6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
Size

1.8MB
MD5

8c3b856ef1bc41d1509f96e8ddb01595
SHA1

63c8f8d43183d8d3f72e03a459e243e1ecdfcaeb
SHA256

6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb
SHA512

5e307efe55595a94d5bce8148edfc7dcc5621fb2e4b0230108ea5c2ca1f1fd8d2dfb5feb69b71f876e56f40b4e4b988ffed0da74f5373c753d24cc9f8bb91adb
SSDEEP

49152:Jx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAo9dOq18F5/oN6M50:JvbjVkjjCAzJn9y55M50

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4728	alg.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3064	fxssvc.exe
3052	elevation_service.exe
4464	elevation_service.exe
1492	maintenanceservice.exe
1084	msdtc.exe
3508	OSE.EXE
1560	PerceptionSimulationService.exe
2136	perfhost.exe
1568	locator.exe
3756	SensorDataService.exe
4692	snmptrap.exe
1400	spectrum.exe
528	ssh-agent.exe
2064	TieringEngineService.exe
772	AgentService.exe
4656	vds.exe
2620	vssvc.exe
232	wbengine.exe
464	WmiApSrv.exe
4368	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\locator.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\System32\vds.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52c1971d46f975ab.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ru.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_cs.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_gu.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_hr.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ml.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\GoogleUpdateSetup.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ca.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_lv.dll	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045656734988ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b13b634988ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf9da034988ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c3b9e34988ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024b55634988ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056ac1035988ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbef5134988ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3052	elevation_service.exe
3052	elevation_service.exe
3052	elevation_service.exe
3052	elevation_service.exe
3052	elevation_service.exe
3052	elevation_service.exe
3052	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	916	6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
Token: SeAuditPrivilege	3064	fxssvc.exe
Token: SeRestorePrivilege	2064	TieringEngineService.exe
Token: SeManageVolumePrivilege	2064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	772	AgentService.exe
Token: SeBackupPrivilege	2620	vssvc.exe
Token: SeRestorePrivilege	2620	vssvc.exe
Token: SeAuditPrivilege	2620	vssvc.exe
Token: SeBackupPrivilege	232	wbengine.exe
Token: SeRestorePrivilege	232	wbengine.exe
Token: SeSecurityPrivilege	232	wbengine.exe
Token: 33	4368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4368	SearchIndexer.exe
Token: SeDebugPrivilege	3044	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3052	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1220	4368	SearchIndexer.exe	113
PID 4368 wrote to memory of 1220	4368	SearchIndexer.exe	113
PID 4368 wrote to memory of 3640	4368	SearchIndexer.exe	114
PID 4368 wrote to memory of 3640	4368	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe
"C:\Users\Admin\AppData\Local\Temp\6b35489e4584a32175b759b613eda6bea9fb79c8e5b9272f588cc4bb9f41fdbb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1220
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
112e9579f65eb94ec4792da182c4efec

SHA1
5c331165c0670796d78f4f41c326a1a7d4182268

SHA256
eac97adc601e7bf23cf9f6551b339393ad0ade43385cbf63b46d892177f7908a

SHA512
3c4bbcc4ad548e67327fabe9547d661016dd9490d384c43d5d5d5622609e919214c6bcd4698eb10ab7cfd8c158d9efa079987d444d49c408bccdf86a717d1d8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
451196f2a9eec58a3fd916021cafe11d

SHA1
9f6aef7cd976c4cd9327aa52e820642fc9a80b84

SHA256
826c2edd079c2eda6f252d8e872ec979851d8c95cede852b60db99e38709468f

SHA512
eb25349ab6aadcf07cfb93663316a9edf03126d6aac8487442d4ddfa52ab54ed283fec04c669287f80e123499a1d94a9d6a13484bcbf45cec03981703531967b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
6372fa3bff705314d5aeb48e0a60ba62

SHA1
95ac1d62f6224657623b4eed73ee509481fe4c45

SHA256
f079fb88f55d1320d4b2ebd50440df326bc6405c2dfaa475eaa3dd498da31935

SHA512
2aeac41b6f975abefaa6cbe4da63db84485bb546315cae07985995a854a59d75cd7d8c1cedd0ae5ef7efa5628ebeb9f556017cf2f7998091129a99303dac665e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6f4f7e026a2f894b80122461636b7b6c

