c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
Size

1.8MB
MD5

1a0964d7a1b47559705ccbba6d233617
SHA1

bdb66264beeeddbf7389134f866821cf4d27a61d
SHA256

c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9
SHA512

e502e148677ca31738518b2e1bfef17b009b3ca66b261ac9ee1b55b38dd4a0ee9f93dce5ae8015c8bdec2b2acec7f9eb6535a86c4a9d14b2c442701c9d949d21
SSDEEP

49152:nKJ0WR7AFPyyiSruXKpk3WFDL9zxnSnmgiTd8DsMcDKGfWbYCGE:nKlBAFPydSS6W6X9lnUBiTLMiKGu8CP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1016	alg.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
4880	fxssvc.exe
1624	elevation_service.exe
3680	elevation_service.exe
3964	maintenanceservice.exe
4812	msdtc.exe
4412	OSE.EXE
4800	PerceptionSimulationService.exe
3632	perfhost.exe
2520	locator.exe
2976	SensorDataService.exe
4340	snmptrap.exe
3972	spectrum.exe
1316	ssh-agent.exe
1220	TieringEngineService.exe
384	AgentService.exe
3388	vds.exe
2512	vssvc.exe
3260	wbengine.exe
2916	WmiApSrv.exe
2288	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66ffeb2e205991d4.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\System32\vds.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\locator.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_da.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\GoogleUpdateBroker.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_ms.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_es-419.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_sr.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_vi.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_kn.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_en-GB.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_tr.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_sw.dll	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057ce5524ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ade03e2bea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005869482bea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000677b82bea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a86e1524ea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2b69f24ea76da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002054542bea76da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006371a2cea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d40602bea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065d82225ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
2216	DiagnosticsHub.StandardCollector.Service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe
1624	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3340	c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
Token: SeAuditPrivilege	4880	fxssvc.exe
Token: SeRestorePrivilege	1220	TieringEngineService.exe
Token: SeManageVolumePrivilege	1220	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	384	AgentService.exe
Token: SeBackupPrivilege	2512	vssvc.exe
Token: SeRestorePrivilege	2512	vssvc.exe
Token: SeAuditPrivilege	2512	vssvc.exe
Token: SeBackupPrivilege	3260	wbengine.exe
Token: SeRestorePrivilege	3260	wbengine.exe
Token: SeSecurityPrivilege	3260	wbengine.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	2216	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1624	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 5268	2288	SearchIndexer.exe	120
PID 2288 wrote to memory of 5268	2288	SearchIndexer.exe	120
PID 2288 wrote to memory of 5292	2288	SearchIndexer.exe	121
PID 2288 wrote to memory of 5292	2288	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe
"C:\Users\Admin\AppData\Local\Temp\c50ffe1ae4ea96be866574517064d9e5cfd58c396ba5d0d7db3a2dbfd39ac7f9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3092

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
262KB

MD5
8277b5d237d6195a4676207e442c7c1b

SHA1
7b1894842f36800576a1c62efc79971e41bbaf70

SHA256
9a87379108ce26378fb4e4189a4a00c9527d6e4a1935931c8e77d15ad115d0c6

SHA512
c8efcba0797d4d4da28fea572063be4d6d688a434d45271237a6670791a8e677a33bd1fc14e387abb6126e4b73ae49e6fe59b68cbdf997db6ddc7b47fe5822e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
72683fcce2814b1ddd8c5f9719ef3551

SHA1
66b92183ec098dda9adad604e94b69d4f6e8f96d

SHA256
a88bde1b8ebb858e775e0d289aff4e316bff20256e28fe022aaa145be62e3478

SHA512
5c75394dcb946430cd02c855c3590c83c985407832dbe93c88f66e32dad7972dcd9ffa7d48470b704ec5652389f3e8634a122cf22fe074affc343b3aff3d580d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
ea013e245ff675d083d7b5ef0362f8c4

SHA1
293be520007f32892798411a841a9432aee2fae8

SHA256
fe25b230eddc4a3868f4e7adbc37a52a69d9469072f86d4d69e67917567ff263

SHA512
e0d9431d0daa5f830e1ade0763a5da340f2be9145f73aa6e708f3a1dbfdef2ae32372a158a3a6f8e55346f6ccb96487577e371fc936c31974ffce8d68ceb7230

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d0284d9adbbe3bf4d8c28262a5923694

