c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
Size

1.8MB
MD5

831b49636c1849562486351c0821e912
SHA1

7116013653d7acbf91f56c57f6c3eddc9df0f47f
SHA256

c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1
SHA512

f27f0b56e0bf58b4ffd25469c599f6d88f8f62fb3070dd3eec3bb4e3bf6da9a9a60d62f2f20d0e4ae3087db91b5486e7a078bcec04faaf996d4f8b19b4ea153f
SSDEEP

49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAtBtP6+3vj:rvbjVkjjCAzJiBwQj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4244	alg.exe
232	DiagnosticsHub.StandardCollector.Service.exe
2628	fxssvc.exe
1112	elevation_service.exe
3516	elevation_service.exe
4372	maintenanceservice.exe
2364	msdtc.exe
316	OSE.EXE
2844	PerceptionSimulationService.exe
4016	perfhost.exe
744	locator.exe
4252	SensorDataService.exe
4068	snmptrap.exe
1752	spectrum.exe
1084	ssh-agent.exe
1408	TieringEngineService.exe
1616	AgentService.exe
2696	vds.exe
3720	vssvc.exe
4392	wbengine.exe
1280	WmiApSrv.exe
2444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\775dcd7c205991d4.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\locator.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\System32\vds.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\GoogleUpdate.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_sr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_tr.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_fil.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\GoogleCrashHandler64.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_de.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_et.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\CopyRedo.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_ja.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_fi.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM345E.tmp\goopdateres_nl.dll	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFF521F6-AE33-4DA9-91C8-593A92655606}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\CopyRedo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdb0b9bf1776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eb55cbf1776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adc4adbf1776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000850a76c01776da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e243cec01776da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003000a9bf1776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e28dc01776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
232	DiagnosticsHub.StandardCollector.Service.exe
1112	elevation_service.exe
1112	elevation_service.exe
1112	elevation_service.exe
1112	elevation_service.exe
1112	elevation_service.exe
1112	elevation_service.exe
1112	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2372	c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
Token: SeAuditPrivilege	2628	fxssvc.exe
Token: SeRestorePrivilege	1408	TieringEngineService.exe
Token: SeManageVolumePrivilege	1408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1616	AgentService.exe
Token: SeBackupPrivilege	3720	vssvc.exe
Token: SeRestorePrivilege	3720	vssvc.exe
Token: SeAuditPrivilege	3720	vssvc.exe
Token: SeBackupPrivilege	4392	wbengine.exe
Token: SeRestorePrivilege	4392	wbengine.exe
Token: SeSecurityPrivilege	4392	wbengine.exe
Token: 33	2444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2444	SearchIndexer.exe
Token: SeDebugPrivilege	232	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1112	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2084	2444	SearchIndexer.exe	116
PID 2444 wrote to memory of 2084	2444	SearchIndexer.exe	116
PID 2444 wrote to memory of 4624	2444	SearchIndexer.exe	117
PID 2444 wrote to memory of 4624	2444	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe
"C:\Users\Admin\AppData\Local\Temp\c142d1328b13609d34b1b64b69e4633292b51b043005bb4609ddad6dd3a3dea1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.4MB

MD5
d68203f4bcb98ba222039e4f0cbff0db

SHA1
4ade6f9ccc971406e844f9f8871614d366513ff1

SHA256
3b673c69a1264d8860de01a79e73b13f5bd765543460efc754e994243ea83fe2

SHA512
0fef5070e6d7e63bfa90f57f7a447bc06c65ea53d0cd5abcedf243fb2697689934292cc3958598791629544f7593075f5222ceaecf24af5d24326f447127d0b8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
216aa8210b30811cebd2e2f7846ffc2e

SHA1
fd625741ac5149add954131ad867ae3afae6481b

SHA256
032429dffac66a6303c5c3021eaf3b95d21a4acac060c3ee79f1c66cd04c2911

SHA512
8e2cd826cfa9247095573172b766fc6caf6e2aefdb691039c39378a60c252abb0835ff7cac2e5ba619b1ade862d5e64252d29163323a6018ff5bf65583d26d92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
382KB

MD5
da5495b3fbe598600a4a40593d422f2d

SHA1
31efd1b42b1bd513d1a81f2c5cfedea41fd4b24c

SHA256
4674e39637f03bb611dd2ba8b4eb107f6f59a3ed5c345af0f1a641354bec7356

SHA512
41b785b0d91ef9b28fc1ecb7b24c79de288bbed7b55bbb63f7270c6110196e248d17ce6461e807a1cd87764b34a1570bf8bed1c1c0ef22404cc00ce7dfd819b1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
241KB

