a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
Size

1.8MB
MD5

4287631bfa5b26545193f44368a4819a
SHA1

00767fe82a7d66e2ad1551d8152e863345a28be6
SHA256

a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f
SHA512

8817e2eb8f7add0e9d23e48369cd0b8642756af2972738ddf3275fa7b099857110d557aba9e9bb037223a3cecdfc5f8131c6d1df96f36b8efcf7f61b8390e71e
SSDEEP

49152:ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAAiLlBUKubZrX+ld:uvbjVkjjCAzJniBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3800	alg.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
1784	fxssvc.exe
4880	elevation_service.exe
924	elevation_service.exe
4488	maintenanceservice.exe
3760	msdtc.exe
3712	OSE.EXE
5048	PerceptionSimulationService.exe
4424	perfhost.exe
4064	locator.exe
1580	SensorDataService.exe
3624	snmptrap.exe
2004	spectrum.exe
1524	ssh-agent.exe
5012	TieringEngineService.exe
4620	AgentService.exe
3576	vds.exe
3908	vssvc.exe
2804	wbengine.exe
3320	WmiApSrv.exe
4544	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ce664ac46f975ab.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\locator.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\System32\vds.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_pt-PT.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_ar.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\psuser_64.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_ko.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_ml.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_zh-CN.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_kn.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_no.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_am.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\psuser.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\GoogleUpdateSetup.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_fil.dll	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005010931a277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022447214277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7d2b61a277ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8074d1b277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e94a531c277ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005648cc1a277ada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3520	a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
Token: SeAuditPrivilege	1784	fxssvc.exe
Token: SeRestorePrivilege	5012	TieringEngineService.exe
Token: SeManageVolumePrivilege	5012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4620	AgentService.exe
Token: SeBackupPrivilege	3908	vssvc.exe
Token: SeRestorePrivilege	3908	vssvc.exe
Token: SeAuditPrivilege	3908	vssvc.exe
Token: SeBackupPrivilege	2804	wbengine.exe
Token: SeRestorePrivilege	2804	wbengine.exe
Token: SeSecurityPrivilege	2804	wbengine.exe
Token: 33	4544	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4544	SearchIndexer.exe
Token: SeDebugPrivilege	3800	alg.exe
Token: SeDebugPrivilege	3800	alg.exe
Token: SeDebugPrivilege	3800	alg.exe
Token: SeDebugPrivilege	3976	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 5488	4544	SearchIndexer.exe	118
PID 4544 wrote to memory of 5488	4544	SearchIndexer.exe	118
PID 4544 wrote to memory of 5556	4544	SearchIndexer.exe	119
PID 4544 wrote to memory of 5556	4544	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe
"C:\Users\Admin\AppData\Local\Temp\a08a224f65147a9e653a5ce7ed16110d224997573c503867e4991f4c0b95756f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5488
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
478KB

MD5
b9e050323b36c1dc43bdbb805e313d36

SHA1
b111b7d07844bda501717537543ff3630aefa010

SHA256
4c2ee3efe0e83129013501fb9c0397c2177df051b45bfcfbba86a4c11799f8e0

SHA512
e4e1b67120564b532e43a7f5256e1a1f70d4941b3f932d368c7a6aa31db8b5e5a14901d529faba3f9534729f15201d4e5575b0141aa6fe3331144d49f34dd818

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
420KB

MD5
f4e3fcbe5043b139bab86063d67af411

SHA1
50597fa071edb48bb13d76e41b61399e6ccc27a3

SHA256
5e0d42903eeaae9b6adce6d494586f52c2c5ec1d2b58a15a0c7aa96c639546fa

SHA512
824abf42bbb1d38c5a49790a2b096780f2b96244d60ec9afa6e70e1d575d197ba1dad4f70397e450afccf5c8463a4a02c6a5fc307dd325c188b514d3f05baf24

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
232KB

MD5
b707a9848b1a3c6eb95dcaf587ab23e3

SHA1
a50670a14c8de87e66e6f79ab86988252d403ed0

SHA256
9f459771d79eb099b9579aa3d1c2fadab785dc57c23436ee4bc022bd12d3c2e0

SHA512
c51171b3b0650147b7f53b5f654fabe49ad14a82a8a208edd8bea5ec6203adc0ddea21f8f355fa1e4666bca7ce61f442b3c6ff50c809baab9bfa04dd3b27f84f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
206KB