SHA1
43474a5fc5bb3010abd00a7547b211012e441ef5

SHA256
e261e8e03c37a5f433fa7cd1e4dc2ac0a4651d9a0ad334e0b896667f00a77826

SHA512
997419b2f397f1c274b9a531527ef234a4b10abd70106579b876f04c73a2afa16bdb34f7e7e09b6b1d3317c31eb5a346e308d1786067e314460a6534d78d4e81

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
11593343d9b50362d1f432ea780e5c8c

SHA1
05c6ce1d5d06974fa3cfe2a75c973b308c82e4b0

SHA256
a2e91d1add5def029dfb8024d7b3df166278ec9c4561d6681c0d55cd540200e8

SHA512
3ef5a2da9d6f63013f5df6d8cd46432a7e98c6d93241458878022d0c44d3b677c72112fae8130626db9fb2070755aecf96bcd885a77584ba3afc73d145323031

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
fba71ad22ffc5f43f390a2c3ef66fae0

SHA1
e8602ef9b8d89053e416d644aa28dd353c9e4a14

SHA256
62a96ffc5ac08321630bddab42678dc00b627c60e18868bc12d4db1229562819

SHA512
654c1c4212f0d1f70aa8afeb293bd89f532d0ddccb7a026cda46737a0f423b6d688b83edd87101292cbce7f5a85852ff52f025d5f3641d8b5a578de571a2106b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2baa552beaec32c4279178ba9c7d0cbb

SHA1
88f17a3b8242f9bbc7e04dd1f953962f6feb9af0

SHA256
115e2ee9ffa6221e6ee43a8fe603ea0c739748ecf152d776eee5f2b8ec1357c3

SHA512
6485ed155cc1a08e160060a8a217160030778c82a023b1835be83a99b17a8664185339affe0bbb96b22a0783b38ac460d746d96d7613d35d69bd212086e93101

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee9c825e338f8b28404161632dbfb99b

SHA1
2e327415cc77201e228a86c190b8dc6e6ed2a954

SHA256
691f41295cff693d160222e451f3a3f9ba9ef5adb4a0642f52f2fbbcee509a1c

SHA512
bd7c51507a3459e48d11fda9a8e924d1ad566584f5c395fa83639b44ceb7368ba0c14ccdb2147f859292d9d31ad5e0efa25a6ae93c75fa20c951362fbfd7f635

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
22004bfd7e29d2735586cd505832d77b

SHA1
24cc57e5d79e2d07e79422911155a03f89c6ddca

SHA256
6a8f48ed8a3f974f869e81de53599ed86ee0327980d4aef7dc085f28df3eaeda

SHA512
3140af699f535f484cb8acae9f27cbf27fbbed6f0bc52e3202bf3d691264617adbcd2094f6fa65b44e42e984eee8bf2ae45e03f85c02e9ecd8183e3cb5ff2c35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e412f2893362af7257098a654743552c

SHA1
b8d9879f1e057fc86daa53e0dfaa7b2d9739d579

SHA256
e7b2cb9979d19a7509149e4a3bf7b919c8310dd3522ce066a284c3a316fd5d94

SHA512
4c6d7d74bfba2b5066d0b85b7131be6a5bd65eb2e86e717280ab8bbd9b7f20d26ce0e3be1f8285d5420387b45b615205bd7deac6616afd5b09ece100f87f45ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2e15ed8a6b34ccc38490d4fe29bde0c8

SHA1
cc57737ec937e4f8555b703b0b1a520826d996fb

SHA256
e57f42ab549937ecb5ed62bb7f0e883cb99874a7c419ea3b89e4336bd130d334

SHA512
b2e897cbe36b45f7df8d330649650807b5456da59ae2aa8fd431892b5780d558058846868549df9c2f047b156b8a902c24409af7fd921f7beab7ca3bf7720875

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
723e4e82c5a6a3990e4b1494d38f80fe