MD5
ea939b6c6a3962f2df06f60c94022b60

SHA1
6ded7be766d53676deca32645d965beb23728bbd

SHA256
fd69d44d355490fea010f147b526ac83405ac8a98e9a95a7ae8879b3d4b38148

SHA512
8010a918713bf3693eb46b94ec01a77962f43be95b9e73bbfa4b984e0780296a7d7fee895cb1a34cac1902b792edd8fbf5ff64852c8e2f3a15f8ac0318e9e9d7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
519KB

MD5
2dbe92ed56b940750b73118372581dcf

SHA1
1bc01126ff6b48796a30622a680a53f3bd3d8367

SHA256
d5265a99989e7d85c1d6ebb457c6ef5b82f2dadecd2737102aeefd518870d994

SHA512
9c5c86b1db62874635afdd3eec119dcfba1cbec3cd5bb4287c7174bc190d46438643034e964a2ff459ae22cc12882aa7dbf40e0f10ff437fdc9e0805e5130ba8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
228KB

MD5
6b740e6147f186158265d3cf14969be5

SHA1
5866ecc65378672e34c5307c6a7579a5d5d222f0

SHA256
0da0ab4e91116eb1cdda6f9029d04a4b19d761cb8dd46002ddb48e7fdd593833

SHA512
bff18b85112c8ed4047bd69823edf7547d5da168782fac096a344dcc45978ce7ad502964910e3a4f5a581ea286866bfb633297871d41b299975d76dd629b53f4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
245KB

MD5
049e0451c29e3d5e230d34c105d22458

SHA1
1002229bbe817def3118b4285ef9706b78813b90

SHA256
4cc73dbfc37f27d2bd19bfc189fcb89e06cd6ceed8014eeb56382eb16c1e26ed

SHA512
19a25a17d94613c17f59bc0775edc59690f0089b3e53e9b206a3794e0b007e7573def68b692df0bb178deaf84ab95f852f6f7b324c0aeea452debac1e1f1f842

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
349KB

MD5
76465898fd33b8b3391f591c660c1c74

SHA1
22c842553a252d7dee4fae08508458f4b8b3b11e

SHA256
22fea56827d9f22391f6d1467e6091293a80482cf81a8081e16503163f2a0dc2

SHA512
d15ac9b34506216e0b557c0b3bdec015a1ff88f6d09d710ef5e75f081a049fdaa54b4bca0ec308f0c227822bf9c1fc795db54732667b90cbc6fec21049ed915e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
178KB

MD5
812c799cdde68a05554b2523822d8af3

SHA1
15efd710c439c7f4435b00757f84cfcaef2d1f93

SHA256
ce000a16717e567afb2e7b3902e0e58d19d725b6d97bf0e2ea6ad1f57ba9fb8b

SHA512
3d22e7cd63437ae85efb9df3fbefa1e6ab66eea4c5dd387745ee7434445159e61cf79da27e5b004163d496ba05787c6b034eb0c305627dc863b4800ac7a301ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
254KB

MD5
5e82fc41fc8ef2c4a2413155161fa1c2

SHA1
a5c5697052dcb9eb8c929ae45ccc66fca421cd40

SHA256
6767af9e11a189f95c92254059b954af41f8c17f685d3c741b91319baac56577

SHA512
e7660c33f807394f0caa2c2fd9174e98468a711e2189409f4dd14dce6fe3265aa4f7282d3fae8d75813dbe2e57a40eee27e407a3fc103c957ce301c6919efd36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
258KB

MD5
6043727d37a89d8b3193bfbaebeb1b3c

SHA1
4557427e333beb23a06d2d018b7c777f8876cd65

SHA256
631b3e245c2a560abb9911a0bfaa77d485b74bf99300ab350761fa83b984acf9

SHA512
c355d35766d4563469b8e01b7fa9d1188a5ad002bdb7c7d6306de5597ec907fb0cbed037ad6feeaf1505cf9130af9495d5de42d861c1043b948e8d1b31940673

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
293KB

MD5
070ea647d5c33bc5236e355e9f154dee

SHA1
399ffcb56068ef88b3531e6628401575709650be

SHA256
afbc168e89c042f8b65fff797a6ce4827075379a4e0261482b5a4ad70c89183e

SHA512
d69a2bfbce8a16a8eefdb8cbb1037f60d31ad242ad97d1d494d9c6a8df5f971dce06485fd396c910384dde9a9aed8af5d74c512b610cc75fcd0493a14d69549e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
167KB

MD5
dbcf9f959e6828fb3672dd764c3c7435

SHA1
426783e569ac172ae06466e096c4b2b9bf6fce92

SHA256
beabaf116f5e2fd1ab750b3f67ad590e37c1895a301b3fd3c4a47f783058044e

SHA512
bad550ddc94dcfb0f596abc9fae793855955c42808d7d0a9bd02038a0e2a5a6f384a2545a4ca0cac76ce87df5744a8871fa332cfde50f17230e0b91892488379