MD5
913d4c8f84387466488e17cf8a522343

SHA1
5e851711682162ce4b31316b23b45fc125d4ecc9

SHA256
8ba6b7fb6667cbc3dc85d4c0acde509bbe80ed3c4705d1c5db9f7251d468ab27

SHA512
c06a05ec877f995a35f8d04c6636393958ba6977202384d9de1d005fb78aa6eee93d6724ee52b6336f8fa44a8354b1c79a0e54b370a4f107f99fd4ab05d6601d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
50KB

MD5
317d6cdf8402601e256f79a419d1c4a3

SHA1
4f36a677b0e2818d8bdf2e448f23a794a30b13c8

SHA256
885a97d4f807241e75915b5392bd08c5f043a20eff5c60d326e1a569b22a55bb

SHA512
714faf2872ec0a999e4762332ba6cf0f1886b6e2ba5c0164316b2d17f0bacb5ecc5fda69da9e565909fad8b8f5ded1f658b2ff3d95865e0e526730a6222c8056

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
116KB

MD5
f3456b71d72b26adad20ddc8bf106a13

SHA1
7ee9d8a234d64152b3616c16831cd27a01d7e1fd

SHA256
d021c500630ee89c2f9df6517122277935c2f667559dae6cccdf13f682272d85

SHA512
4f9bbcc92f172c68c4440ffe54fe79aba929cfec085bd2cef81a77915aecaab8c53a6d2883d7937a50f6d80e3af9ec53e1321c8cb1d3b3d076ce75b31dcf7796

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
299KB

MD5
0a0ff024d71517b596fe5ffba307a5dc

SHA1
90931457e61f3fad2a6a78c7a586c2e4a67cfc07

SHA256
d725926df05e03dd8373f66d689ef53561f3d238973d6328d4de414843974542

SHA512
f54d6d14b00092e854a9282112be14ca955fe5ec13db1dcb129c29bcb7ef10c9f7e881cc19b948940419f517ad074fabff57151da1a779a96cbb301f0d76385b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
200KB

MD5
2d381f07712b6d4024992fa1cd5f0e49

SHA1
bc279239effb8de43cb660b26ea4cdd1088fcaeb

SHA256
9f45a1d82f90a9407a220e79104befae59308d51f7d71b9c18dfee6b6fffefc0

SHA512
c6c346360f1e025f5e44eb8a13955f0e5373c8542e2ceb351f52b16a661fb6b666db943efc40fe044d0131e6013a05a992575aa6c09f24dea65650baebef0bac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
175KB

MD5
7f11d86e5779a8181a0e0e47aa11eab0

SHA1
1dfcb608192bb7e571c6abf8824a4dbb64846c9d

SHA256
bb4230da576cb2c4853fae9732b15dfd91a0eee2103baee2c8112120814c968d

SHA512
7612538e673a9c451df052d1edea9b6e18bda08379b4698916830fa06c0936679b5664ae0b623e87d01cdcb56f30a8c2fe2197d072f621c21230f8fc7923b961

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
115KB

MD5
2c5ea9750fa4227296ca55af1e6c2280

SHA1
ac7becf29658153f0199a8c58f0387c282ff7ce5

SHA256
47bc006937739b33665530f9a0903fa99857dbb79c71d8094ab4bf3d8d9b91bb

SHA512
7a219672f89d8d3ef7ffb595a27273056f861fef196550136105da6beed0f2e6c1310ca565f4ce17546cded2c0b0ab977c457028260e3b07708736b47ab3ad24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
380KB

MD5
3407a2567ad76cf767ab695ceb62bc91

SHA1
f7271dd61f90b90192646f1d54c96984b480b4aa

SHA256
3f43b2b54771a9d4362c53c617658e59b2dcf83dc38d1df90ff1016004543323

SHA512
7b674beedb8d7c1d85ba6b14a7b54ef2f0f8db553708a738fce7d6da8c8e0b712b39e667b266c466a2a0dc8118f5cb6a368d03837d477387af972aa5f953835b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
226KB

MD5
c3066e686e22ae6fe5123f8ea1e8f28b

SHA1
6f6a7a2532251a8f30afe8c5a5f5edcc71c07647

SHA256
58e85a7dc393c41320c45ef751005e70dc4db42e1d7284feb97f6e5127703968

SHA512
d0881d3385d2f50d6562eb2c0e547be563301a6adc7faac9d1dc887e8c67fbb0b04cfc206afa795f52a2c844ba65d0e953616681dfb45ef663ea0475ff156aa8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
155KB