SHA1
f13436be3d1767ac454ff8e21dc14e5304bc82d2

SHA256
6621c628d98440c7de08275d55f303c159d5af233a8a736e7c08d78204fe1c26

SHA512
4d89de34a3c3eab4e5b675fe2690f1dcb59b50a140304210db142a0c9e3a3c9ea96bb0073fb5c57133ac4b0a128aa27b1208dc4266946e8bb685e30bcee120a2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
537bda750c6e260b4ad2dcd52fecbf5b

SHA1
201b4a77a2167da47be1a248f7a70e2f8b46b4a8

SHA256
70e4a709d76af95016e47a4daded6ebee1728ef37507be05b856b32f5be014f4

SHA512
97a8f00357bdf8dc6aaf9bdfdc59a8afdef5d3f935fcc12cb747c053b9641b9ba947713c58d2625782193438ac7f16883d0be5007cbd02ce429bc7d893baa2a3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
4ea59a0f05200b098d31dcc7d868070e

SHA1
bea1ddda94f285ca3b2f47974e68617601412d37

SHA256
8b2747b67fdc3b728871ea1cb3fc205299751c8c89a01fa78dacb65bee26e7a1

SHA512
f695b17dd49698224ebdbbf63e05235819a8896c93eaed85fbda2a21cd83cce1ec839f8dae28b3aecb74256cf24079293e3e035b7061415f817d2fdd8cf38690

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
39a5d093df73027d22e202a89b0c4cf6

SHA1
be05b9151999b6ed5551ae50058428d3b7eb464d

SHA256
22d3d19c754f8d7e5c35623038bde2615d195538c2805f547ccbc4028f18aa5a

SHA512
336def3b87f241d5f5ee8828bc436acb0002980cbd4132e24e14337fcfd07adb624a6346a473990b9f0f58025b6c636dc407b0f494af1ee3c87a0890c97d5a7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.2MB

MD5
e0344cc844b12ce4ec6696c0f5d86ca2

SHA1
2c5382f928353380efd0ca198a0bfb61c2994092

SHA256
fc47f14e5f41d57baaa00f09de86556cb8e1dfb16e4fe9d97ce70abfcff21236

SHA512
37ece2acf53874aaa698bb8499dc7a995bd86c52f6eac5795e7fe66c4c47962315c772590c1f5764c1c6779e0d9ba32c76c20c17be5cb3dbfef8f252e0e6e9cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
259cabd634f1810d27c0998ca2600684

SHA1
0fdb520d690267d8cd32e938e56b3325b103ecac

SHA256
a79a1642dfbf8fe7b90369bec7aebbcec8287dbda29cdc67ba47ef8a1e3f07a1

SHA512
d647e72aed3b455bfc289df0f1eed0fa86b7abd9354e2c1af7473ae21ee96edc4bee639a64d2611f76d50d7fe18fb370cdf0315935dc722af2574257faf64509

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2.0MB

MD5
2c779d7a8edfe863617d620a518a6ed4

SHA1
734e64ab4f732e8b6893708b9524cca6c8a36b4a

SHA256
8a43e08ced251574222930dda2a05aef7b5c1a9dbe892527192669078e447fbd

SHA512
f1cc2258a7cdddbadf2db11a002aa0bf26c2d548e0717099c2e2d9cc8195c3784f0af98b922b39443b3ef3429df1c2c7abab4657298dd0882797176ed8ef91e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.6MB

MD5
c5ff400556602102d0822f6bb1d21fdc

SHA1
5a40b4b17ab92e592e61c181d5eaf9ff4b8d605e

SHA256
93d27fa669ec79146b7b26abebdc44158e3e921f46d4a66818fdd50834ad8a3b

SHA512
1ddaeee7d97037af37c722787a3bf9377f1945488bfe3afb47bb3aace1ef8c417b7684355c612754d43e95c5b29a345732e173a5cb30838771ddf6c0e341ba38

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
247fdb2a9bbfebb67abc8a92a51362b4

SHA1
4abeabc9a4ca4ef08f386a433be94f7dc07944e8

SHA256
a36025d89a61e5346bf8970625122c4957c00384db494feccee2cfeae50f4ee0

SHA512
ca00ce9dcdb5ba36be15e91e9c923404ba431074839b493141e83a2897b7adbb7bea099926cdb75e013e15d6a3ebf4ed418d98c971f967925006e6c22c258a3f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
be813e86ca9ec8981877c360df8deea9

