06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
Size

1.8MB
MD5

f1db16d412a3215872441a59948a5b7f
SHA1

8c9a357ec01489be2b0f0b9734fa95b4b5724755
SHA256

06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d
SHA512

700f7de4a0be220efe0bb8a677559258f20cc637d10ff26e3ab0dd1c754111f0a009b08446b062b594ec5af558dfd78c86bacd3aae4b520480d761e55c9f942e
SSDEEP

49152:nKJ0WR7AFPyyiSruXKpk3WFDL9zxnSmgDUYmvFur31yAipQCtXxc0H:nKlBAFPydSS6W6X9lnSU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1964	alg.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
5116	fxssvc.exe
3564	elevation_service.exe
3500	elevation_service.exe
3636	maintenanceservice.exe
1908	msdtc.exe
3040	OSE.EXE
4436	PerceptionSimulationService.exe
1144	perfhost.exe
3008	locator.exe
3184	SensorDataService.exe
4032	snmptrap.exe
1456	spectrum.exe
4412	ssh-agent.exe
2436	TieringEngineService.exe
2564	AgentService.exe
1640	vds.exe
3972	vssvc.exe
656	wbengine.exe
4172	WmiApSrv.exe
436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\alg.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d840be2d822cf6b9.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\System32\vds.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_nl.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_is.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_pt-BR.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_tr.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_ko.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{69188FC9-DE03-4F31-9660-69825F846706}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_sk.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3D39.tmp	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_lt.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\psmachine.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\psuser.dll	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7d16527ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eebdd26ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bc11427ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088667726ea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031241727ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a74dff26ea76da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0f6aa27ea76da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
1952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4908	06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
Token: SeAuditPrivilege	5116	fxssvc.exe
Token: SeRestorePrivilege	2436	TieringEngineService.exe
Token: SeManageVolumePrivilege	2436	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2564	AgentService.exe
Token: SeBackupPrivilege	3972	vssvc.exe
Token: SeRestorePrivilege	3972	vssvc.exe
Token: SeAuditPrivilege	3972	vssvc.exe
Token: SeBackupPrivilege	656	wbengine.exe
Token: SeRestorePrivilege	656	wbengine.exe
Token: SeSecurityPrivilege	656	wbengine.exe
Token: 33	436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeDebugPrivilege	1964	alg.exe
Token: SeDebugPrivilege	1964	alg.exe
Token: SeDebugPrivilege	1964	alg.exe
Token: SeDebugPrivilege	1952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 5960	436	SearchIndexer.exe	120
PID 436 wrote to memory of 5960	436	SearchIndexer.exe	120
PID 436 wrote to memory of 6000	436	SearchIndexer.exe	121
PID 436 wrote to memory of 6000	436	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe
"C:\Users\Admin\AppData\Local\Temp\06ba29fba525e750621aeec6d2a1c6cbc00ff6b201b6515ad68cdc2df63f287d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3184

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1456

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
34d3feb6aa6f51910fdddd5cc2de2301

SHA1
29dd673de8255f281d70130148c972154376c8b2

SHA256
3c01421112d0c1869ed4d20b9d27fda2e61eee7c9f8b7cf013678f9ad7b44c89

SHA512
4b9a02902247ee35303db7bd90c234b6892a74367e2669d3fa76b3ad88d2f4496c5a5f8a8511226f1b0d4902d5530b3d2bb199da8828ad252e244cc6baac8022

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
863KB

MD5
010de4badbfb08eefb720d542a211329

SHA1
b4cf0e89a60f8450da47c38f4e7a2f698b8bdd12

SHA256
6b1d38cb8ecdc05b45e4366b5f822d7c03093d2b4e9fb8cfe4055548ba9d7a9e

SHA512
64919b513c2f9979be451e2815c6d1694111220d71cff767902467610f577bea686738682b0a74014d8c016a4b4bec5a167d39c30b53c64645d698b76fec08c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
168KB

MD5
2672011594fbeef5641e78036616789f

SHA1
c40e8c45c7be6101e13749d9ea6e3ed797c1cd1f

SHA256
4dea07237d87916cab55a83a775cdc0002e08bad7342130d6de2a95a23349cdb

SHA512
5d7402505cae0985c47c270b242b5a18d7836e4dd7fe2e6d86c47402d51ce21c1e5754de39bea2fd03d8f4e13d68ef2d730916c8a12627211af9be5c4af9bb63