MD5
7cc9c413df493d89838a8198f0b2c511

SHA1
33999a0babdd9bc2671bb5669b8f653edc8338d8

SHA256
30a63c16f87b6c0906ae49ad90f1da6c39a64038cfc9cef02149b5516ab47af9

SHA512
1c1d529cbb01c926e0cdc65d080a96c0668eeecfc2f511c3a9f3f41f7c5e6ac89c6bda8029e23b09e5485c46312b712a161b57091f8261f9dc7c3b15b37e4ea2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
263KB

MD5
40ae70047c6a28284ddbd618c7058fe4

SHA1
ba3b4b7e78334d2d5c996c6858c47578cf9bc321

SHA256
c13a62694f50241585ffb57ef4578874b66e3a8cfc089bfbf1f9a75cfef17752

SHA512
fef3fb162d3e9955b8dd21ef9bbdde3d7ba5be8961221684e2c88e473ee8bdb6b4ef38a116e87497a798338d26ac771d7d69851b71889a7f102dabc2d4e18aa3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
157KB

MD5
2bec3ddb54946d395f95e3dda4a85e33

SHA1
49515fd0c7df6aacd2e113ae6324bb4418576bfb

SHA256
32bc1448374213f240aeffb8fde73df9ed7da9c99d48f27da9599ee1925992a1

SHA512
2f115315bd9810397c3791c68348c4018462749872647bb1c96c33cade73f1ada6a8b46f403cd70b522a6fd1925f39f6b9ccd2c64ad2403f766b9dbe17a1638b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
52KB

MD5
517fb353701dae1ca10155462f901383

SHA1
95a78f6c22eacc8964a2a0c75bb74823d12a93e8

SHA256
cd36ba9e6263a8dc52a218e192def8b6716e1d43b168d1038f1aac26973f5fe9

SHA512
5160905f2e43f1bf26c2e771e7513709967e5c7e0628710cf917c4cf90a9d1ed9199bb9938b9c2356ff7021ec0df8af07d91b31d0bf834db95c45556b39a61cb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7055fba049ed1a4aab7f169a4837cbb0

SHA1
b5b1f1552dbad0f8a9e7eb55f093c4d4e7888279

SHA256
3ced5d9989c924c6cabd05d54e26ec8468ffe68fb9a1fb1d17b9d9f1f96278cf

SHA512
4834480ffcc53a6301bc69b3fbd18e46660db69d4c512767e5db5bc03fb4c92277f528332569629b1901468a6e4c80d10621dc4010ae88dd0cddabde7fe12472

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
541KB

MD5
1737abb6434e49b5192982f6d2d5a8a0

SHA1
dc173a0f53d56313096c1b2ed6e85f0f2dc6c1c2

SHA256
c3c7f532fff89308f10614b85244089d26f8f84c749092940b0c61eba5056099

SHA512
e6915318a5705a09ab2ce623665d40122d03bd17762fb68999d7bac5ad13c3bcd3c0ad0e1c9c80e44b7aca026ea9ec8fe50b8f331e93188269a19ab96cd9e731

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.1MB

MD5
454b48c07aeef4aca0205cf065f6f580

SHA1
71d3a27d8cd1f4be0b30f4a41d4aa78fbf4caffb

SHA256
7c88b780715adef8244420abb9f94a1b4886bde41e6a9fb1e43f888577e469a8

SHA512
d34728db65deb76c5fc171ee215dab742c45b35c6025ab5f6bc6da44ccc631801ca47ce454696f0821d523fffcca8e0f55a7548acbf8780d5e335fd1002e9277

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
540a461b8d202e1db9ddf019fd1c5377

SHA1
dd1e251467136cb17592688fc6e99381bfc6ec1a

SHA256
fe6b1fcf635f4a089f2294da321bcfad373c96d03cd8b1c1d3c6cf0374ef2790

SHA512
bb62459a5a4f5836c21ccf73b02cccc48a6d5b301830e646810d10b58fbd921283b010dd3ed9393682db587fde825c6dd685269599da34f096eaab18d4a33a15

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9b2948f2f713cccc273185fc96139340

SHA1
b3fc74e2dd61c9b9b9f4c878768bc981f2a7fbf8

SHA256
ad2df211186b9def140c9f7fddc3f0f85671756ed8710a79104e80c4cc95ddef

SHA512
3892a2a6db8eed680d61cc16bc8e25761e290bf7731b0206bfc2652034720402ff9f1bf7466137ad2ab9e83912dc973bbd96367cf27a6274f87cd97ae02ba9dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a9618b527302a16ac42682607cbda350