SHA1
f43296166de64b3d8dc8ba60fa35a2a51ea000c6

SHA256
ccdbb93165e50042682734a9db508b43bae19b2e504d3eeeabfb677d131ce1db

SHA512
5a6099532a0ca292f47f2ef45f99135047754634b7e1e4fda5da631b89036451d4c5cd04445a5cc949b8bb58544876fe16a8c769ae90341230e0dd6b9df595a4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5ce495bcd78e07072f24aad3f3380114

SHA1
dcd1ea182a6eef66f72b38cad6d2cb2e3c13be31

SHA256
18fc60fc3de4c2b0970f03390d32efb3ecce0e7835bf6fcac58d689e7ccefd9e

SHA512
8a12a95d1bc7845ace04646de9e40d4c6c9d1692ed2bc1300bf6b0d5fbbb4c1d2003343f5a89fc8a9690f70d1a11527ebae90972ae87f3a541582f6ce584114c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0590cb2686cd8411906b81ecbc82dc90

SHA1
d3fc1350981988e0d8b622f7a3ef61e7b8494bdc

SHA256
bed273ef5b6f494b49c4e9b80329c5ae0eecfec48db3a85456f3924e6abb7e2f

SHA512
3df4926e14967f6b06b6da6feb36da381b45221343b6de2bbbdb6dfbf6ac84a2cfa9dba7b52726f2b91a263c36cffa7a90bed88c7bd6e92ebc5d4b1e6f37be6d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1099b3a2a7758f56f95072c3479fe8f7

SHA1
b40c7a697185b78970a7183a1babece6cc94f661

SHA256
78355d9a3809620426bcf607aedbec0fd14dea331fc2fdf5a41c7ba142761b79

SHA512
d3aad6e86e7b8ee11bb13a0d23bf2694f7e17f8f4d5ac4d383fdfe08f43c5468fcb0a0eaec3f5c379c349a93cf4091cfe08adbbfc09202eb3b3d2dcd37dd5eff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
df27b6184945e50b25fca82b18ecc701

SHA1
d21a52f3cada09a6bcddb26fd725515fab309427

SHA256
0372127194d5d9167d344326bedbb9c1e6d6f55404397d37bed23c7ef64a6a79

SHA512
735f149621c20f62de6a712fd44838b45c80712c5eb5d02c8da6aef39fb383b213d3e0fc0488854dae2343aa13baa28fb891f919d0a63ebacaa48d1c941fdcda

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.2MB

MD5
3411c4d7651e4f3604bba35122388d06

SHA1
a9d83b1da82ac6dd93b9a365d34c8e02c50d26e9

SHA256
63a63150beb29c1d30a236a4394a4d7cd17ff02b7d577b807892432bd66f98bd

SHA512
9b0e66da5021cefe39f627d02817bab78eca63d178a5840bd440013a8f251bf58ee07140ecf181f1b75ff959d7349e910f13bb56bd907237ad750227f9aaeb87

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7779d75f9fa675206df2a6f4e7ebd5ca

SHA1
f8df1ea66f2d3812410ef2a6211ea66c977193c2

SHA256
52a41e1571b0630bd72fbe3c0409ff0351d59c768e1005f35bfccb89c8aa10b1

SHA512
47fd3c81de39425d7204ff608aa28c516d68def9b843e0e4e4f0c272ec444d74cfaec0027185a8190f32bf325a3a1ada1cf84d2b52b5dad1a52ca7da333fa010

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b1a69f90c6e47eeafeab18bcc227feb7

SHA1
1e6ac5d6b84c61eb96bca9107e40a52168fcbea5

SHA256
9e6b456fa0f398eedc30e2cb986bb6468c17ef367004c4e94981443034f2b629

SHA512
aace2cdb97f3313ba39cbeab6ea211c89bf569cc92cde8c026ec22abf0beecef630c132310bba4e73940962937d07f0031e09af953cc0bd63882c9358b2de63d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
d0d76d3711ffe5525d5b6b6604da5dd0

SHA1
be57fb4ba8fec8d14e2f2a43be4f2fa29d8fb432

SHA256
4f91d98de64443816e1b01bb1c079f25d303604a436ea15520a20df69d380a08

SHA512
35c6e7774606a68b16d6b3047563f5020abcef32278f7ea4f3ac638d40d80c7c81b80b89c69e4d3e7a68ddab0cac580f08d6946ee48856615c6dcbe6f640d2b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
99575f63180859594f7992f5ee70c714