SHA1
c15b767fbc78d83e83e464e0f8f83d963e9af53a

SHA256
3fdffb2c7225c17b0d4515ab26ef6c2cffc7836628264ee543115c2787c28f0f

SHA512
5ea8028785a53c9f5204696b468303cc0c53fb7886dea183d1bab93f6d87ee170ef0c9dcd6620ce2a2bdf30ef4c5435a16c11726f62f079ecdec577c0ff1af8b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
cc84a53cd20d6152cd76be870b8689ae

SHA1
a5d9312c3c4a13e0a1e2c589f26ddd534491d914

SHA256
330982800a07613269ecc3602be52091dfad706f69212f6cf25d4ffaaa2eb891

SHA512
31d484b780286270d8f7eea09f0d3dbbc83ea28b8f859cc8093fa2a3f6da8b5f55f32f83ee18223496011f1503295ede1ef02176ac49bd7a1f66771b680c6303

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8fd430f42913a7cad7cab6a2ed38a6fa

SHA1
00bed4a3e1a6d68108416314bc617f4782684cf8

SHA256
b0c7ee89666d48c26dcb8ab97da5da4df55b529fade2a888f315b193d6455a5f

SHA512
8c0b60bf8bc6c90f7243d1d9fcf2c2094fdb364d5fe956a20419587b7e62f222daa3d3aa28892f11eba6f0abff91a4713a279ec8b3023f711244232e91a2a0a3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
1b7f7c4e008c0d3170cda894868011bc

SHA1
f0cfdbef103d1398b7bbce2dbbd1a71c7510f787

SHA256
8b368179579468e57e8ac4f7eb411078d442a565a64df6f8b5fac1c594a80bb1

SHA512
2468a47b584d60f1b15c9a434d0b126ed58ccc77ed86a19b6cd91883473095db2cc779b4441fff1c9b999d0e780f62120da134d9f23914deffd462f60837eecd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6d85056cc95c7a818476c61d269ce340

SHA1
4f15e9fc5aba856a1348e045dea38bb7b5e8e72d

SHA256
9c5fc4382cd41889cd793eeda83f7231b737a7be3ba2a77db852c7044479650e

SHA512
58dec37a1c75c2eb513ec0687bd1f326706d2733b3f8244e18fa8a09e2707619de2dca37a2de15ad694da4bbce565c0d1bbff28281f64e160e6a189673c06b71

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2727e0be45aeabec5281b640690a7888

SHA1
1d1df2b0a56ab09c9f484ed6c043cc7b8abac5d6

SHA256
d348df6490a56a9ddab1ce861d5ee93782ce74bc7df6449785fc5a7b7df11a6e

SHA512
f5a7db3d1c9cafde0060b0477e7316500e02dbb51b24139f6518c9795ea8a91b50c53a0c4824a61775add306e1b0c576d47d2b0906f489059efed2ab42453cd9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6e6b58e9aaaef2541967cfa623e092a5

SHA1
041dd1ec8d694f8716f945763183b03c3fce1e4c

SHA256
d1349c69d8c77c25fcfa22f1933d64fd1b03c08736cb34c8b3fefe415ee0a45a

SHA512
d5f0842441163682dc2a77133c0bd66ede0c39ce64958c7de2716b4ea80b35fde7626d9b4bb9ddcc065ff4c22998443dfc38c788d9cb619a86fe9e425b7d810f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
573f07d7a2dc4a9e89121d1f50eef549

SHA1
511c5215816ad111d07b766b24bc9886ebb044f9

SHA256
b867a9e8d8c46ec3d8c99d501adb328a0a86d4b1064dc93d35fb6bea58b82916

SHA512
18cb464e4675f2c9eae5c89b64741a345a623c82eeab9f1844828cef16cac6856d619d9f1631778d2d2cc3fede2eeadac8135715529bdfb5c98a8b610542fc9c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ccc4f2278c009b9972fa84af139380e7

SHA1
63370a33bb27d171f513b76f41320d4d83f754aa

SHA256
1e22ff628d6bb06a1f23158f6cd7f697ef6267321522cbab7637ab729d11521a

SHA512
6a9181bfb0e99cc36312c4373fd023874284b5be130dbd87a3b8687a7d2bfb876e9218af5557c6bb7bec106dab85f88e340650ea60e5f5a1a4d2c7eec05a7d24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
26e708a705426b8a5b54cf879ea00e59