SHA1
84f5c07b2dd8c3135a21d6c412a77a9a0f25499c

SHA256
0e09ff286fb7a44e188d394d58e2a61084eda9c0f6e93882b24454ceaa0551c3

SHA512
f1a4d3d788b1ecfc9d3a45c48bde3bf04cc1eab2f6ee16cd2c26ae263d8657bdb4f72b380cff3ae388e86bdaa5c7177d3f52cb12c2a3ed628bb86a4bac20c6a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b66d9a814a130e28f37eaf87c28f214e

SHA1
4466dd0e5725f281d13ce9d73fe6217fd7b28a92

SHA256
0f4f1f65e1ddb638ef4ed6655ee24215d1441e7173097a14526a63f6bdc35420

SHA512
b112b30a6c2cf197ee75711083d9dea8044c651c4bd8436a6c78fdbdaee9251527b96b3ad584a6038b9fea4b554b46eeb1a838e0ac939cac864edf6345938b48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e32b26c8a6c617b768ac652a6f26e79a

SHA1
b3316528ff98f583e27a5d97e8752be602a22a07

SHA256
3620feb7ba06cc80c24fc30e5eedc03e2c60bc2e9a5df6699557e64dcc3e6567

SHA512
b5824e47f2116385cf6e996a6024f1a3b7ebb49fe2d3c02d6be74dbb74a43719c1d2a6086fa40519c5b09bb3e5ad87219bef3dc4c1ecf0ee928c9dc8bc0ca925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ff1e7175d1521a856bddbdbef8577e35

SHA1
f31002d45c64be58e6ca0e7eb39433730e1467d9

SHA256
86a2c6a1d5cb7a346de3d41c1caa88bbd0ab0fc5f860ca45a74c0844cd7b16ed

SHA512
38fb0a05b0eade3d9e67f7026817b91e78e0f943d6fb5c62c542fb5b9a883352e519c60ab0d9882f10a3c0d29a9e7a0afc469ba17f5aba2275ef269d6bec89cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
02fb4afa98b9bc18dd69c5384927e130

SHA1
85804673d0f1acf5f4627f4bbf6bdb903a97d989

SHA256
770d00e2c4d2d93ee829467afd4c7f43af74afd291c99e1dc30a7480d1106bea

SHA512
864a54c5765dcee339e7813c2a140c7f3fe45859a767e96e8119e0a033736fdf4bcd242e28adbeb2f9f4c491e5a51d6239c83923893a82b3a4108ed2820e81a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
50KB

MD5
5395e0ad5deeac5698be63ba15c9321e

SHA1
8c40e0260b05fd523bbaca771f5fddf032b6fd81

SHA256
8694f258c7948f05cb4a92a83c45157b8f75c67c24eb087ab3aa5887e80e1938

SHA512
50f09ce4b79aa732ca05bae9abe1022db73611f25e603fa4578c6e61bc51020a2b743e5f06726c4d0f06a5a6bf34c7c139d30757fde0f34190c536315fa02ce3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
84a3144792d9509b5e646dd8dd496fcc

SHA1
c5267de81620a045fa0679ae0a8e13c44556e0e0

SHA256
74565e21d873ad1b251e96fb99617aa94358b5acbd1299d60759c62ddb6addef

SHA512
0cd0bc54f785075a45bf0a249a7a682879f26b8cb123c1bd8fb9eeded118f8d8e575d41a883d7d875f1d95c48004e94537d80d7da18aef855bb6a929480742d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3f7d01afe18bb5d24e745573708e9be5

SHA1
7980ce70cfcf00053c4d33286cfd1025c1753186

SHA256
cc96f5f6e1c92096c6b501358adc152a8fda2841a74a6932d83dbdbcbfe969e0

SHA512
f8ca1af570c9efef3a5057e8b31708bfcb3c2d3f6236426b9cc7991dee8907e1748481aea293c11f038611acf60949f165fa7fa0a3f4e46b4cfc7ec761de1e64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d249a3904a9fd199e9da8d06d615e331

SHA1
01a474cf5b97df32f4059eebcfb3057d64fa6a3b

SHA256
914634066ac16cd9e80ff6265c858e90b2831464d2d308dd1ceac3e14a5fff39

SHA512
f48e8d74aaffaf97326a47ec6bfc63d24ce1b6e9cebfe68fe0722e804692c914fea1a4e209dcb0c95e59da278581b987eb307153cb196ead6adf4988f235767e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
56f7076ebaa5066794a956e84ad7939a