SHA1
3b27aab9a669ad8f55b9596d21c560fa09c208d2

SHA256
d18ec774103c54a6662390b76683958dcd495c641bdad0242fd309d1505c9590

SHA512
bfd70dab625e6adea8af8bce868911a93937a3ae9e89f5397bfdfc4f6666d24f6e933af83e2458059cfc7b2a8ddec82fad2ac1fdad4f68a6d652ce9988747864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b3c6be85003f89accc99b0a21084ad0e

SHA1
81f407aca1812a0481904ba95c453e95b9fde53e

SHA256
539999e5c3514a85ae1a9c432b6d22b40f6f5290a943d1ae1a9c497c0b6a416b

SHA512
ed80206a42d3c2b5a5dd01722b0365cc5231abca797e59428ff749c94f755416ed8ddc2c2d6b4d658001555b195d87573f2c8dffc73b75aa90e8833aca228bb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
e95888999bd10d83c8a0890f34320fa3

SHA1
2b1a017c11490c5a0aa2c240fae2b7ab804260c1

SHA256
d5412de9e350325e7550f291f6ba2643bcc8b4ead3f202690e0b51f391043b7a

SHA512
28ff1dd23842821f3f8687840e44d1a52d13d43b5b9fd23cf9bf03819e290ff23297d8c30078c952335f319655d4a5167e70c58edcf1c8b152a94cecb027b331

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
59c496bae410f3ec45b6c7030e4c26f8

SHA1
d7a695360465af83cfba267afa808410a2015165

SHA256
e949f177bd1257c7d2d6ed584f03bae67627209beaa287244bcb52dbcaa091cf

SHA512
3a864f07a924a9a3d4c39ad4b389e023ca8c108ccccdd897015df1f2344efd7ee7676ea1025186f7d0e877f5ebef39bbae7ae3c5febd94c22906ea088cc5fca3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
49821e557cc52500ddcf9137d26c54f1

SHA1
8eb9b587cbdda5e7797e42599c7267e2631af679

SHA256
994844571ff9072dddf1f9e21830732874cf35d9a1e85a8498bf3ba850b349e5

SHA512
54df0d91260abcb7edf09b2293e40ba659dc197fcc815017f1ea8e5ea3f76216fee4978d8bede6c920731c56438d368a156ff74acb55207d1d5f718cb8aa08bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
65124898ff777737fa82ab11653fa4ab

SHA1
28fbe70ec740bb358ce6cb0393ecc6c0de2c41a5

SHA256
449b9bf8177e5dcfb91306bac7742d687edc6272cb78c60a4e2cb444a8ae24f6

SHA512
59a31dd64764afe56b5548f124635f8ecd9bf48cc6a4a7609d2df39230d61a5b2072fa64a863a7e7306a1d30bb5b8b6b4ea3ceb43af338a57dd7b4fce9c9a91c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
92b9ac5c57d89f64583b4af93db224f9

SHA1
0bb8afc08ff8e18be4216849ceb9026d2b7886da

SHA256
a87bc70e3f2060d376a2c779411c61b9232030baca40dafa867a763f7ab25b31

SHA512
4bd23bff8c79e1899c85249e24b2da379c5068ae778d5f011411c0e27f6f42c5cb6e46f042c66edaa05c20c605a7f8835ba54fadc675b1249b78c7704ab1e0b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
4ace3c1ada6aaa3e5ff67d82d98d91e0

SHA1
907673ddb32198863c3bff256a1e240aa2ec99c8

SHA256
b87311830d55a8d3b56d8ae3c1061ed93b101b048360f49db3a0777e1fd75409

SHA512
83921fca7acb7a785eb9668e84ad7233453d603e52aefb3d17db24c9b175ea4e5da8fd40fb9070d30d53343a7765a790c36e7686c32bd6aaa361353c20d89aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b71706d7f412fa7c5b4292d6761eaf7b

SHA1
b3a529357acd482968a7c01febc8f8167b5b4c53

SHA256
b6eae7543de466e757830f8ad2688cf93c11e6db5615e75fdf3b8274573d797b

SHA512
2d6a32f8c0376e06202daffdd22c0f28b7e83794bb1f8490f28446482703593622c1710f660efa2fd5a32abff63369a8e37635f14c1051d6226fc1c119bf39b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
33b1db794d072f41d03f52127fde2b4b