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
402KB

MD5
804f549e9a9a3b59bc7060eca925c221

SHA1
4b28377e15bfde3f237675721fafdcaafd8cf881

SHA256
69589acfa1e6d70fa76dae04f58af56ce9fc256dbeb7e9c264557685ee27c872

SHA512
52e6b1be12243a18a5c66aaae11eefd278967d79070b4cd4846a8da9b72e8e70df97529e3ba46ee5708d479dbbc3b08e4d6ba80cd960cef760f5587487d7dab6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
288KB

MD5
b887693d5e2b1ff8193980db917841c2

SHA1
b2299fae9339d14783af370635ea43b2e9d0d938

SHA256
0b26723774570f8e5ff3910452bd29a69a68a159806d7bed013500e76d02da23

SHA512
70085dca736c49986ad664e53c5dd209f50131392a15bb59c388c5a2ff6af0aba87fa6917e2ba276df65ecefcb444ee225c03c4f8023000397ffd9c1eee50dd7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
162KB

MD5
a50ec9a9503fa7dfbb12d9c342404b38

SHA1
4ef3d438d50af17f411ed72baf3e6ba4dc3531ad

SHA256
d1802bc64caf12f1df18768ef8be67ee1c630703fc24aff084ddfba1edf50376

SHA512
80852d85816f2045760880492fb831cdf6205d5cd38782cd94834f85b4e9c99f8091159134690fb324b8ee6aee5acc2fa80400737a7748e1ab5c21b17e551f98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
225KB

MD5
353b7489bb665d71ab1a28f28f524a7d

SHA1
5595cb4ad25ff41a2c86de57a57132f96032918e

SHA256
9318f0d67c84bb6859e614f2a23ef2477ab436902e98a3780e23071b60e3519c

SHA512
1ee5849cae108cb55dccd02c6ab7791eb7578496844ba7d5ba71af332bf14a20b646eaf484a734dc3a7137861a9d1212f9d1a661a9e8685e53875661097656d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
287KB

MD5
88c5ed90bf4e4541326e55b01123a176

SHA1
e08cd14f2349d01b1748d0987418cc145199082f

SHA256
2f7bb9049854d53d1865d71b69dee5df73298761654fe4d687843efd93007e28

SHA512
fbed6916a702813548fdd5a50f94330c1b6cdae867149e145f287c3b183dd5b4a59255635c797c096877d8d46353922b3084379b426e4a7d425d7c4b95aaa879

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
aff4522ac397ec9f3eb0201a37eca5de

SHA1
2d60d865163bacae834ffd1a532d4c7c9cf8e785

SHA256
4fa30d8cf86de9602827b8adbf858e34943bf0684d0037877876289ab714865d

SHA512
e1fc6e5442c3dc9129c104e484c5209e6a3bc63f9f7164f2510745734ae4e565e3f5ddaa76adbedb1a55265de8d063f80218fc88b38cbe861c012d399e5afce2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
337KB

MD5
54c7b90895fdb79d16a86f601e3db75a

SHA1
aa769fda10c293df24920e3d0e21c329dcd52b1d

SHA256
4ccec6c280b63ea0c5ce4c4150315c82d801c2fb1da8444d0433d28803514c9e

SHA512
1654765de558989bca79aa0a9005722a9b9f8cefcbdd0dd726dbc3543fc133f2c1e9ca38e3eed5d7ab120f7deb86771aabd8b875625928632f4c824ef09269d1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
256KB

MD5
bde8bbbacc82c09789f0f003e620e02a

SHA1
13b70cb074edefca99647a2839c90183ed539661

SHA256
4173f69abbea0563a1280b727fb6554b88dd00dcfadb4b691e8878455e0183ed

SHA512
2e6c71140ad0eb34fedb7a6adb6129db207f718d1080534c7b5b9973ec8cd11340cf0b9b8ef348bbc28f2e2385ffcf82830f44eee0fea3e5db3ce2994179a627

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
413KB

MD5
0b6f78fe232bcbf3ea601b34600238ee

SHA1
07b1885778ca7d4da4a8061fe92e0339ac1fd8c3

SHA256
29f3acf8bac14f60714a0ea4555abbe401e40f1756166db9332b28e4bed7d847

SHA512
58b5ed3a6e179ceec6b01abb4a109f7595ceff94a7ea8446d463ba4a129f95b901a5020877bec5f71873dbd21bc766808bbbe29fcb00e38a8cc129f3d2f86093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
153KB