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
118KB

MD5
9289bb60291942196723129419928cfe

SHA1
6727cea3d403cd8f8bbe9ffde99863f67e48ca6e

SHA256
55a313bf5f19be80c99019b5a213582e13c89ab4615d40e1c2005ae43f8d2021

SHA512
0553a87e83e61bb6abc02f520b869a1e5aa92bf8cc22931cf47c99eae42ebdf9a2b5ffe5a939088e45ac06920db44f99539a2fe0356b0ebe6e03242f2895e2d4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
61KB

MD5
87cd3490d6cea99bb276a5bdc297a680

SHA1
7ffbf8cda02d080a81da549e762ed178ea3e7522

SHA256
a86c9f326b61ac8e9e947136a3b4816a3966192b0153d5520b3d0af43e3c8097

SHA512
9345ce78e10dca267c5268e2ceb6123124f6d0d25e7c31947c27700211501a995d984fbb5f6ea9f5e0417da2e6d9d894def177d3789cf8a8051b1d01ec2bd08a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
92KB

MD5
32af87c70e974570b3e783b0e3d0a68b

SHA1
660c186245d65092703e5e22d8f97bd1fec440a9

SHA256
f78cfe3876b040667036a925e029fc3e3a65ece7782ad8d3b16aec2694ec85b3

SHA512
1824b863937a831f297d99f5c288396ba49dd4b22a40faed16217eddb7b1967fa627697592a17db77304ba3f31206460320d60322bd08c8394031a0ef0d4d922

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
7499f206dde80aca46b2458a77ead427

SHA1
302e1a0425941fbefcc5744279675de9bdf6b270

SHA256
d86a81dc18db9c8c4b525f1639e5bddbeb662b31bd4f39833aed958856806234

SHA512
23028a16007bb7b5b8109c9776f4dc26ab11dd70280390ab4f3258f1c7855ec17abf6fc4ed0ff6779de92cf3157ae9d0cd3654552a936520861767b33a11a6b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
673KB

MD5
00583a0d53e776a5ed819c4a969d0606

SHA1
88d1091e545ed7f428d0c209fc1c3815a5e8ba54

SHA256
14587bfc3ff9696706726c0fa0ea697c728c2c264ac479d45491132dfd9756ea

SHA512
99bfced4755c62f53f0e566109c4bff7e93a9df53f94fc0b370214025b979d839c71d627e18dcd75c8c5bb7d017a30075bf8e0257d36f18f4f982a35317ad109

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
924KB

MD5
875129133f209014efa358b245c2b138

SHA1
d9e0aef2cdf890257633b4c4c19403459e038118

SHA256
bc32ca0fc670d58a570ffad4b5593ac3a1ad53cf4aedef5da4be27cbd3d67097

SHA512
8a8f90d938e65ea0a16fcfee8af91eb0987a363c1af2dcf5e6f1c2b18de6b6e112076561fd0ae5bc9129044afa2cf66cc64bdc1dd2b96f5c812d7d414a0bcbdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
605KB

MD5
fc892b2561b33a1742c7e415aae7fd3b

SHA1
4a8f090592ac4c748efc5704a14d27b088a52178

SHA256
d8b30c325710b3e43ea6a592db8e8c8f1cd18d6cdf3217b920d5d56282ee8f02

SHA512
061a2a727ffd906401bbb817b0542c84be362af0bab1f3ee98967328c4fe475f9809bf17caa71f31de402b0cb2b75eef5e7f55089c22190a73d744f4b89a262d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
658KB

MD5
1885521b180aae902b4c857933061ff9

SHA1
7227afe6904d172e6ad371f7ed82b710c83dc82c

SHA256
b5c54828ed3242a31392c0dfebe8e7fec679a60415fbfe10de42792be99552ec

SHA512
17c1ccbef645d7c81628084c28933ab05414863bf6fd8c1606471ef7b2ae0ceac27e9d5d87e3b0d679b5155eefb9451608f225d21dad9d13fb1824b3790c50e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
898KB

MD5
f0096f9eaaaf8f543ebb6b24cb52f1d3

SHA1
4cdac01a19e8c10c11a913abe787211190246553

SHA256
7e79c2452a5bd9a0bd4b989576f63e78cb3df7cc08f442da671246d43b15ad3a

SHA512
9c81094b8e2bf6a09f36f080cee193402ec1f1bc4da70341be8e35741d2ba33a17c2b182a68a8046e8144a4335a510894350414d13082236a39201be4c1a1417