SHA1
69ed48ae026409d7b1dfdd6ff175d72641265076

SHA256
db8be70744ffc58a01cdef20af35c38a10c8bc8537396e4af99c99d46a913c40

SHA512
64d89a5c75f47af2b0e1c1622d2bde6e26ec275c130967eac667ffce1c5bfa40b4f039bc8018b4f3a595f16261a1a641e47eb17ce0d9e6a53d473374e1bef01b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1472d1c0875f3aadf6a070485357e0d3

SHA1
b21580a9943cfab9b202166edf81b31ee7cbb958

SHA256
296c198b841ebf21a471414426e3a12d97f87de3d0706f68efe4120b74750062

SHA512
a00fdf46f986e8a19cc4036bcec48d1442cff33a3270d0238647e22ebadaa490076d37242d4f6f925cd273f89656e593c02a06dfdc45944bfe53bf15278284cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
14ffaac6f5540ac436834dec38039626

SHA1
6a3965ca97b7e7b9e77048580e217500f2436e56

SHA256
ce526de30ff4ee22ecb591c6376f2e506371948fbe906d171935184a7e40be71

SHA512
48cc6e5c433c8dc8a413ea161468824f2c300bc616922642bd57076b04485be06fcff80de6aa258797bf6786a21b66205b46856a3ba6a81b869070e8c581f674

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
5KB

MD5
08da7a2f43d180bf9064d452c2ac1877

SHA1
fdb88d4b1f00f9118e6b9507e1f3be8473b605bb

SHA256
e804ff5d2f75411b1a2340c1e755dc8ae8ce8d612e402652b90c2b87606909b5

SHA512
1ef66844a0279a7e6ae35f7f288f1f7bd873caab1510b00dcef690ba960a36c730229c2fa8c6af919826344b7e7c6363a3e50a0866cd68589dc343ad816f1196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
65KB

MD5
41415d6daf0aff48bfb7dd0e78dd7b49

SHA1
c5ccde47264531c1f2c8662bb31c55c48db4417d

SHA256
3f192d4412ea8c0633eac6a484ac2afcb9b60245fa888654e682bc79b6b6fbe5

SHA512
e8313b434fefa6223ed8790e9ce3e815ff2799c0054a5629cf680f9e6aa08d041c12b8a2d17c4d6e73d042e44caf6280a9f05bc981d188bed3766e14be8c128a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
52KB

MD5
cde88fe72b6ee78d285c5b056b828ecb

SHA1
64d79a0651f4260791e004753aa72f1a8a0f203d

SHA256
b727c1e1e5e85624c3c2bc5d1b72c6fd92310b866cdb70916600b91eed67b9c7

SHA512
3fea3f6b1a31910709e5ff92a495ce69f46fd6f4cd851bbf354f6596b23483f0e03bdd4af44c0edf1722cf1a34149cdcd3b6da0c7760e998ebbdec21ebffdc87

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
292KB

MD5
aefb1e316631c4fd25aac2d4c30cef4d

SHA1
8e6546bb849130692d1a7b3cd1f41c029878291f

SHA256
cb7eb6e8aa63436b6e8a6467bbb36a99944fdec87cc1c6527ee61633cab1f6ae

SHA512
0a174744718f7c2be004430dd0f47774fcc58272ae1fe4b3e9b9b0b20eda81cafdc8dc97338e385a400b7cffcb988ce94fb2da9e175f331e02bcaa7aa7a42379

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
767KB

MD5
99c44d26df5ba4cd3717ae7c3329ff65

SHA1
1f24429fec7e6e1ef6c36d66fe1a324f6f351677

SHA256
af1cb69989338b3baaba1f3079fe1e807cd5d841841b75589262b3bd07519bfb

SHA512
00e43bf707899086d30f0ec7ab47769cb1426205a7e026142734c7b37e8db0958a11e90806f03c6542f5a6962f435f9c55708b71c1aef401e439da23d0abcbb8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
192KB

MD5
da0733d241f1d7c3ca6b32ebea1de0e0

SHA1
b362626149640c720007d50b8dc2f0ade7bcd0b9

SHA256
095f252b4ad247eae82136db775e421c7c396574e489b4d562012f16ae6fa7e0

SHA512
cd32355bd28386d88f25ce670dadfc44bd365b529935cea8b840560764bd1f7c6d401bbe1c0e6cfda717a1792080b61042928239eb032c5b0894de758a4537fb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1KB