MD5
0e9e013b3ebe2f996b715257b461b107

SHA1
ebefacf8232e272d7b2d0aec2e4ade11a6435489

SHA256
9e441ba16abc7a936a30a01e7e10d85934d1242210c34f7129d418851968d208

SHA512
d71226f1abc0d2fda46583941cc5af8d5b4b2f122d9e5afd178721b7563be9fb23b5271ec5bcfaf387cad2555eaa1c56ae5205225d747e675ee0ef1aa4d6dfd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
253KB

MD5
2dd4f5f2109dc65c0bca08c22fea8d1f

SHA1
e8ceac0f84c202bd078253b7f90d642647982461

SHA256
5ee5261392de5a60dc343532a60e5c296d2565bd510d361296df64b573202f90

SHA512
56afb1faeb7ef3fe2be4c9256d1be3cb1d4c93a6e7ba5bbbe4b1af707f712a7b452e58fa48b9c849833d93efd558022bca328ff8c7f11a24a858c2bc0a2feb39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
230KB

MD5
bee7751ce0c859b180e31e6244732da7

SHA1
a40b4cd9e6ef05ab45ea587918e22233379324f2

SHA256
09b6d0f0383cb591da563853cf99a618bc54fe56b080c963d16dc6b5ce7764b7

SHA512
368d910409048031332575e1bdabd104bc35dbbf650a3e0143f219e70ba783a59e20b27fb9e2aa1b449427e5242dfb4b7e0086c6a971806c1434ff3a67965807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
295KB

MD5
e33e1f49701e183f9e1a4a9af38f5f38

SHA1
7dcbf8ea8d5bf76fddc227bc62f06ae5873312b2

SHA256
7e430d45d185b50179dbc6a079e9f7fc75bcd0cc8dd2722183847f77e7fd69bc

SHA512
95b305a6e7bc6046a175ce5f78c26a0df6d81ad18611de36917dc96f8b8f037e30633a8a1553803799ad57c95b60602c592c170e37ed0d7c0e5f54945a0bf2bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
192KB

MD5
4f1edce1046ea8bdd47d382e0b0e8e1b

SHA1
6dafaea0bffebf9b9b2a429c49086bb5847e6a4b

SHA256
8c52b92d5a99de0a7c4931a1553ac20a629f71495866aac5c9b81339e4f49251

SHA512
36ed0d7dcba5d2060aab01c930d2e243a961e8b7eeb23593100fa903433d2acddab50110cf5c73a9d361671fdd2a7f326749464146c43e0c8b2bf1bf8dedde94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
149KB

MD5
344fe4e5be24b14c79fd17541bd6a0ae

SHA1
ae464bc98808056b9611fdd3ed395f6b7d8f7f8c

SHA256
2f4fbd57b06e0e94760b861c6ba2a7bfb4e0c9cead2893ffc2f2f7a871866ae0

SHA512
51ebdb4f6769e44f768e2f81d3df3568dfab9c22f11bf539d2d6b295f51e060d0b1b12fccee3b322766cb49f93a883675f5f61f25719b3d73549e2770d3b2641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
264KB

MD5
1babc2e58eb57ad57fd7337c6f575f7d

SHA1
8da5a777ee9d92df9adf936d23c32cdfe784396a

SHA256
22d76fd81ad67e28b09d14e07dbba218ea01b193233d292cbcdb76705f576558

SHA512
0b0691548e690878f50bad77d59e1ced9ca67da101c61a0af089ebb6d7c0715fa5a9dedb3c41ebb8987a8f783159b9068fb6c5d906bde2fcc1bc32b32ef57bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
199KB

MD5
7a4c4195ff03666ff1eca3823a1ef7ca

SHA1
ffb3b9dfc7f946ff7a4412f5267c1a2ca65f1783

SHA256
92a6d7c47706462350e27cfabe51ebba3d6d42175ea846247625dcdd02ce0484

SHA512
4fc097787e4e93c79167db1521d727d60d19428db18c744df28b1483179eaca645b384b3f6624229af9269a1f7961166e2725be5f6c878fad1c1cebaf9e2cf27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
277KB

MD5
2907e30c02b64cd0ffe30286935753dc

SHA1
48bf676e7b5f75dd652d174c885804ceaf524a5a

SHA256
aa9ae5cddf3c2b5786087c31998d63e5fbcf0abaccfaa35524deecd2aad7be91

SHA512
2d42489719f49ef1de66c73686b86e315b1cc237566cc614716ab19f2274cdc9ed7605e93568e53dc9ef986679098257919b37892a10997ebe8e6d526864f49b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
136KB