SHA1
5037bf88a4ce94fc2d60aa88501c23a4cc5839e1

SHA256
f704ff658ba60a4db022ed54c8b8f504bad9bf6d69ce2c974f59f5cd3f5983b1

SHA512
645d218726bc32f9f0aa80744a5b1c199aaf025a7d7ff01d6dd7d10b2d1976f2ee38a74ecbd382db1480fe35401fb91a69bef703c481ef80cfdf0a281ec453e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
dd9579e8148387691e24ac73dcbe64b9

SHA1
ca6cac247f8e140c27b1f9e74301278d98884338

SHA256
ac1dd96c1e1f975d02155bf2650adbaaa0196f756f2af04a5348a36c00dc6221

SHA512
abe1d542380f8dd4f4339458773fa138757afaac2f1af84807f520c6c1b868e8c118148feee99d0e6169b78bd83d67bcb1e7e5424ab1916004d2840e44e2a8e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5dd9dc9e2e3900efda0cbf6df7207285

SHA1
367c59f00eeb072cf4e075098a605ddc54d3f773

SHA256
0dc224138d8f0b6224a6f7f427cb32af15d399ec1756011a47225943ff5de715

SHA512
7b396e2daf5ccf97f9fd698137cf11a5106f31b2e44bbbee922f3b49fa5653932e21429757615a04dc8483f43f890edcfd27ac9c408134d538d454d46c33599a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
d41ce1704911ff823b2058fc47e90224

SHA1
92ac2983dac6e522ddf3a32007b3ae3ff5574490

SHA256
05c2d53aab8c25af1ae8113d5e1f76a1549049544d8c311d8ec246f1ba301c13

SHA512
5a8f732be4c0bbdf2389fc51b993ffe961ad3786fe87b6708e90f2b6160116f54ec58cbee7130502b0ea8e606ed909958933d4d26cca8661ae85b8a41dc34fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
2e862ee2fd0317d3a3135c9ad492d5a0

SHA1
41afc243c2c1ef3642c0b50f0f1f941e31b1c2bb

SHA256
6ac49695b8487c32892fb762109915352af0e18648e7180adfd1fcb9c5d702d4

SHA512
c2a81162a3379794ed1ffa08732dc1266dabf9ba09fecda9ee8f31b9373d17e89573ffafd5a0c6b77d7534bdc1ab84e8680a7ca0b3317109b7a718ce26291f58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
92b96472243111d5a52e949261f37558

SHA1
842ae77ae48c2b94d139f297da1e26871916c420

SHA256
954d6c336ee22982ed44bc33851ca51b40c66be0801d4a918d95035b93bfc397

SHA512
1761b2ef137f430008cda14966307a769597e1e1c241b8a8109ad7e6be04162a9661ceba8f15e2d58c6c4e2b73cd0aed3ad9ac8c5f40df1cacebee997d5b7eab

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2f9e0245479babb0930e6d69f390471c

SHA1
aa6db80bd0f3b28119c1c360a62f7f607532af6e

SHA256
14f55928dc2fe3e66f80a806699b7c5050f7c426ea3b7043c31ec57465b52687

SHA512
c2bc6fad4e94ead082a12ee8386e17023285740f43c80d00474ab9aab0e9e9b8d905ecb53c08dff0d58b69103d793aea443450954d3e04704a633bcec9872aa7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
ff99654563ecf321fa4a2930f9196387

SHA1
71331da2886a93d0da182691cab702f199021808

SHA256
b12e3d0e2db0604d4e3834dba8c41ce197b400b88f5f955c77732ddbca7b17aa

SHA512
53e280bdd7962147ae9a3bb50401320a200aa2144d7d49f8358901d9d7f3fa22c130ff16b51b3cdaab198fe0c2d88360f46c6c2574283d6e15b5e58cd7eeaae0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
827KB

MD5
e30410cae7107c75c50bd1393d739cdf

SHA1
eaecebc80fb524fe06142e409cb3075919ec49f5

SHA256
5bbf1c8734d65223c7c58e3e8c4af17e2447e0dd50c722f6d1e55737936c14b7

SHA512
6007f9098896fa1eef155d33ebcc73e6f63242fa6686521aae352a119523ab7110bc6bdee155f5f31c73610582833aa72f73c56e31487665d0eab49b6ae62bed

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
599KB

MD5
08f1b4012ad3c26d5fcdd79f61b50cd9

SHA1
40d44caa8a0997fdaf4b6856f4d2aecc94c0fe9a

SHA256
9a9dec2c2a97b65b11adf46bec592b5c24cae0aa5808a476f2917bcde7d118c8

SHA512
b8f139b439bc3c776df889e4d4b17119bdcc1e93b89852307702d6b9628e2536c88c6bcac82339c690a74745e0c64ca913dedbd4affb0683e55ff74f35cad0e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
cade2815482addcc9ab74ffbc570e6b1