SHA1
261d22d244b55d7a27ac7fe85d82eb37a882b3c8

SHA256
2f4c687848497834ff8557e7b811f79b60f82925469453a67a51a5159cbfc4af

SHA512
4cb5a51c81b1abbcafc0d8283a2919288b3067a38a3225cae975934a9146c9b2d533914d4805b50384f417e25f0df05c2fa928c5406d55455d6dc4c6c1987ee4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
8405fb019efeee3aaa8b189e18f927e5

SHA1
a9295e924cc175b85d819e7c2d2991008ac9a4bd

SHA256
480df5e788a0a9a86382e99466a687761602920caacd7f4e2d67fadd339fdb37

SHA512
4d3c4d1b59068b9aad2021be5d9dc7921ebcf984c2b78bb2f44e93aaab9d65ae2f049de22b985ced28bbcad8cd616fff283b0d3ba7296bbf58dc44c33a04301d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
a1fab01130defd181df4fbad2ba3d26c

SHA1
b272f58c62712b753f56ac539409d6b5e2fd57fb

SHA256
af7f5b70e60f75b4dc0f457d79ff4fab045dc2eda5949f8e300facde1c55efd3

SHA512
9e4338d3bfa45b5b26ace5cfe6c4082d786502ab1f76fd9f13d6323c3674f2ae106f0167c5648da9560a78ba3027509d3c2525a0fcd5893100c15b6e1484c2b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
969a1ea1500f20bc324ab6fb8cd113bf

SHA1
69e0c060559ff845224f3ad98126e7f590b95783

SHA256
6437633fa4a4948256fe7b23a96dac1227cd70cd62fbdd50be8b0d64f009ecfb

SHA512
ed311efb1aaf2173effa66a019689900d550015689d77933a4da32b762ee16038c40b164e3f1ef5507cefe19b0939cc418c495d69ba9c9d5c7d8b66cdfc615a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
2c05001c41452a0fe5485a62632f7bcf

SHA1
d5ee531b83041750d777ecb3e22a166a4e58d8c2

SHA256
ecf4def549a298657d3407babc06611aeb402b372911a6ffeb6ced36f10a8e85

SHA512
e661cffa354673c1797b0a22983644637238f51d867ea4d90e5eb41787c250e29689c5ffcb5c909fb326f16b13e436a6cb1db2d39c7d5da67d7943666797bae4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
059c99de0de7df20f1db543abb8e6593

SHA1
e5161b4f6381e7cde4cadcaec2881b7dc6368f74

SHA256
a2b7d2090d8211094d7db169f5699c32aaed4e0ba99797b2ce11f2b53db60906

SHA512
4e883a176ee7afd9061a60a62755bf3b9686e7e47e1aa7b550987ed0340dd1c3cc1f8dd1e0ad785e04d5a7c93fde0d85b48fa3530ac2777bd5d29eb8446aa892

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
9a19210e3342e125d6f4ffeb4cd78409

SHA1
0fbb7628d57ad10f45496ea2f0e1f5f5dfd1777d

SHA256
250ddb4ff5d2e7cae331d7e85a388e832630b405c442ff10b65f4a1cebcf965d

SHA512
0ad664c59f9fd82d3dfb44e57c44286bce49f3da63004ca1cbc803163fc917c44f65f0471e1c93567d0ce90c15211d07fbe6e217162ec67c0cf8687099468446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
87f9fb0819f66255e0ca3d8b1dc7d46b

SHA1
5031aff5f920588fe0ecd753f0ae5b0b2e65b0a1

SHA256
149ef594ec9b8fa4e5b92b6c49101fa784d7c6841939affc3542ebb3d215a0aa

SHA512
c6cfcaae9b08ad3ac76210adb8b70aeda9fb929921bfe1b480e47417ec02b4ffb8ee081964cf3719cdee0f50abfd35ebdbfd39dc1f59d90258176dd71c5b8a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
90745ca74b42be1fb0bed34bead733ff