MD5
0b5f1252d16068fae9b2ba1b563d53f3

SHA1
0ba4e640550301e08a9d7be81dd586f1b2136af2

SHA256
0af4a8ad0be7780695f496afb5d3b4423ff869ce5639fc2237551bc7cd193501

SHA512
e7c1eb431e92a7ff320e2b2fef7575740a4e4114cace14856d391bce69712332c057f6dff1cb2160e98a0b1ba0bc92ce5e4870ac697d8bdc30a6a61f8286d768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
226KB

MD5
cb539c95a3da0d946af9670df8d4e943

SHA1
ec39a1eb1be52823d286893db263be5e57877c31

SHA256
20ce6f7e25f7c0f22ea703bbda5bf9b7fada9939c4ebfe4da7304a3bd56909e0

SHA512
fbe2d6f9384e615305411105d7a221112f74c221dcffe72f749d358fd9755f5c59e5f30bcfeafd3acc819dcc492f571d81a671890d8b29c59abb728d01049375

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
96KB

MD5
2a190f3c0a1518c9e21c6969f838dc06

SHA1
9ec6d76bfb7f92f8e05ee2068c309929e5dc41b9

SHA256
f760665d8fb0ecb539de2f7c6cd7e9e6d66ddf3bbd5d646ce2047482221c684f

SHA512
1d693095f9ebf7f50bc8d52c794184ba8ad9e9283f16a8fbb1dc388c85ac7a7d74484e3c36f127876efc0ef72f7ca73746075c82e5ab2ee636a83df955eb148f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
128KB

MD5
2dc0b16f49e91379b461a23eef1b8465

SHA1
da5c29642caf8c2ee256433de537bb102bec0355

SHA256
12e461ba6a527dd1648fda32402d4ffb4429d76cb664f3462b2f8ea5d852b4cf

SHA512
e1b6ead583aeb9e1f8ec29e03cb211c306f8a6e37bf6aa0d09a3c0ec42dedcb3f3f6401ba3a54b62e996f378b3d4bca2697776b92ef1e8558e5d8aa3610d4708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
297KB

MD5
95849e82ffb47f7cfeb858a367d0efda

SHA1
b72934416ed24921a41b7c3d031718aea6efd636

SHA256
6caa237f2c0286d4588b228153abf835d0544b6efe39c0b9c9f3ac25800238c3

SHA512
0c1e81df9d00fcbfb49f514c7ebaa3c1649a5b64393c6c09869f67cd58159730b45ac34083ca63729ff6ff4c16af59565d830b2cfd8ae0f5a4697c629916b15d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
179KB

MD5
9601b00cc6e7d665909d7c5d715cc9ce

SHA1
3c1ef040a0093f347dc378f0f9e50bef5332b976

SHA256
061af16bf4b297b63495631a8e18d58885b0918bb3087cbdccdb9ce68b4474a2

SHA512
7afe973a02939ef81a003490c738dbd4cba7e2d691d0476f291865aaae57215cfa94480d859faba0f8681bf71fa96514355b915ddb6ae8bbdb72ecddc795e04a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
189KB

MD5
1b838a79c18e80fb1dcd88e22fd92484

SHA1
5697f20800201ba5063eb157cfa652386b544a23

SHA256
9fdbe8cbfa7609a391439501a1f076ff2c17f8927db3692eaea6faf807dee68c

SHA512
959ce97187a9726bb487eb71eb6cc3a6e31eca28328517cfbc54dbef0e3b937fec54cd3560e251b0b27e9f451d3b692d39eaf1f5e3717d162494e05c95ffc2a3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
163KB

MD5
a4ec79f9a1ec6f770edaeb8e8402f3e2

SHA1
be2b8acf4aea79cae8d0ebda6ec25caa117582cf

SHA256
38e1f2c76130a672f1e3a88f67a42d50af83d09ce95eeb2c17080d335b1c3ffe

SHA512
adcdfd432e601552c9acb0987798e061d666e83e204c3f697fd0fe5117da5a344076129890b428fb05e4cc1152290d9903a74cad804bb0d1507c99cd26d6f3aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
165KB

MD5
93c30cca6eef7f24c4e823a4ee1e9ffa

SHA1
884a663386c1fe362fdf75c8e31c8d0bfac02ffc

SHA256
b5d1363ec600285dd00a6b1717824a68145d9f7d3ff8924e4420219c967ca761

SHA512
96e7e30862724ef291b6ae85f05292f8f4a52c0b991e118488dcd499024b620d4778b509383badd5333e5313181acec359d77ca5b69b8f801aa3354bd42fce25