SHA1
446985483f4c19117bbf4b237d51f3dd24becb1c

SHA256
e1e9c9d31e4ffb6592e233ee00aca08b3fa8b829352565fb365d8df9239df372

SHA512
f16798a9168669d98a7bbe62d9f62b9b8b7fa16c9a88e520433ef9e57edc62b642d4afbabeba4e8c3319d14427853e237df38ec015fbdee5c5848820ee563d09

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4449484ed850733c4e6e2f7b5e893a66

SHA1
28e059dfa8f3b04136b947b6acc42ba370cd60ff

SHA256
d8929278072318f28534aba0c05c68f912b0facb8a9e2eacef89ff0a80ca2f0a

SHA512
94522c52b0c6b45df08190d19f76579ce65670fa7db1593dd19ca213397837cf6fe4c3c7641b05a2d3d64bbb15d1346950f91273e6f6299d06378853113aca97

Download Submit
C:\Windows\System32\Locator.exe

Filesize
396KB

MD5
db28d4cb41687026bd10a68cf18ef102

SHA1
aab562422cca3873968fef0ba4df6bc21e56c6fd

SHA256
af328aade8ecffd35598d26bd0d5bd09bdc466c325db2fb3d05e80696af18ef1

SHA512
3bd69feeb68b6d74b9efe6953b13d310416e108fc6410cb36b9b67ca58237c826615a99d7ee57bfefcc1f8656ea5f22a7650e75f2ed21f88da89f65be61109a6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.2MB

MD5
9bf363b717a9c4dd2f74b4063a513215

SHA1
eca8245ffe4c397b613e805a4db0de5c9ef576a3

SHA256
b9074d948db0129e5eed1b69d6ecbb470f4d9ef4299069a6320e6cafa3bcb59b

SHA512
523a139e9820658e5a8ee5479ed369a3d473e10b390b1c23120961204e5dd7f343b4bb7971d4c10b22e1b5ec88938bc3daaceed27623ea3b8a21626a50f38504

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.0MB

MD5
e7d5e9f2e432946cb326b28e175c573f

SHA1
c0604a019a04ce724f73e864eadeec8894f6c0ff

SHA256
c57f70fd505a30b349c5a8fdfc724af11cd6ed1d6690a9dcf2ffc1a2461528a9

SHA512
a907f167a4cdcd530f2b54233683a6e0e0973869f0ffb1bf07edcd1a122a279937811e06b6cbe355bca0d40d2b9358da3c9a4f1f87dbd3d1437caf4fe2739b4b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
984KB

MD5
7d08bfec4368df5e1ef92961fdf13f30

SHA1
d57547c4a84bf051ab91a6994d54fe1de9d790e2

SHA256
db9f49048201ac923ad5edde886a3c4170acc92e3023822f69e0d7f3bfae17a2

SHA512
32390d4401927e6dff64225cfda63671ff9ffb94bec2e84abc0d9ad1ec8d147e37ac3ceb74b0b596d7484b3186ec2c602d4111c51b8dbe79c88de5e5df2b1d9f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
65KB

MD5
6e157dabb7002a74409852d3617c54f3

SHA1
5db9ed9e97603e9cf9e0d52aea39ec59e639ae53

SHA256
4d7445eabefc618b8aacb906f9774c3ff749d30e1944053d566b3503f124590f

SHA512
e1ce3c8ff74f0327ab9ce747c4ec424c0a33b3012b68b7f71f17bd99fce45cd82a67b06bbac29ac40372355b1ecd4276fad095648c53b7701db21e0944b91ae8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
408KB

MD5
a157ee754521c68aaebde854b6ff3a5c

SHA1
4dbd4383bc59a06c08c2a783cb96e7e148f70f3c

SHA256
dd30d944073a568c1d5d11977faa892a97b7f6cb74913038f58f7579e697e8b1

SHA512
67e18369a096f64b83d01f66109fc5e2612231a30c6e698d784b245ccb866085a3070438f89c392742341fc58f310cfaa2f6add189a874e13ca55ee5bed623e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
39KB