SHA1
25a01cf2621a04db7eecc67d626059f7131706b1

SHA256
daaa0e5d96240c5a8b127be5eda6ab2519ea0879bf7c8ecc3fc8d762a9730195

SHA512
6fd59676fd2ca7c28fbe34ef0463241dcd918685b55e2dbca1db2d33b3921961bb29cb26fad12fddc8d66dc2ec99a69b632a374b950b6b5edda58c0170725902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
050e2501d453d9cc9072c74303ff7763

SHA1
d9e0209959dc02e2ce38519503f75f9f6d329a48

SHA256
6e4c0fedfe0fc5701ba30861de68a323e1837f6e6b56fc073dc396f1c2b5552c

SHA512
99b4cc939ddd2eac7e558134ebe85f7e2173b41ae31792f864235e98ab94662ae74a5646b2bf4f35fd8148cb19768dd249131190d486592bffcd406bea5837e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
1062f42ecf5cd896c7276f63bd76e6a9

SHA1
a4eaef21137aabcc052bbe16f0c626918cfea9c5

SHA256
78c6074b25e4a32b31b2a109fbfe438795c91b5dbafe223adf79f6a544a6873d

SHA512
a2ae2ceb7d04c47669eccfbdb48f7879858c7340f3ce5560f0f7f19eb7ecfc0bca1d2c4db0a11f2aa529ceb23e324eb15ad9b06ec311ae799de396b737be319d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
9b3ef9d592f7f466fb5ded0aa59194b3

SHA1
d71ac4d3f0365edf6c76a1d14f24303076f880bc

SHA256
ccd03116535477904bd6ca5d1afcde50962d1b6234139b08a5d46338386cd520

SHA512
5642af88ea15b87e3698e1f9c854fd9f485889d5350322f0dc53a5cd5d88880b45ce50164916fc1c005ea49f5b7ed6646331488e21eaa68791d4bc438a223c59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
3dc16bf6f1696f2f6eecaa75fb054b04

SHA1
592e7da1dadb056d38491d08d27b15a324326719

SHA256
ca31d720618914e6d33ef318b41788661eadfcc89653826a6e4be8208bac4a19

SHA512
9cbd95b24184987ec4e9e44afbd8d75d763a3d210c0d4dae33a343a2e09ca8135af7b9ac7d64605614df664c2743baf040ef8dce7f00475983fafc82fbe84c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
f74c619d40bb87c4b12ef8b274257a0a

SHA1
9e8a990c77ab1f9791dba2cb20797d7dfa6c5872

SHA256
a46e0b66b662530ee00ca56c07c76f18c7758909de4e6367ac06514c771b918e

SHA512
e72962f6a96996e1c0538b70d7e0bb2f934c647792ac71e8a02bd477c57db88852a74a61a5ca7ef433082b014de4289f1d79efbb091b4c12999ce329b8c9da49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d7ce9e76e5e1b8f1295af24518c8e84b

SHA1
d26bac150890a5427395ee379454cc9caf9a3720

SHA256
5dcea4dac0b14825ec386eb8892be84886abbcb13204dd09f8ba02eed4e646b3

SHA512
0bc5326e19c9d60113ce38ef3eadb5b863e79ed5a41a9307cb0121cb8d7f84663d957a217efb5af1310d89865d4ff0f74d1d60e90be9372dab8ed36e465696e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
8bcbac76dcbfad6ac37583e536d83a6a

SHA1
31a5910cd79d4e9a308d9073aeb402a9189b538a

SHA256
dfd6e3d1a7aadd6c59dba2dcad653b0f3ddaeac0156a95572cf57e56f0ec431e

SHA512
f0a752452964feb3fac3a0666c5c79697ebd0a34ecbd639737d1d1256232c5b8de10dd66a3417013a0031809fdfc0e47d2078c6ee78c0e9e8e9ffcf564689e53

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2e18d88d4072a2ad704b9f21395eca51

SHA1
180db04178aa8dbdc59eb903c15c6e7340ba5a9b

SHA256
199e08cf5028cf36617ad12d498b338ebd54a4465c33b2961c6f15750f97b201

SHA512
ace756dc2a3891be982229c42140274e4b0bc6343f2675b175ee5b38d8c9e2e4cf2b3b74acc65207a2d6ba53d7eb8511f11202337a4d4a4b3750c20f19cccfbe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
0f62b244d66d48b47237e70eee94729b