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
612KB

MD5
cb2b7d5dbb15a2c0048a14ba2da05d43

SHA1
be398db8ed2cfffb9df0df898e5cb4f2b5448220

SHA256
b703344dd3129a57369bfbfd12eeb664bd94f687b4e5c94ceaee375e5fcc60aa

SHA512
a917209af5f9e29bfa170b4b56a3bcf60f62ffe9e1d6c4a6496a5f228a56df180b8d040fed2845611c88f3b159617874e5e63e9c185710bcac6a7c64449811c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a3d6b14fe7ad6ca215507d368cf8a493

SHA1
423e80809e6d4b8be777ddb89ca5df97f5d2939a

SHA256
3c50086c64044a811fb9c338ff1438c7fcc3b15d50b825113ea7886bfaf912fa

SHA512
aae0301913709fee3611643c886f9ed5c0ec1aba89883765ba9df5f575dc197131fe60e094a08c2309f2d2354528537763fd37c0d4a0b20a41450b294917c3e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
28b9c156f05508d5e494455229a4712a

SHA1
6422bfba118897145aaa9f11d0dcc206ff2b4b50

SHA256
92f39e6ff5aeb03d22d1b76b0de9bcd408da6403ded74bc17c7eb8a51c0a1e44

SHA512
40783bdf623175227995df15881ce883bc6a227655868db18555c728f7f635f30886c187e2194cfc1d8a7e83202a225438d5f03c23073889aaae2f45d9b11184

Download Submit
C:\Windows\System32\Locator.exe

Filesize
192KB

MD5
4acfefec1b873506275f0a0b11398184

SHA1
4a5a91b94ded61a45c37f5230493c78d17055cc2

SHA256
13d78814c0d361578152cf031e2c5a6e8c99620a4269659826358554a918379f

SHA512
d3bf84a4daaacb520b94a11768678a63e4f70132806addd0f9a8ff97f997075ff8c0ff7a986a2e13db56cda33af1bf105c628689926e0c9b80a6107d8d56d93e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
40KB

MD5
060d460493a1902fb93aa265cf506c62

SHA1
26de3c914159346f11ae86fd469eafe02a14d4b2

SHA256
0c50da2025599b52443844b94e297a01234cb2526c6f7de7158f1575d1c35268

SHA512
12322bc9b620d252c57537a97cd28b93fd1814816dd446f79afff8629db4a463fb30838008c1069a54760a015ea4bfa1372a760ec210f240934995d35528089d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
14KB

MD5
88e6bd74c8f42fc7ff73752d2e7cb54e

SHA1
d256e87e619d124fc1fb0596a5119b281c389533

SHA256
7b71f93ad7349ad2cfdbadbe79cc5ed5df04a0c6ac481a497f6c0510e30fde71

SHA512
d90a3fb6a404be6622be4af72542fb99fb214894e9e020c7e9829678b0f2880362f6179c666dd7d6c2b1ac3a284b6981c02fea0fdb0a0074cd81f1ee95e8fc51

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
302KB

MD5
c83d7c2c51f5384125788d5ef61caef3

SHA1
f5920c573f9e1c520a6bcf32396509821c3feec2

SHA256
73ada2004f0cf5ff1d43ed1ee3758ba57497a6df64d14798f793662d0511714a

SHA512
576c964b5900575477fc61b8df58645dccb59375dd460bb7408adeb26862dbfbdb151e007d41c8492625e0085711a4fb27ebaebe9b0fe38b5433745e2690f4a5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
215KB

MD5
1406acb498241788e64a4dabd58884ef

SHA1
257b5f0556698db7dc40cef1474731d6dca7e753

SHA256
6f6f9d187d6d4b140ed94b732bddbb9cc3bfe18de1dd838b11c2ed681ed9d2a3

SHA512
0915ac1a4580549db33158bc3e54e55975b79e976af7f1674bc07f393ad3aec989a3b27064b76a7bac6482ba5a5f1ffba22b2ea527016f062ad002bac3f4013d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
241KB

MD5
1ae1d49760b31aa0040f3dd653d7bc7d

SHA1
99810d41659402a5d316c797a7d2b6efdb2e3f57

SHA256
6691c295e358fb77f4edf5918365d446e744def663710ee81e4331094f382108

SHA512
3dddae6586eb07b0738fe52fcd452c23d64be48c194f9ac51bc4bd154829e07711ffab9351255875f54bc890aeecf81b89993859f68d02eb6b96a82f251a6b12

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
149KB

MD5
969aeffdd2e5b00be01fdc9a4ef907e3

SHA1
e3011ccddcd120da9793bd75170ed0a826d58968

SHA256
02b7309863d5defec8ec668fbb297ea2faa33704a0c00ffea5c61e34bfb04a27

SHA512
d332a3c7e29a05a571d9689be5388c37c7043423ddac88d53453f60237d43db32bf2a703cfdf3b4f3cbdaf277630b23daf0cc787d3ff67fa5585522ad719b2d0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
244KB