MD5
91ab183345de1b2a7f54c37c96f20754

SHA1
29e801f07161ac9303b754ec668324f528403ef6

SHA256
a6a57891bb2726cff166daf88f4df6c8dd4177daf9c41eab9b40a4bb0348a966

SHA512
320ca9d003837ab37e9be8188d4b0d58db2d367b8ba25ed0d549f663e74f712ff5ed36fdd61da9e7ac39ebe8e834f15d204c110e9e373cf259f3f748c013036b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
896KB

MD5
21c3805468e561c545f5c4214031eae3

SHA1
98732a40084c1c07eff17d13591be19935dc4146

SHA256
3901ea45008c6761a52065b051dd1f7be06e203be032d70fd034bbb7671951fd

SHA512
8fe7eb6ba8c4ea18568c04da0a5361ce02bb7d8e97c89e966a4ad62550ffee9350513fa7eae0a44ba3ee1614c490cfacf9a101f8cd9cc54158c6ca0ff91fa705

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b98d8b35542740d10155e765d4da90e

SHA1
023167e8273e3e879bb4c3b5cb04c89835082a01

SHA256
d120a5b6e0cdeb2b3284842458897b891ee911646d76a45db1e8c895a10446a1

SHA512
06c5de844a1641e036afddb846298d599362f96058d2b22aeb7f538440790938db7b5f718107c0fb7497b054b7495edc99121215a9e1709849d2f6ffe300eb61

Download Submit
C:\Windows\System32\Locator.exe

Filesize
61KB

MD5
772817a0006315ee79bb5a31dbf48d05

SHA1
31d027c87fb73f0ae4baf3f19f884fac72c56897

SHA256
4cdf128be7b44ec7537f7d9581ac747482f359deaf1f790556e5233cd7546adb

SHA512
76a58243b80d63d7c47fa410ce638d6906441e746733993efa2ffb6c25b41e9ee8ddd4dc918be579eec4c3afafd17ea05c995673fb75a0a002ecfeb7818a0b1f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
197KB

MD5
c91e8ee60f911f537a2d3829a19d34f2

SHA1
1ac077402b180331f23304297a8df2ec692b60e5

SHA256
bcee2eaf556595b8e85e26e4aa51fb096c721c4ef204128e9758fbcda71b6ed7

SHA512
4ba69377e232bd152f958de7d40e7f6f066c86b5e7ddeccc92d636b2e2793d6d28906fefb01af07895d8295a0cbb8f7b22051c001585e559a967b976b4fd8be7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
178KB

MD5
5a631c6e4afc1cd9173a3ee09ebc3203

SHA1
3231a073cafccb5321e96563a9c7d78240e79298

SHA256
8c4318572a2eb84dc26aa6a6876eb7b39c602870ecb251c499887ce2e68d51e7

SHA512
0651459697c7e7caccb7c700c53725f6f2be847c52f1eff0b778579f79ffb9ed62bd351bfd861ec4aa5aa0e2f993857da955292931e0319694b9b4ad1a7f1a4b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
194KB

MD5
7c95c096668e00886fd9f50cb6a39a13

SHA1
b201dba9007962549a7d8a08f54e0969e2d7cb45

SHA256
42e5734086521b1724eccafef769786fe6b4abfc315de7c752b678f3bd62fdf3

SHA512
3b32a89fdb187d4c0dbc190d6235dbdc88683cd64e5587c1d5047e468f9450390b438101a22dd4ffbb88a523f5de3b2ad25ecfa13442adf2de9460f16c141887

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
77KB

MD5
4b39aa3d04fc964d0a5eb0327d5c0453

SHA1
c535a12b6ec5caf92063a6ad558c063b30799a8c

SHA256
bc8b1ff9b771ea4b772da05e946df3b5a2a5f600ee473906e07f63eac6d42326

SHA512
8a767b8b176b8541562a58569938a0af7fc0577f762114a721544255ad141ffb2c23869c0347b6f3fcf648eb4137de5232608e9724695214a8c083ac7b226949

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
570KB

MD5
95eac415a2ce0cd08aee0ddb876ad6c9

SHA1
628c1fb0a0ff9dceb5381aa870e1c4f93650fd37

SHA256
8a18cb14165291a830aaf5a73963a1f9ee514191492eb2fd8414c2d33a3b8e9a

SHA512
a92bd2f479873e9aa8f641db4be19515f87660458e6db2b7949bce9da17409339e2225cb75e8daa5716facbded61a60da6375d81da42cc3c96deb4d1732f7c60

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
71cdfc63e323ef461950b310d95905fa