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
539KB

MD5
30da1ed40240fe16323b8668d5b8c994

SHA1
41048ebe30532053b9b405afa1c6760edb3c8f7c

SHA256
76896140f271899a281054c2240947abda94b7c7de358cf8c3a12673bba68ea0

SHA512
e90ca7a1006910b084ed52670a03f34c9af9f86c9e530600746fdabc222d0d4a07d879516238a890b4a7be07b5cc90b0c1c1529a2ac758b7f6369307ec6aa47d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
854KB

MD5
4603ebd885c440a9e3da945ccc7a7499

SHA1
2b6740ec0bc5ae4d3996028eeb368bbac52dc385

SHA256
58c29e490018f6413efe6d0af605b0a8fb20075e50676cd7873374ae72cc6e83

SHA512
4ca8511d5be2abc9f9a069b182b9f67ab0dab98d1c930cc0c4a7b1f81e3d2b42057897e48e43b8d0b66d60278f9893ecb023a4f3eac8b9a8d27beec7108faa03

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
497KB

MD5
4ec0691680d0e57262c28221bbb55e97

SHA1
d91a6965577f58117dd238db1b69e161aeca8763

SHA256
a66fc4b090a31931effceb65635ca1aeb2fdd88a6606376fa4f656704e8ac577

SHA512
dc93981b92b0558e967f9daa07dd6b9a19a7f861930144afcb26ec53b3951cc42c1f44ef2d9ad58af8cce9a2ab41d1168d9663e315750d0cb26a2cdc622ab447

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
592KB

MD5
60f90c34c904b64a720941ff6791dab7

SHA1
dc2ff6af40566a7a46fe1236dbad266e846a55db

SHA256
2de3cb665d9d954a09bbc0123a1c236ae815e7fe1c2cf6d9762389be6f2181cf

SHA512
a6b4df10b43b429eda10d059777c5322bdd27e3824d70eea9b21add99a5f125086ca85ce4d8b41f142cc69ee45a140067f37a0f7038cf6c34827aa4f1ff20e2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
555KB

MD5
11cfe55bce623f8fdb3d2917929d2b08

SHA1
01eb578828bce284051201065cb8d2f80b89a529

SHA256
5ba6f9f5bc0e485011d775b8ab20bd82e107403b2c2d36dea9d86b1368b0459e

SHA512
a1828c59aaf13d82c8e22663d81fe3af3401c13f4bf641c0badd7f3a4c35c6904948de1f19f145915d49f629aca08cdf1e56e5f282dae9bc057e0f3689fd1336

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
477KB

MD5
cfd8ada0f7a735c5d50acee7505d4dbe

SHA1
cfd5d51d8cb0f5972a0874447426d2ee8f0e873a

SHA256
f638623ee2cc9b66ac9987fc942f7ca45d8b98f869c2d35377dc34c7ea2724c5

SHA512
1f4079056b7cc63b49c41b5cdc409d36f82cd2e308d6ef26b5749a7ce53b3380aaa351e2bc2bdc309ec58712fb4409e16c346d7e571deef5997224607fc16dc2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fcc871554f1ef72167ba68bf26aa5616

SHA1
01f3562bcec1c66b84bac6700365106303ca3857

SHA256
d724c699c66d81eefb6c528572705726b06a66fc6db4bded7b63c929012a924c

SHA512
84488004b5bccf223061e24953afbae0b04c2de6f74e3857afcf31c46270105c03458e5b2bd5acc7c841810fa8cbdf042f4c1e4652b314c39738ca3f50d32968

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
712KB

MD5
e430249ababe4e265efdad0a57d1b762

SHA1
7384d6c42290c42b7b17dfd6372a0b05e8e36fc2

SHA256
cf49dcb4af9f6b6eda6b22cb68f8078c86207b61e5ec7c124281ba56bfc58b21

SHA512
ffe36a3a86cbbfccad85be4f4b3a1913a6e06497ae9051aec38407e629c2b8ab8e2d42f59b6f03bd9416aeecf215ec407ee295e9817acde4be2713775aa6ac18

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
536KB

MD5
8cb1a374384e9846cef04e4432ae36cf

SHA1
9ad924e0914ed31532bc814bf8de10ce9d3d53b1

SHA256
ffd9f7bedd5d49326fc6e5396d68af801237e8538ebb1d256cc3fc422bd2bd45

SHA512
3545713819dbd26fbfb7bcbc2447dc403a83f9f60aaf52539bf57c540261259eddb24f113eb82dbbf9c68d304c49536310e7139ab90e922fc729a642c1920405