MD5
a819fe7843e83d050f5685361354bdfd

SHA1
c5ac6a4c703a9d95fedecaf2866f84c5ec2cfb5c

SHA256
b72efc3b5ab964bf26a2335ce0ec168d573bda0d8bc4c502f34d5cc10b8dddc9

SHA512
5ec65e44c45d96de6373b3c2da164f7fc2696ab6aacbfd4c31f10bad7c9ea849a37dbbdd411a6076998bd8b8e08553b695b3933a032fd3fe5cb4c4d653e7178d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.2MB

MD5
d98113c3250679d4c24b6b3a52d48d73

SHA1
9ef14086253549e39dd0d8862a50d7a30baab9ac

SHA256
b053093d371e2b3c1fb29b12cb69b29602c2469a51c12db0d9a83a61da105c5e

SHA512
aa6a7fd139c32dabe80babef3cbdb97b6b6ac081dae9c9ebc5929be0b4b1ef18e9ead3ddc789acd8fdef740664884588b36df4a48680cdf6ecb38a7345f1a973

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
496KB

MD5
411bb6133ce466d4f60f6f07c39d209c

SHA1
85d87601c28e5938682b62e7dc40551923c28e38

SHA256
8a8c3ae172f5d55b36ed7980f1506e351b6dd35d9dbf7d307659f65063fb45f7

SHA512
b16332fac341265365f721ad02cd1c97beb0a69c75f0171d3710a2e03b3dfe54c7e4853fb5d8353f0e59ccfd73accb33d0ea1b30268dd1385e712e16a80c6c43

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ef8931cee99d49866ae91ec106e0b491

SHA1
c36b565622915c3e83e74f1274864858f7ee9320

SHA256
743048c554da9ec498255e7ad7aaa418a87cc8513c9a8925405747f2f2f379e1

SHA512
aee500f4b018cba1b7b1666b60796fdd0f3b66bcb6eca0a02e74aa401a98ab4b26d7dd00c9f2c99e113da61b8640fbedee34df18953381a730c2d95c179920ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
d046b7e88d5d736e5b097c4f195399ca

SHA1
79094cd314dccf2c6d21c5b316ee8e7103ca4f39

SHA256
1cdbc3c665f0aeab671094e144a58db13089cf005801173666be206534748f2f

SHA512
d28c9b14b8b3f674a592e2ee966abf5e8286bf726e12c63dffe7bdd290fc7a4cc1fde39fefce811bf4b74087f33762a07d62c4e58115f2e09d456711cad0e9e4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
117KB

MD5
6e4e6ccc4593e40acf0e021a21996398

SHA1
cc76e16380098c0e7f078de42f4cf11af154c431

SHA256
dc5592aa8a891d6ed4eb01c0c9e7759b6179b981579d7f4db674c4a18e6b9fed

SHA512
03dd5cdaf4e80308588e10a971d17e5f754fe9411f10a4a70b3a4cee59972e3676a63f8096996ffb5684aafc9c9fd3b53da4623c9afded2849e60df299f1a9fc

Download Submit
C:\Windows\System32\vds.exe

Filesize
706KB

MD5
06c6d6e9809b1b03cea24075770fe264

SHA1
c664d2a3071772ae7601b08684d7e7d627bc338d

SHA256
f1763212c912d5926fbaade3fc8fedcfacb7d0cde47211d9a0c53a2880aca643

SHA512
00fb68a6554b9a2ceaf02de1ae76a53d0077630df2a2086d261bd2b88e57add627348856485f4ed1af669d64e72e770d0b86ab9962e26de40e7a65d69b126c3c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
347KB

MD5
91f712778f06382d53c258d0fe547319

SHA1
6fe2c1fd72847bf103ebf75e64e3a3da857ae71c

SHA256
0d486a6ec1fa34b4ee6e8d2a2794d9cbf1a667975bec5cde86772404783e84dc

SHA512
89c900bed8d367ebbc05d5f43f831a6a5c6028c428cd99ff10aa41c6ada6caef2887123e9da9741994b91557d3bd6de8ed8975f40e2e09f651d7b1526d784575

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
339KB

MD5
066c6a2a79db9dfdf993ad9fa0d36128

SHA1
4c4a31d89d75e55d8729aa6e301c49cdfbc818eb

SHA256
3a28b7378a0f30d945e6332511954beb98aa92658f9cc8a091f370b3f2a9042d

SHA512
32b9aafc07a6343dbb49456c1b7e3f61c0553b984591cf0081c3ed6f99fa74dc3295f3e5280ea3a54d2b638c54a9b84e88ddfb9e739606f202e77e469aa57758