SHA1
f5368092975f48b8713aa3ea9d8d6aadbd57e1ec

SHA256
82faedaa02c588f5e737a3937776d323f9e72422f41ee0cc678590d67d5dcf56

SHA512
89ed82d84e793f6a93286361b6bf9fdccf1921e46561dbc0d7f3264bd81f528a3bd179562946ced47bd068e88168d0c3b57b9398ecb265061257009f1b0834de

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
172KB

MD5
9f5318c5b101176bd4b58bafdc2e46b8

SHA1
766efbe8ec61907471aef1d2611ed2cdaf3f9fe2

SHA256
315e76e61c418fe69ea2e86182ad16e2244a901155e4786a52ac14ede967ab86

SHA512
41d14f94c4b54f91d053da87ada0f71398aebb974fe9affe1b5cace8442f81a2942539b44a5e31adda0ddf5d4685d1314fc00e21b82819bcb23e83c5bfb4dfc4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
67KB

MD5
fee73cf6b939d6c13539421c414e2ca0

SHA1
dd9185512a0ca249e6b8e98ac34a617af9d45230

SHA256
57e6737aecf0d3c5007ad5874dcdd5c32e38a57f9ce104be243198308ec413b1

SHA512
47a42252b7e49f37cc32f8d7f9fb7bb19211cc4342206ed0373d79137052e4ecb923330a93c78bd3ec4a2278a0256aac8c89f4fbdaa17f3a05595eae9c63e0aa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
361KB

MD5
58a004d9f31d7280dcda8452b3900d8c

SHA1
9aa47fdb7ae83d540b6480501297a6ffb3360dee

SHA256
a9b210674ce241ec29ef60b98771ad264cda1d6314e074f37145ba45feabe715

SHA512
3817e546404cd311be31dc3bdd6e2766caf23398cda2ed3d89e18d6218d367d310d883f65bc1e305dff6967bcb8293e591a89078b94dece4cd9b2e07ecced7cd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c65bed6673a3eb51416c0d40a84c6a78

SHA1
8c9023ba6cb1fa77844e4a0439d10cbf4402ee10

SHA256
00e5c23f15a16e548072a6ec67cdf6ac1bfb9d0d69e24b99ebc1849d8fc6baef

SHA512
6e73103b907f941cfe298488f655c977026d4d3c3b19a19f8da9173e3a5cf0688e81b19bbac3ea2e2cfdc0b35aa2393e9713c14e976064df169005362277e424

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
490KB

MD5
0e16ecfae226f7f25f75a8bd3658ab07

SHA1
2706c6faac5d0a920736033a15f34ecefc0bed41

SHA256
3e36f55b800629c92a110171d334219a958424be420fb6d3e51c285e6eb51974

SHA512
e1bb6941c4311a518ee8d5c210a636694064a070353b0060b5f71deeaf6294e088d689be38f7449b80ab890c1cfc1d4a555e35dce51d4bd9b6e566059986253e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
281KB

MD5
533889ef426ad3032bb56744d8f79b17

SHA1
4d25a3fad28d594c595de4ce6b52bf9ca3361d5d

SHA256
b67060ba6442195870e3dca0c0f6431a8b1f6d30fe17165f7a432cb93b1ff6e6

SHA512
aac9557b7883a5851579de9151ccddf2f7398274fab10a4d00a79d414f4bb027f8bc57191f4b49dda9675c369ce43b9f785a7f996905f9fd0a52485aa3c08513

Download Submit
C:\Windows\System32\vds.exe

Filesize
501KB

MD5
2fe98c95e933a838e1e8fd3396a47146

SHA1
83b7417bbe8ebc68bc3cfcc7ef806b1b1ce53a3a

SHA256
26941d58f7054efc21805e95edab1e4e05474e263f65d13281cf5e05078b73a5

SHA512
0f36ef829c401eb3ead0519507c986eebf9b7bea71b2bd9e85f4933e10c27432e979041e5199e8a62d344dbebbbd33c290aa745a4877ba72fedfdf30d555a065

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
73KB

MD5
f38b4ba6aab4f7e03250359612102a5f

SHA1
8ef11eeaa237970727c3510768ebbc51c16e592f

SHA256
bd97424be07ab938e495cab55c957a7b974b2aaf71557aa3eb5f5e989b03d266

SHA512
a29448d2c7403da3fb137b9a8d746303520440a1fee48cbe0ff75151bc220d8061cbf94f8a9944e0c98f9dd862386f7d177a229bcbd95f6f0a1b300aff4b502c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
217KB