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
628KB

MD5
78c1d5588d20fe81de859f18073140e6

SHA1
a1f0c4255357a3f37a921d9d6d9c4e5a43a5617c

SHA256
9d91605536f535007363e9d5b96f1d602e90cad40abe1cc221c2e69d79c018ca

SHA512
d0428daf4f47ace8d3a40456a6f3987c6b5d9419a28a551831c2b0fea5e984d86300f83ad1f47a27a5b469414e9505d227934b15a30bbb484801980340e99616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
722KB

MD5
0ffcd99ca6f60ee3ba35df2dddc2da60

SHA1
78b4ec83c33e905bfcbc5a71d2e1bf2d30f64738

SHA256
54ca3d91d1ac8f6e059297cda581d2162b18ec612d087e4bd5f2a8aa3b50383b

SHA512
a178b3a16fdadb8df83ee9b9fa9b3dfedde7f1bbca11449d345b95ba0384614c6421357378b88c6e25cf0674c9cb04d2002ad30f3e5758194aa327c5efc084cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
485KB

MD5
7e38d2afb67f0c0d48674e1ed1f62e4d

SHA1
dc4d107afce7c695465dfdd565d1c87d655a6a4d

SHA256
6b8290bd695e60ede017c068bdada31c0fb279869be87f50719e1728f7785a30

SHA512
9f64b047fa97b84b8b2ea786ca5df45dac2179a54e8955b5f5553e376b0791c44c94c27d2adbc3e432b9e22f2c8a270833e887f95fae8312647b8d7cd488cb04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
463KB

MD5
548a5678c0d386e1da54a2b94f3464f1

SHA1
dea541607c58935c1a67b24fa47c5bfbb844413b

SHA256
205c782ece93ab7b350406172fff00a7d69d19f99a4c05844d5d87532b816990

SHA512
052c2155182148a3be0ced11f1fab0d236bc8a16516f87951c47e976c86c939f1d3dced3e1ddb50c1fc154976401c40ce842aec9e1fd8ff1362439878c4fc7cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
466KB

MD5
70520133e206bda18ab18017db7c8847

SHA1
d7a9f590315b3415cbe995e73454ab216b7957ef

SHA256
4677fc74027b6eeba54c0844a536ca1d4de39b83128c986431be0373b46ee24d

SHA512
ca9686fd03a7a7e4bf69eab464b84d1babf5252665e961bf63438c2062cbc1393d57b577eeec1453e547b2d70e12c41cc148c8874ffd7ba8780a6de64f07a7ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
462KB

MD5
8a353663f9ce61eed8a3964c9c53ec46

SHA1
461ecaa5d0319e88333884a59d75dfb21122b23b

SHA256
6862838df22e9b1baf3017894b60fc87797a9a105ff1472d980b204f2cca0e13

SHA512
bc11e132f520a30a72443529baa766388579b9059aaf7eb8cbafcf778eb85aab9218a327a129ae0b1e1d87eb88f24a25f39dda1a5a1e238fbd4cb6ff4bf6c5e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
485KB

MD5
314159863dcb2f9d135965fa03fecc3e

SHA1
d088d4701fbef2a80867d27b279e1d64765cfe6d

SHA256
9a5ad41db293d07e33fae0c5ad8dfa7b3c9881aa673120878d6a8fe1228ade01

SHA512
f2679d699785b721b68ab3ea23cfe9c895aacfefeabb2e2f9e8b865a8f54aeae87d82ff4c944f0a0390ec4caf964c1ce0a251f8f3ced73ccd28c359b86941c10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
463KB

MD5
230e3d0e068a93f96cf9b3aa5d757f22

SHA1
57a5c67114cf14673ded2b255a4c9b5f336a21a0

SHA256
a1f28d0e6db51fb0a06e92d5859885bdd68bd63fe1acb0acc92f53f88d7e6c36

SHA512
6a079ced934dbf24aceb52c6447fd96ad5d840884476017f0c9d206397659157e1ae215906a98a8e80904edacd479bcc62f7438ed4bd4d58048c83875a265809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
541KB

MD5
f9689ab1cf0a0a4f0f7f2e98c85cc9d5

SHA1
cd01de58b2ae232b8cb3e38fbd0741c220db4c5b

SHA256
f08f32a7734ac4f1ff754b36a1f239b66688229d6b006df094f96b749f430744

SHA512
2ecd704862f70a806fa3fab57426c90b0e9473ff18d5f00491b14193b1726210efe158bbeda20a46a078d0079d24cbf2b45f3f5ee069afd7113a38f7cdb4ed0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
576KB