MD5
45f4b56e2257bfc3c14afc8f68940ebf

SHA1
a390429091ec1a1b88916db4d5b7f9bb4cb21265

SHA256
d5ed316ae80ada0b5a840389cb4b8ad204ca54312e3f66f7433242b46bb3c0f3

SHA512
08cbdd59bc498a3cf75c3952bd46fa1b7b64a12f5c6de7fb1124b26f2b733d7d0cfbda90d2e526c48ffdd79c51ced811c9ef4709ff37cd10f8c635bb3d91e09d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
505KB

MD5
dcc08cd629087ff2750e83fafa77801c

SHA1
cba171c6da117a49790c1e900d43f151c7f2460c

SHA256
e1f4b35766b3b9373dd4c620ed254596503f5b62de992cde87b406d96d38b16b

SHA512
fef6a71787ebf82381e1bfcbfb92af2cb1605ba010be2f608309dd0f3bff9f504b51797ac0c16c6dbac74ac737afdf1c6e6ab35aedb83dc1493b457fa1268450

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4a9d26b88e20f02c58707d62c5f86755

SHA1
437a1bca742cc3974955339456479d0c2489fa15

SHA256
138f33d4db16c5199e6933f0f09c43bef41e6f67f1e503a9f5ef2ff0e3b91f75

SHA512
8ae4d8b8aef6736d880f17d28ec44b6a96fda17b980924ffee3a5641482fe46105378ea6b220a0a9f2ff24f8615beb258c371719d86598038d3ffa3beccaaf17

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
489KB

MD5
8ab4119872e7f8c95c0f532223b9c320

SHA1
b5dadc9e650d988c776f2051ae03353dd551e5f7

SHA256
e34ce844d4df064f8ea204f16086c5c3724f5c2559d5d1958d211b0a1d9fe982

SHA512
58b5f36048a2ffa12f483ccc1c65e4b3bfbb9a8ed5a11249349a3ba9a3d2b188ddcb01faf6ada610a6b1fb0fe73d6620444ce5c01d07c6d29993bd3a0ed2148b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
185KB

MD5
3fcbcf9b03211f530e8baadf01824ed1

SHA1
72f9eb8fe2ce782179e64df17681efdec6c06d91

SHA256
2c3d469c686ae07e37b155dfa537784589684d80fa158ad7d781c8e9dfbaa414

SHA512
41dc44b72ccb2be24f826f3a83a70b4b074ac98f4b19da5e98f5d1d32153b149775db7108e38f5e335790ed3f18c65696dddacf2f16e041ff2aee98cd4817c40

Download Submit
C:\Windows\System32\vds.exe

Filesize
366KB

MD5
7fa80e1aa75155f57aeb89d1aee4091c

SHA1
ab108dfc0b661dda750d5db53f49c65a5bee2f8a

SHA256
0ae629bc0216585c2c234260d99f403915f6d6018b9660f51c2a3f3811dfcae9

SHA512
211897698e4f9ee9e9f799f438fd2d1c179e36cb4b07450a3304fc6727ba222fbd7ca3538c94b56a8ba04c8dd5eadb86b5d1084e77a4aacb87bab4999e8905c8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
443KB

MD5
8c61c5a633e43fa6304b41dcb0b03d3e

SHA1
e52b86ea903f89138bc92bb76a6dcb90bfb722bf

SHA256
29d15236774976328c733976e9f437fc04c2da435e827bb91bb3238615970524

SHA512
abfd1052f1478a3e8f34d6dd0d657c460772d3b420bb32005d83922978023cd68602d0f1e7f7fa17f00079b5d104daeacca777ca7061402700731c7c19595643

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
133KB

MD5
01efea29cd5cb7a9560e91a160e9279f

SHA1
e48d6f409705f8f96c4e1a2d41b36c1dfaa45708

SHA256
f413d78ffd03b6797c7449fcaf03faaef7a4fc47d61d0553f816e73aba98ef31

SHA512
5945117060bb2b59cce5d3a2c0e40129da801991a2e5fa10255bf918b8f178992caaaf70e82f2189cf86c8807526ef8f3526222b98cdf7369aae7258e041ac72

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
254KB

MD5
afe20b8d807d2d755ba93c55086c0a26

SHA1
c639fbcb1bf21f51d6f451a0bf78a51a63cb8356

SHA256
9cdf1d815b36404da5a9e7b3fc937b38e5594d08cc41da8480853f76ffb48ade

SHA512
c4adcfba18fc872c41afece8375d8fb19f02d2b6d3a2d0b95754aaa62031647e61611eb2cb71ec14db9af09f2138cb410191b1c6eb85f983e99b1971490905fb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
178KB