SHA1
d3223d7ca50f4954131a6c54a668205a9d5f400f

SHA256
8cdeb3811139898dc5afa548d6ece812b83f971ccbe05bce0a3f3d99ac0aad44

SHA512
57af8264cd3ddb0bd3b4a398089233e997af761e23b48cdcc6e5562881392ed43da4282679e16b82191e0c2643a8a9ffa669cd0810e1fa904a2b21a4972c267a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
3109c04955eb26fd89c177f9f1e4cdce

SHA1
c30e9424f7dfd3f9a1b1c77872416f03a137e69c

SHA256
9d5bffa16420e60296397fb2c1924bf953c6c93ef3b1d9893b76a94be8e0b9a6

SHA512
9204c6071f8f17c238d5765a42bba871ff24144e65273682899fc8bec35d46bef700ccef87ed35553b03ebd398cf60108d43cec8e417202b1631ce31fc79c8fe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
520f4d649512851fe52ee39616f24b44

SHA1
e09981deb10936983a5d44600ab7f98b53881097

SHA256
be24db50ad6fec8114cc38e9cf67bbfb49d86d019c0e55fa3496d201e50d6176

SHA512
67cd30df10333cd19e94d33f0b3f9f7a82ffb89ce5cd6b2ff8ba75c7492a3dcc657a493463fa113c15a096ddef46881950653a1d0d898e5891e22498bc22cead

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
5c10e99ff93bc7e7c24f2c683baa4a7e

SHA1
d3ccfa94236ee397b6efab13fd4e947f7f9eb98e

SHA256
f576706a2e164709d7bb54faef93b6b9e8743297dc5cffc9824d4815c554c7cd

SHA512
395737951e1edfca13d60fb1293d438a43ff4bcf5c84b0bb0162bd8ffd1297e49e424bb5d7e9f98fb7a459e0e18b3c1b6585ca1d31a941b0e482321d5a8a6f4c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
71b526748504fcc3db1f003fc8fc02b0

SHA1
acb78820f15501a38d679a5273077a80eec3b276

SHA256
63692512701c557aa1f13edfea32da8214d4fe21894a5b745b13a136828e21cb

SHA512
3a86d67c49a1f8c8ac7bcf9f409d922a345118c1d03584f7d560fdae5fd9ae7a70cf9384f2ca5ebdd0a7d144e14010747dcfedec7fd5dfa75dcfbc0353f06e08

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
dc51c7d709b8bc9243789c913c44d8f8

SHA1
6f8bf6e7a777f46be3f0a6ac0272ee3badb295a7

SHA256
40c97f0b5e24eea9d5aef4c14a95ae4041d5d3d6df03940becc85d4474215ad7

SHA512
be2c41901e43bc269005c9e994bf5531d2b70f22b0403bd4c3869847afa9f38f49aacb8b694dc101f014b8a4089dc25fae3c59697227aa9c5b4907274db29420

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2f0d2b48459dba51d0e8f073065c8e28

SHA1
03d469abb2142c3001a976ce875356730347bbee

SHA256
a2808b1c7e30d94ef72d7c55cf1d7fb2da6a2d44181a5efa14b40acf1a55e135

SHA512
a7a3c66168349938191a1a5624ae033b6dc72f739ac2b2d70868c07a0293523a79e0d904681871af15f2f2bfa8d4a6413b85bbbf7dbef02cd3500aa61a1285cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
07f5c56c38ce84968af07219b28d7db0

SHA1
718a5b83703c3334cb3de5dcbb492e2f642cec4c

SHA256
d591ca9c36126c2104b75bb242e3696a5e393410862bc9a4f3e8309a846fedeb

SHA512
c95672922af2c43e4cce480653e89d8e166a5c6e70672242834a9723d2e0c5e9d6a59c4b68515174f4f02f9a0265fbcf6d261dc05ed619e60a2ad922c5f1c2b3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
04c3c25558ffa64d7a6f1459c1e7e586