MD5
ebe5b4a54a2d500f362b0322ed54d012

SHA1
eb3e23f28126fcb8ff94063da5684a62c01468bc

SHA256
be2b1c9dcb841c63fcb9c31e7039f95fb4d9c674193b7453b6d68ba83286ed9e

SHA512
499160fbc3d1d8850c1f19ff0a0ec31ce9bc5c3aa21fb63566d9e8d6736d7c705cd4f48d773656e3a0e31bc2584c50751b867b2eecfdcd353ee96b6fa43d4a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
613KB

MD5
f7a7b9e6b202f7a6bf000e3f03f86113

SHA1
ab6cd2e2b5f7deddcc020b5ee9cfa54f6fb77a48

SHA256
07f74dca3ca70431e1e0b03ca5230ef521050bc0996f7de72acaf31ebea2fa19

SHA512
145eea48528efd6fb0a0f44f2fcf45e5813ede1b2f0d60088d08df04d42fd6aad77cb32dc590ae90c8425ba0b6f61c2cd637ebdebc196acb0b6e134d543b71ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
444KB

MD5
8504d7299925eba70e45093b3c1ee62a

SHA1
271d9fee008c2222054d160d6f7655822fd969e1

SHA256
608216b86904c2df8561092840bb24e1a98e12b238a7ef98b9f62617d6094cfd

SHA512
f301841338866e5ebff5229c81bc00583bb3bfad09dee3d76a0f9c00460ea8e00e5a0d1fc842a10174b59c1c9753e2d3a7cee0a31028d451d29fb240123edf13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
478KB

MD5
7644abf1dce8bdc2f9434711640bc64d

SHA1
51f4b497cd0ec86931b69b022afe44a52b11fa05

SHA256
097de14361e099247734de084782c3fbb02f3a3e8c9f1f5a2ebc451a3ae0d282

SHA512
4961336f25be85d6dd353c66c51e61c8b6343eb7108c4f21c4ce604dae276e3b0848a87feee04d399a5ffab1f365e7fb20fbb97e559c4d7950b8de90c81cde61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
428KB

MD5
64e42bdf67412bd088d05a2d1de7bd0b

SHA1
22840fefd830eccd453b46d70fd6d9e2d0f3f315

SHA256
4652ced25d08e1ddf97704bac03d517ca4bc0032c3df44aa727d6e6f032763c2

SHA512
129df67a541f4c102a1c21afab584254073b729298e1ed0fa188a48dce82672d401bb89fd1703049b7f5af6d50bc094d29a8e1140d32a1e4a41fbad1a13e55e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
456KB

MD5
4f9c0b8bce51badce744de6743f0e2f4

SHA1
89ed4964e5d35b55d99902ff1b21c027f8b65092

SHA256
af62d418ada47b1b07e523b5ea421a2ef329b44855dc4212a7d49fe9e6635ef2

SHA512
06b1723f57e56717ba39896facda8ac12a18535d2f9cf5987b934a00ba8b7f8b71e4df876d04afbe61c582614fa38153eba05b9c626465501f6d2e55e9dbfd19

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
169KB

MD5
96491c80448d771df7f269bb0ddb430d

SHA1
5c6c00d4e5155138258fd44b3c7da1cd89795e6b

SHA256
3472bc373ff77c66ea3bea4a0f577f4ce1cea35db0d4b3701c4e3b9dced65cd1

SHA512
ab9a8c48bf1a2d057b872437307bf6f6908c3b03cfb29cdde756c815a763657ac745c4e04772bc3cf422a5c5d04ca67dab3ae974d9d7dec1f1972503fa3df1cf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
684KB

MD5
8ff03704c4e96262a0e72bbf8596e5cf

SHA1
bccf90ccd56c1d2358565f344ff83c712ca525c6

SHA256
592cf5c9e6537a0a5611933b007812d7acd477cea5a63e5cfce61b73b5fd06a3

SHA512
26325183e2da30914c87d311ffe1cb725d34ab9dc1ed46db1b34761c28dcc203d48db79a875201e20449b4fcc4d2e9a3cb896db5088df835a6607788aa134998

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
183KB

MD5
c6efa6d308ee2a77495f155f13f2be9d

SHA1
34d63817fff53d8655fb10abf872926db5bd849b

SHA256
bf54609b346ac45dd32f66c9c99cab64cfa666e93c31e7b9f1fbbaf182fe3bc7

SHA512
db7c4d64e8e315b33d7c46af3fa0083b128dfa7a47154b8c8890f4c3594a951ec99cb63efb485aae2ec25a737d48795b6d126ff8967d83bdc2d5ae31898e4461