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
2d50bd0d48d60e3a2588edc214dcef90

SHA1
c9177c8509cbc0bcba027762545d8657edb2d07b

SHA256
6f4dfe7a0315987d120588ba9b8b9899a5062efb630bbd4e957fa622a960e9fe

SHA512
b0b070847159c1a24ad5970a21e65b2d69869f887907d7561b3c2ad5839c06b4c516e09d0cdc7b620365be88c9bcb08809d969033d500c5521dc0812b25aaed9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
732845762025e4862ceb543b09914662

SHA1
34e058a8b039ebea1c5accc94cd3f6775961cb96

SHA256
1928725bee5006169cfc3b556459732febc81c4312baf14090816ededaf45c9a

SHA512
ed63d8b5ceecf499181998b9c479d9f635cfda4f9e823ae9b754a5f8610c70e2fc508f64131bd10e9b5a9ba47b8c60641ffaf40ba17d12d203a55d70f5df5e2c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b7d5d2d6ccfdbabaac8d44d8b6199278

SHA1
a72c363ee8b145edc3d68487c77338eb10b5640a

SHA256
fe508e6cf0da5d25c499b47afe05d2c173392bc5b24dcdd3613ee4780d565934

SHA512
1e1bcecd8c067ae9b482b69572081d233a799df539f950753c5778666f71c08aeb9bd9ddddb1b8a5c219effe1c9b2f13c8bc7d02ea8e60ba20575b093ee4d67d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
156f0ef240570f6bcb77e1656332f152

SHA1
39597972112fc05e2aad90761261b1f10d60a94a

SHA256
cd59d7cb2914aff54fe0d767d14c75bf26b78160f5a77bd657604b0f8dc3537c

SHA512
55d8cbd88a19ccacb62ef3c00cd7c93efb7c63b351cd3f01354c3e12f2ce4589766f2f337376183beedf51abb58986c5aea3c9f7568904aa060b8eaae48ef2fd

Download Submit
C:\odt\office2016setup.exe

Filesize
3.3MB

MD5
23e0e4b6d23f14fd11c439fea2b37538

SHA1
b6462484423c9110b54772aea6f675d86e09160b

SHA256
80d994908a39e39078eacf454993f16fe5dde6edcefc8fabbf0073f973461d17

SHA512
b776640407e5157b0a02830890b17b393c6d51789596f2ef1cdd62b1a86a709820a6904d608be377bf4f547e9b19322692181df795358fdc492b64ff39760688

Download Submit
memory/384-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1016-13-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1016-139-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1220-557-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1220-221-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1316-556-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1316-209-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1316-219-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1624-102-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1624-169-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1624-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1624-108-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2216-86-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2216-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2216-76-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2216-147-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2288-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2288-244-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2512-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2512-575-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2520-183-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2520-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2916-241-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/2916-591-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/2976-235-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2976-555-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2976-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3260-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3340-1-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/3340-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3340-421-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3340-7-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/3340-124-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3388-560-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3388-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-173-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/3632-178-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/3632-225-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3632-172-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3680-119-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3680-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3680-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3680-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-123-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3964-126-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3964-131-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3964-134-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3964-137-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3972-196-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3972-203-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3972-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-190-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4412-149-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4412-155-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4412-156-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4412-202-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4412-148-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4800-167-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4800-160-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4800-161-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4800-217-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4812-140-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4812-193-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4880-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5292-577-0x0000022C4F8B0000-0x0000022C4F8C0000-memory.dmp

Filesize
64KB

Download
memory/5292-576-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-578-0x0000022C4F8D0000-0x0000022C4F8E0000-memory.dmp

Filesize
64KB

Download
memory/5292-586-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-584-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-580-0x0000022C4F8E0000-0x0000022C4F8F0000-memory.dmp

Filesize
64KB

Download
memory/5292-593-0x0000022C4F8E0000-0x0000022C4F8F0000-memory.dmp

Filesize
64KB

Download
memory/5292-592-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-579-0x0000022C4F8E0000-0x0000022C4F8F0000-memory.dmp

Filesize
64KB

Download
memory/5292-604-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-605-0x0000022C4F8E0000-0x0000022C4F8F0000-memory.dmp

Filesize
64KB

Download
memory/5292-611-0x0000022C4F8A0000-0x0000022C4F8B0000-memory.dmp

Filesize
64KB

Download
memory/5292-613-0x0000022C4F9D0000-0x0000022C4F9E0000-memory.dmp

Filesize
64KB

Download