SHA1
9e156b987cec56d70c4de189782d3a5d6735696b

SHA256
d870b545139a710f0f9ffc53fda8179bf8fae16c46aab54c512bb1b43b09a02a

SHA512
670abaad211172a8f06de555624868532eb7350b200f0e3dcb08961d05b8dca97e2aef196b7e1b31c5f96bacaf5beb93e0e240b5f859e6a45d73a3372ea14be4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ff23073fbf9d7a5c80265ba952df2dae

SHA1
3535a340d771081ab770caa57b75a1a660436945

SHA256
452c1ba6ac690f6c25e046e70917bbac71d84101acbb75e1430304f995251cd7

SHA512
229f0f6b7026930978542081c43f8ae2a0fbba51c5ca95e37e8f324af0502136d35f018f4829afec10ee1afe46ce89ad79aae16868cf2ebe6fffdf2443c6b8ef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d9a6dc5c4a4e682fb37a8a06fdfb91e1

SHA1
021ad1881cd1e957439ec09063f6e5da647a5dde

SHA256
4b0074baa819831db3ccec87c09fd3d7758bf55dcb7305583e2a4906bc25967d

SHA512
060a41d196145478923a67437d0f0259cc84e90d4d29b9a117e459585d737ba2b849b5ae07b6be519551493692fcf01e3f2b3f429da926fa620c58ca773ab853

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
6dd9510789a00f39b31033ba2b4a4adf

SHA1
994bee076cceb1b24a644d577ea464fdf8d59047

SHA256
b4cfb02381a936f64d1e44014dbe56a2e8b70c9d747f336276c0b5d2cfbafc79

SHA512
78b12cd54fad32c6f6d49bcb7093f94cb01a2121f569f7d5ecb21e658a70bd82e4f64356dce9852934bec0ad9cb3da6cd8b9e588f3a43557642a2deb5b96fcd4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
95dc32a47dc72f81e5f8bd92b1e467a4

SHA1
dcda1161a7694946053b6061deacd534f1e25324

SHA256
14d94983bef6517aa36978f708f4d97f5cfd23ec72f3328c0b987ab72a0852cc

SHA512
702b36d08ab04dc1d55c0b1f3bf2fe6ecdd7a1568b0ab552aa7aafccc5426266e9893b777f0b2dd72e74143a76c1b648e759639fcfceed1591b4ce663b14c570

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
2bb39ba7570b3f8c0493176c4f1364d9

SHA1
66893a9ab72d769ef19b37e9bce63643bc6857db

SHA256
85b783d873e062614d1e816d9f0bad37036a9bdac4670249b6bfaead0a0c430c

SHA512
614d2bd38c5ccde85eb778b419f4f5ea9280bed6f040c62eac9825054ae7aed69ce25ce94446d5122e1f19e401848ca429751fad9ac96449f94b87ff837b8b7a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
d585d64d549bc65bc885508fbde9b905

SHA1
f4aa5729d89cb95d0cc0522724c762c02983e087

SHA256
7d55f6b6cf8bb53014f69872de61d92368a73d9bbce272bf428dc655658fb4cc

SHA512
8b94b0dd9d881d55aaa6ac22fd0096ea9417fd4fc0a6a558d2ae5cabcb11bc78e9e2c2b6535aa3f33caa92ea8189efc7a396e995cef9143f081d7222ac20b183

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
5e853e6c250d8f3833a8475b7082019e

SHA1
8686bdcfb04eb26462b5a1c52d25ebe770b426ec

SHA256
1b46e68143d1bd0bbee0b26e216599e83c41f6b8df5b39aa1d91f018d7d45756

SHA512
b5c3e3ca7a283db467bcba5570ad0d76788595041e5278bf865f264223285cf86e6d7ddc607bc438d4d823a7400ee1ed0af336ad4a27aec68080944c829c6fb6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb3ee269c37ba1d5f0696e393ab544e9

SHA1
5b497971e1b4e2fc70815740562737b037268d11

SHA256
1b93870a0ffe92039bd5f3cca36e4cb105f45e99858448b6b01e02d381e53c74

SHA512
d897ab2555a0cec366a44a50ff82b0a35f7beca0cd9d266f31b655a416998a5c48ce61fc6457b64568284bb891c45b343be510eeb4883203d16e2b8603d9a5a5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
db5cfec92d2b8a0b8c9b69bd196156bc