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
269KB

MD5
f7c042b603826eabe9d090b6b4422566

SHA1
371c896814a71b11541a012482b4e90787e517a3

SHA256
57c95d4e99c8a51ff4294d0dcaaba86f02997b534ec88296184dcd03acc28fb3

SHA512
486d055bdacdcc7ac440f89d363c0c2fa124d26213bbe6e884ed695af62df86890a524e8e8455c774a2f4166caffa55588b2460a075b75e1b7754fb94ddccf83

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
7dac727fdfb032340b7d804753b79955

SHA1
e49f59e3fb8883f6e389b2a4ca6505505a7642c5

SHA256
e298a528d8fdb16eda4bd2ffc62f19eb843a9a862ce3413ea830e3b31127752c

SHA512
69e8edc95c4a216ed01f2d9f8c0259c87a73570bb2b15568198d9f32d74c4d32da6a4807f747f719f6afff0a9f2aae2dccd661e31df3b4368696bcd3b7fed901

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
852224cf845bc6cba28131f4b84e0c66

SHA1
1ca55832bf9fc48a454701870bdec6418e3a107b

SHA256
2b4180318deadb59bb3facf69221c4991a88ea3f63de0c8fabbf28b006aa9cd1

SHA512
0e14bf607aa021e7ae00f2cd41716c07509279253b420d0ee6019852e4f4a329811d378fce2a6de59c2fb1f77ffe691e1cf48c7b099b19a690e5cc2c86da44a7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
207KB

MD5
9230038da6ac7f8c73e48dcfae9c60da

SHA1
c8a3a1739a459ad33a12c91cecb99ad10a1f325e

SHA256
670f47b806e045343b96c4ae1205d2b01c9fea3267c7aa5ca2327fd0166190dc

SHA512
59665a23d4d9241409c586fa138e86d421be4d29247f7976827d857e72c024fcdf6e6866d17235cec44ffe2f6f298a0d03c64af357b439a2e97f76a87c1a7b1b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
368KB

MD5
e7f2c12bb7f2efc08c29c5896adac228

SHA1
1a1f9a0a0ca86140a5673b53bcf71a551e8f52a8

SHA256
a988be87f65d7808aaa2013becb5f7fb5679270af41f0ba705ccae07d9293535

SHA512
13b974078d1425bf3e4ec3c65e224afd9a8e388a7fda816c15fa71255f006e7a0392bf4bda6be7a1f4acf28cf288c0e24769bce5bd61e61ec0bf504ac924960a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
417KB

MD5
79037a1c368fc2d69bc3a7088634ea18

SHA1
6f7d7e1877cb4d2fbd6ed53084631aab163b634e

SHA256
e123f436096fb2d76ea0c838f1d40ecdad6f4324b233a1133db2339b910d8647

SHA512
08c525c400be6b2ed2650a4a9e306289a6487db549bbd9761dcc7c62a7b67514c96abea4d72d4beb231221da37839ff5b98f7e2ca0b38cb4d769c3265f459458

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
713KB

MD5
c65c21441d9c512f596d8b9d41965a45

SHA1
e1d78422d2de39e88210f800f9db6d9828803781

SHA256
59c9e39704205f13c1d5be0a969c4ccfd965fccf04354a47700f9aeda265a6de

SHA512
5d7cc4ce87061281c3d44e08736872f3eaef8d8f655cbe5b587c35544802158dccd889e12786beed677816e08c9a8c61792cfa11f22feb205a6796492e0a94fe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
252KB

MD5
e50dd52daeb83a82f9e85830a3a3ae94

SHA1
47e4fe03a69c5e7dbac15de346bd88c986a79053

SHA256
ef6923b3e798106de48075fb77ffc3c5f4cadea81a9dea894d4edd189c5a1b2e

SHA512
a341ae5cb1ce3580696ae1ec98dbfe2851b0ee5be3b31b3e90e5e0891d5bb94ea64223d0558df5d3c878773586e92664039e984dc81481eae216c3dec8873d09

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
134KB

MD5
acc64ca04419b08616bd62b554e2eb40

SHA1
151d8f046046bede269fe5623b864b59fb20a648

SHA256
819d099fb86614b1bb87cdc3f1856364a3def99338da82c5b975ae54337711d4

SHA512
e1439e7bc55d8af208f8f6eac57ffdda918aa132ef4e4bb2b3edaf51188442b87f568dcf918d95ff7c6ee68e92fbb6fe9a71a1a14424283075c1e867147fc9fb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.7MB

