50000-memory.dmp

Filesize
64KB

Download
memory/4952-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4952-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4952-128-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5020-25-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5020-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5020-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5020-90-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5048-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-250-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5068-166-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5068-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5068-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5072-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5072-115-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5072-170-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download