MD5
a4c269cf9dae769587e38b696d051188

SHA1
5aedb9a30041b9566922a0de3ecc9f4831a78806

SHA256
5627d6b65f11fdb3da0283b3f5dea701656f7c817d01e9ef11fe0e9e18e955b2

SHA512
13171ad3e9beb41beb7e51d2a405af7290610880a38577ef64a8c73eed27c354a41fc0280f6b60f0a9fc27797dbe913f5a80e6d97beb9fa625a644a8a84dbbf7

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
265KB

MD5
23b99b7a9fd352f49441bc55b5314505

SHA1
d1a7410114de38ca759464265b4027eb213c2194

SHA256
74f152516df8b11ef51d53dbb4d435ba4b150833b8162375625a7a3f9ba3eb31

SHA512
9e2d9d8125d5a5d89cbaaa23772f76e78c358684e7c5431bed4817e384aa880102fa360d51eb171b4813f027aef70a43f96d6059a233647fbee647c6cf03b0fa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
175KB

MD5
86dab72e994082c3002509c86835017c

SHA1
eb8ce66909bf61e1670e6749eeef4ed4038514d2

SHA256
a1b9c0667ddc0b24f45ba955d3e3e89657559ccdc82da3db3411656419c4a86e

SHA512
cd2fa0d67b6fa2b9977a80a1d5edd43ca20d11eaa4705e35dea8ffe08ea59499ec60a0c0c6ea792638e4a093b18fadb345d3d69a36c2568e9b77c04a90b45f85

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
149KB

MD5
175ebe6e1f0c5a4b6574bac40d61e9cf

SHA1
df58daaf4bf924a8ba4c0747173f9f21e0b43ac0

SHA256
8f028c8784318ffe1e402abece6af77b70e4b5b29c6054f62443cfd07ca70106

SHA512
f1f35b6eef7aa2d43813baf4c641ff0a5ac87167cad645628152401b4a43562a63b1da59f35c6de72a46fece0e094866cdc92f9814a15cb9d63b7acaef3902eb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
187KB

MD5
94425dca39f86b6e4973af1ee7886671

SHA1
a6ec884d0183a247be0e1903357534e84300ec75

SHA256
58936c2637c6fb87edd23fda54c6a94f7d690b27c11903fc59a370872cd7df82

SHA512
e8cbb77d128e2273c3044ffccb33e6e263e652182c8573189e470dabf82f819e2fd0546dfd85e5455a4b881a69086fb98712401d68a12672ac5511abcd9cc6c6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
219KB

MD5
0a59221e1b2b126bd07066f2a9d000ff

SHA1
709486636439c055a229447e5fc622aed0f0cb39

SHA256
4155d1de8e762197017ef591d23c79bdc53a2d9b2058979c6e1ea00646b2409f

SHA512
d96e185f524ca748e507a02803cfeed47c6745824d22fcb1de0803bc2916251279fb065f885799c76cc7d66aae9a1e25b9c69a5943ca3ef516823d33169436a7

Download Submit
C:\odt\office2016setup.exe

Filesize
144KB

MD5
ac668a59dd49926257899c3a69aec1e2

SHA1
29633886ddaeda7e901f0cb6665e6eb6f870d490

SHA256
a1da5ebe7add3ab3ee51675eddc66eef1a80bcf653b1946c14e2a544cda86fb1

SHA512
cfcecf4a51debc0f81fbe358cec41b300c99ff5796566a4f2d9249622c2ce3ee4cf4a1a7d09b5b5bb33889a90169103862d259234cd61713b402d5150691a2c9

Download Submit
memory/924-140-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/924-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/924-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/924-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1524-328-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1524-261-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1524-268-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1580-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1580-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1580-228-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1580-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1784-113-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1784-116-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1784-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1784-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1784-106-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2004-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2004-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2004-255-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2804-337-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2804-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3320-343-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3320-350-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3520-485-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3520-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3520-1-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/3520-132-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3520-7-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/3520-6-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/3576-311-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3576-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3576-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3624-233-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3624-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3624-301-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3712-241-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3712-186-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3712-178-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3760-161-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3760-227-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3760-170-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3760-162-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3800-145-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3800-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3800-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3800-88-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3908-323-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3908-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3976-101-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3976-95-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3976-160-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3976-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4064-271-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4064-207-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4064-215-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4424-204-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4488-147-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4488-158-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4488-144-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4488-155-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4488-152-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4544-355-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4544-364-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4620-293-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4620-299-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4620-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4620-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4880-128-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4880-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4880-120-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4880-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5012-280-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/5012-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5012-341-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5012-348-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/5048-254-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5048-192-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5048-198-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download