MD5
143356c10d353b2f9dc941db9ddd669d

SHA1
c7b3e88f84f067ced233177233ad91f41ed84b1c

SHA256
b65bb79d6f03faaf46ba8ee674b23460860c2b8db873ac1769e85ea76e1feb50

SHA512
e57ae4678022c17b391da338d0e96ef627edfb99a2cab11f9817e6b1b5e1a632a00914bd6dfe85d72f401b21ad4d6d448705953d27b16760c777320ec50e71ad

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
550KB

MD5
ebad16f0ecc4fdee6b970faa9671ee72

SHA1
ded541f96388d0550c0abe222f099dfd38cb5441

SHA256
6b532174129d841589d36692d3e46e2ec236092fdbd4c0369f819d61138046d4

SHA512
4072e453b5f24b36bd37ffa4421d4be7b78c4ea849ae737cd1ab677c8e4806d282c425c027b335d41b1b180cc45704c264fb7307f393570e70c35bf3bbabefcc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
235KB

MD5
17250eff3ebc40d36040165de50f1778

SHA1
615521d9db03b19c9d1b720d05ca878c8703bce3

SHA256
a176d12546d07bb27d8d7fb9de94410a0373d4c3f5548fe017c339840847406f

SHA512
9605531784b85e2ecf82eb6931fdc5fa33bcd0c2e98310d4ce8e5e890048534d0386a3d13523e3e50837dda75998918a7cec38e7bf51fe0b1205b6aa7b0a1ce9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
62KB

MD5
559e33d772538885f7a886afd4a67a8e

SHA1
252ba16d5c8198440fea51613836ceb6a7daf597

SHA256
96286806acd3f893e90b961a42765dac0412f5e4d4a6b4516790dd3e2822fbbf

SHA512
d5f231229a36c37b142e7561f2fe5df623014cbaebe6b1c7ec7430dc9fe1c9a91ba19d17d044357f4bfcb106973f8f77dcce986aeeccac065710357f78be7a71

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
88536960b5543542e9ad48865fb9289c

SHA1
e1fc54db13f5ae30db0bba096f73f76444b431fc

SHA256
3766ea91c26d13eeb45ff3679da31550a44cbdd6a5c2bd5e8ea540e7d4cddd68

SHA512
da0b16e2dd2605b8a66e5d016411b921f78cd96d75ae09bfe22afbbed78301e084addc3009e77206df29a72cf7056b765946fc8bdfeff9acc65ce805ca77f2d3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
195KB

MD5
d26aa5a806225bb848fd6b74452ec005

SHA1
88eed3a76c9586e9982b08af454b3a63756d0bd1

SHA256
38349df20d8c2e480d3f6671c0e9b85f3729a2541cf2a0c0e741336aaa79e555

SHA512
15fcce6bb3210f680bab8b3ff77a2cbe2ed9ae81d32dfe73e1bcff8487d36470da3ddd77f30f03b654ba40fc54442610244f0a662d8d42ada5e3bacab35f6c4c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
447KB

MD5
e347614aff9eccd386b6f85fe23ff6e6

SHA1
47adb4973b9f91702183d9d9d7ae7b975a255e73

SHA256
8dd1227947f3e71217c9b00c7986224e37727f16f503881d050bda222d15819c

SHA512
a9221827e0a37c0642f89508432c1ff3c2210e08f08c866ab1238688130e713004d3e9af856b8b59450c20dce1b473696dd5923a4f51f8f14f044f9da04aa39c

Download Submit
C:\Windows\System32\vds.exe

Filesize
192KB

MD5
2575ccdd1874b844ba34077279dca49e

SHA1
2ee3ed9733811e426ab8d9582a0fff6aa192ea3e

SHA256
c4fe02935551cc306024b69dccbd567a5717f570594c16bb84f0f707c15cda5f

SHA512
b338e1d8adfd7755e83c4106b3939c17b3ed356be232a4607da1ec034f72fde5fc3d8e44568abd3b64ac0ae0dc7c107591b1bb5ba18f6d1101fdf66ad09a3800

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
341KB

MD5
e0e14fe7a6c1d7752776457bad535de5

SHA1
a4e466da9e2085ba345bca988f2e857431908e21

SHA256
90a05fb0ceef1a49cc96a1f60a1e04c7b64513ce487e74a305670d22cfd4da57

SHA512
fc968e743ade10c34f985c51d236a35227fd591d2a3baf9f200e075e37b2f2c19bf4f259546fbacd45edb49dda5518a4d713c3ad34ce0eeaaa974c3e08208af7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
103KB