SHA1
a19d8701209d1200734932ce6ab4c471835eb0a9

SHA256
ae3801c7f9fa8114883b9e1844f97b27c43ed94e22ca881b9cb4ba77b79debc3

SHA512
cea166c9c9e30cae74ee6215d7552cb0e71801d320398008a19ea112004aa7bf569acc8cd4a8e9a79aee48d5c813c30bc6066cbe9e4b4642c14ed83d59af4577

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
71ac21f600273eeb5c79ca5d5a258093

SHA1
2898e5d74b8a90f2b607669ba635b33b5a539d7d

SHA256
bc747e71372652d4da1d5bd2d87d0fe1de720eeb9dc2fee5f1889ab585023d64

SHA512
82be860176e1c57ef8d520d0218bb827a7b745dae165e7caa5919826102bbf9cf82f1156e165fa98e25b2127f2afd827fd449d3ccc8496689fd463a712a50f05

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa3f99e19216cfd452c4a2c0ae0e0cba

SHA1
c7552418ce115005d1ac47f46c468a786b3e839f

SHA256
a7a44bfed5913e77de2bb1f6671c7ee720350b9b33810c481fce4cce8f4b6a07

SHA512
a53c47940f8b4cd98de3ded3bedf23d650c26d0b254f53fd4b6c4749752f1ad64dcc7845e4b3e70eaeb97e8291c61b5125e8914378d1eac22c3dcf6b29171967

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
641247bd45e7939b07c8762fb2a458a0

SHA1
8471728feacd73dfebce1d20c6a8955bbfce03ea

SHA256
37c773ca03fbfffb5e15c2712f299f52e65730e188ae94916eb9ab38c87d7ccc

SHA512
a4ecf0a465e912a2bc93a9d096920d12a91c8ef3cd177357c397f1b49114fcef0e40618d5ea96b7df6b552e0f9ff7449f51b5681935cbf2105f9b58ea3d58899

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
07d96717b9646838c10ac5621ad3d017

SHA1
174125205bc2b60e645cbfa07fa7ee7c8f169557

SHA256
11c03461ee0dabeaab20567a42982614a4563ef792d445818cbab95814b7c1ee

SHA512
044fd42651f4445f0cf2cfc676ad4dee3fc4d45440dcbb65f52420460110414981f8b72023d8b927cc39d5c3cac06e0aec0a92415b103a883a3e538be1b92a8b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
e25dba6330423d71bde88336ba73faf6

SHA1
a988d8352e2b049ef4ce35f126ef00fb5598150c

SHA256
280b11fbf97c9279b29b8c24f75e24caef0f48e55639fdea77359b1c65a3efa3

SHA512
d52cd19c8f138824314d4b22567c62a9e02a3140c19e071be030e9084b9f111e388f7d842e1d01967e2703b44908358c0a8e2cbfe224b9088797a5fcacfe2b0e

Download Submit
memory/232-584-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/232-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/464-242-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/464-585-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/528-209-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/528-218-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/528-558-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/772-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/772-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/916-6-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/916-7-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/916-1-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/916-125-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/916-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/916-496-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1084-194-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1084-142-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1400-205-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1400-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-195-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1492-136-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1492-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1492-139-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1492-127-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1492-133-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1560-162-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1560-161-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1560-168-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1560-216-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1568-184-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/2064-563-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2064-222-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2136-179-0x0000000000640000-0x00000000006A6000-memory.dmp

Filesize
408KB

Download
memory/2136-173-0x0000000000640000-0x00000000006A6000-memory.dmp

Filesize
408KB

Download
memory/2136-225-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2136-174-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2620-581-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2620-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3044-92-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3044-85-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3044-77-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3044-149-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3052-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3052-108-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3052-109-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3052-102-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3052-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3064-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3064-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3508-204-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3508-157-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3508-148-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3508-151-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3640-559-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-604-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-621-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-586-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-597-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-598-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-564-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-573-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-575-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-577-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-578-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3640-580-0x000001E9DA3B0000-0x000001E9DA3C0000-memory.dmp

Filesize
64KB

Download
memory/3756-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3756-236-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4368-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4368-246-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4464-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4656-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-565-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4692-192-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/4692-240-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/4728-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4728-141-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download