MD5
04b8015ad1c8b41e678fde7598f37e7c

SHA1
b0460f1a8110bf12094fa4faf8ffb160c5208aaf

SHA256
25a76bd77d9c8fe36d9093b3a55df9f5aa999a2496754b7e447a46ee0f1a6324

SHA512
81f8acff61bb247b12723b1b7a41ada5200fa7f689c6d692456150f111d98305b0b3c141db28a949470d373c349d91c987dd50ccddfb295761f7d6492b06ea64

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
418KB

MD5
898ea2ec3839d4d1dba196beeae966a9

SHA1
e3c01db027420c4ef32fccc8cbb52f6e76034bb2

SHA256
69f428a78bc1b3ce55e880d28d675d1a0ebf79fa5d64639d0a4502fd16396998

SHA512
630fbb9db172a66dbedd6f5f64fdd92c722dc3da08e8d960b9ff65eb1da4bf84d72e70a53cfbe4620e8c104da1be2ccfd1f7991934a987db20046479d76aa9a0

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
149KB

MD5
2587dfb45ceeba6c8167d39c5bfa9035

SHA1
f81dc9171e34d415223cda0bccc83e6a4ec4c9b9

SHA256
3de81f3b97775e3aea227690bf7322dc35a6d18fe62b485f24042351eb96df6d

SHA512
4d2372be028699bdae5590654923009e490ff51d186563dc66829f5721343543b052a7f148fc6a8db1164690ea8609be0a73734e4125ec566e751e02074c1809

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
204KB

MD5
f2fb8c87ac8f994f9b3c602fc4585c42

SHA1
036f74d1ebabe98334b6817ce0ca4e22dc8e7c85

SHA256
5ae1b1c87a2a5e90d89bca9fafa7cf263c44391c70e5115142e4aed6bf6048e2

SHA512
79056459cc9f6dede63bc2fba1687b9af34ce902e29131a9b02bbdc374d5f99698b2bef59a4159c9b0d85bc297d82ffba11d748d8d4b3bdde2ec2d9cb53fbae7

Download Submit
C:\odt\office2016setup.exe

Filesize
181KB

MD5
8b0ed29413ab67d084922df1de905c8d

SHA1
ebef8540feca7243fec6e0465bc26e50fc509d81

SHA256
0d986e1faa850d3a1d21b5cd9540ce4fd1190f1a86452a0cca076a6d3248c747

SHA512
0e67cc25ae221464145170dff341f97f259e873b8fe3a82acf9fa68c7a249c030bb13f02152c40be1515eb416ff60e6256ac2e6e956dd2901f20ae8abccd109c

Download Submit
memory/232-147-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/232-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/232-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/232-92-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/316-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/316-148-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/316-159-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/316-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/744-187-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1084-579-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1084-221-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1084-213-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1112-109-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1112-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1112-102-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1112-108-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1112-173-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1280-243-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1408-604-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1408-224-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1616-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1752-206-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1752-200-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1752-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-196-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2364-143-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2372-7-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2372-1-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2372-6-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2372-125-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2372-524-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2372-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2444-247-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2628-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2628-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2696-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2696-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2844-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2844-220-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2844-170-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2844-164-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3516-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3516-121-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3516-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3516-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3516-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3720-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3720-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-181-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4016-175-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4016-227-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4016-176-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4068-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4068-193-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4244-142-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4244-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4252-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4252-237-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-128-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4372-134-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4372-140-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4372-137-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4372-133-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4372-126-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4392-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4624-626-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-582-0x000001F7A5AD0000-0x000001F7A5AE0000-memory.dmp

Filesize
64KB

Download
memory/4624-611-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-629-0x000001F7A70D0000-0x000001F7A70E0000-memory.dmp

Filesize
64KB

Download
memory/4624-578-0x000001F7A5AA0000-0x000001F7A5AB0000-memory.dmp

Filesize
64KB

Download
memory/4624-617-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-616-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-593-0x000001F7A70D0000-0x000001F7A70E0000-memory.dmp

Filesize
64KB

Download
memory/4624-577-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-607-0x000001F7A70D0000-0x000001F7A70E0000-memory.dmp

Filesize
64KB

Download
memory/4624-606-0x000001F7A70D0000-0x000001F7A70E0000-memory.dmp

Filesize
64KB

Download
memory/4624-605-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download
memory/4624-580-0x000001F7A5AB0000-0x000001F7A5AB1000-memory.dmp

Filesize
4KB

Download
memory/4624-592-0x000001F7A5A90000-0x000001F7A5AA0000-memory.dmp

Filesize
64KB

Download