MD5
b03d8597e0ee8bb8e8abd46da1316b76

SHA1
df79899bdfa361d00c9b9332a76e88e7d6de9acc

SHA256
fb0fd6f06cb90b3a815fef46df94004e23cde80e6ac6ce3d0d6bc1abe8af5598

SHA512
3ee8e412b2e34534faea5fafe051a0a7dd8614e08d65c12b1c6a54f52e8886a4cc03f5781a09587518503b065d92365085fe8645cbdcc0ac3b40c8b09dc4cb3e

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
78KB

MD5
e5d499963aa878041147316689b2f420

SHA1
88c840f6a9c874a3cd3fb691b627c4bd1eb0e0ec

SHA256
65cd00aac114f77e1fd805a2453ac5af8777e6cef886b36db4f23fd499998e01

SHA512
edb41ebb68ecb1e49a3a262b1e7a86ce1e31659a2a443d24d43c79bb11397a640ed6a864ea14b6f649db038efed00709457b13eeb2ba346d4958f06e3f36d90e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
175KB

MD5
6e0a9a6023523c19212d3d4062e2dcfd

SHA1
a2c26697cce75e23e9d630bec7d7858fdc25075a

SHA256
8490e3c2f76165e9442c3e8f11142f8c4807461632a940db48f5d768f59c2d99

SHA512
17de64282c58b5e471aba0d7ea4ec1997b56208d5fe6a6130c27db36dfcd899b1b4542a9f865ce7c03b2711fc238123454cc6d1b760f65a92897fe8e5b7cb3cb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
87KB

MD5
483e6d0b8bd3502cc0c15c9e2e3e027e

SHA1
b2de12a2a2196197c471a50848b354bd6bae9aee

SHA256
ea550546d2e49ef508c63aefb571ed5488caf8869ced1cc7b9989963262ae067

SHA512
ac835d4b2086953bb12a1431a1407230a0a2eadfc4bfee29615922d4bbf3272ea1ff9c949dc96368991fe14b9e1828a3d1e88b947e4e1d55a7db967fa6808c69

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
207KB

MD5
c55eba49f7561d096ffd74ef00682330

SHA1
f36d5478dad39b981d241b8795f83ecb88a77d40

SHA256
6bd3b98aa2cd40f9623c94a1548b0d9ae2156be97832606ae9cb86570dcd64b5

SHA512
afa86fbcd15639a3ca6738a9f60906059a443b06130705520ee86a351378e6df9ccaa53cdcdd3a01393125161b43d9ed15d928b44e52a01d6cf47ce4b9b7103d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
164KB

MD5
506df186ac3ac76c53878b0d3ad470de

SHA1
b082262b27d9c044896e2494f31572238675e9f4

SHA256
3d910e4e1470c536204a073bceefa279ffd620c71a4db7183bcd52f34cd2a6f5

SHA512
ada0a68df4897aa3841784ae8d8bb3c1bc7577519e4585d94fd72015f1fee70582fb8e407a66616b308ce457da242caea50d4c7408e2e71d9d36d3b677e1c042

Download Submit
C:\odt\office2016setup.exe

Filesize
101KB

MD5
a9f40ba8634379f544d08d77fb48f2bf

SHA1
13eb8624861a04c7515a6959958c722ac39e8913

SHA256
d6f4f41013bde47b5ad2a95be5426fdb8e4f956c7ad9c808558f84bc7d8f097d

SHA512
d53aeb6a90e7dad033db4d820ab547ad7dc2f1869778d076e031f9f12ea35c011efcb6561a4c4db7eaf2536fd6bb4908f2268a9843b12cf99f8f632055b26ea6

Download Submit
memory/436-373-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/436-365-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/656-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/656-347-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1144-211-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1144-268-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1144-206-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1456-258-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1456-264-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1456-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1640-321-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1640-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1908-161-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1908-171-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1908-165-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1908-227-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1952-101-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1952-95-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1952-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1952-102-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1952-162-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1964-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1964-87-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1964-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1964-88-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1964-144-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2436-283-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2436-351-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2436-291-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2564-304-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2564-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2564-309-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2564-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3008-216-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3008-224-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3008-281-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3040-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3040-179-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-241-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3184-230-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-237-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3184-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3500-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3500-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3500-140-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3500-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3564-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3564-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3564-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3564-127-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3636-153-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3636-159-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3636-147-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3636-145-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3636-156-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3972-334-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3972-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4032-311-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4032-251-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4032-243-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4172-360-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/4172-353-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4412-338-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4412-278-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4412-270-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4436-193-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4436-200-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4436-254-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4908-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4908-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4908-464-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4908-7-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/4908-6-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/4908-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/5116-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-116-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5116-113-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5116-107-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5116-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download