7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Size

1.4MB
MD5

56cbb59988cbb2555fe6cd562d29c356
SHA1

483223c7c459f1c8a22f2abf1e8ef2ad29c85481
SHA256

7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c
SHA512

df9cf829d0455f71196a5c5d3ff16286900a10473e0fc622792eac0fbfb1e8428473adcb30be8105f0684c2125a84e4f13c08400d513811eb6af084d47f3e09c
SSDEEP

24576:wfGxypdAThXbqT+KzWEKS0nFz1MaoCG9:+GApdATcWEKdnFzypb9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
460	alg.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
4368	fxssvc.exe
5108	elevation_service.exe
2848	elevation_service.exe
536	maintenanceservice.exe
2248	msdtc.exe
4748	OSE.EXE
2488	PerceptionSimulationService.exe
388	perfhost.exe
4552	locator.exe
3092	SensorDataService.exe
4360	snmptrap.exe
3164	spectrum.exe
4460	ssh-agent.exe
4828	TieringEngineService.exe
4084	AgentService.exe
2080	vds.exe
4776	vssvc.exe
3152	wbengine.exe
5060	WmiApSrv.exe
3224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\943aaaaab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\vds.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\locator.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031c6d56556a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e7e2c6556a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c291aa6856a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000498f9c6556a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e0bbd6656a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077d8ad6756a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeAuditPrivilege	4368	fxssvc.exe
Token: SeRestorePrivilege	4828	TieringEngineService.exe
Token: SeManageVolumePrivilege	4828	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4084	AgentService.exe
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe
Token: SeBackupPrivilege	3152	wbengine.exe
Token: SeRestorePrivilege	3152	wbengine.exe
Token: SeSecurityPrivilege	3152	wbengine.exe
Token: 33	3224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeDebugPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	652	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	460	alg.exe
Token: SeDebugPrivilege	460	alg.exe
Token: SeDebugPrivilege	460	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3688	3224	SearchIndexer.exe	115
PID 3224 wrote to memory of 3688	3224	SearchIndexer.exe	115
PID 3224 wrote to memory of 1236	3224	SearchIndexer.exe	116
PID 3224 wrote to memory of 1236	3224	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
"C:\Users\Admin\AppData\Local\Temp\7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3688
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
fab5cddc03991fdfa91c35478cfc8a81

SHA1
46dcaab142ad4eb3e531ecfd929367db3fb0852a

SHA256
3585dce2e45094b1d3edd3e7800a9a14ce6026ffc456169ddcd7d155d44808cc

SHA512
b561dd2673af25865cede643c63b48de680c04fd74c436c640ded77c7ad19e2c424a416313dab32bcbeb70adc38b8888361ecbd6121530e277fc71992a51db44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
835318219a733813279ed88220d8b44a

SHA1
85a44c351c62fd7f851580600ffe9444fea14d2e

SHA256
87e0056d40ee3be337f657e9be6f362e21317a0e445c58579eeae8fd3d8adeb4

SHA512
60310a1bfcc176ec6e810889b2f2a7e615d8c9b02cc0e77c378a735f8e41aa55b314faaa556042dc75e76e4505c58b6ca610bc64c677a223918e79ae1f16061d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a22a156cc495f46c4b8dbc631b0a9dec

SHA1
b59a3d76b7c7710b9d502f81fc24a6fc1628dda9

SHA256
eadd7f73afc7e8fada5e03980c26751eab06622dc99a399a805d1a0f098ed9e0

SHA512
857af9a559d601117b3f08c480f4ddbd908fb7c413dad505e78ccf4a792d8ba1540e13e63393f006cbe3ce281bc92c84e222a95db7e653dcc0839de62020f099

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8fd67ed6d2163d6add246efad60e70ac

SHA1
0a667fd7bb912e1c96e1079a14603c218b7d23b5

SHA256
f17c73669a62b2702d95ed545ea0b82e1160d10773fad60dc1f6f0d4847914b4

SHA512
e2ee3ae3a512fd69f9d44f06c625f6dfcf4640971072dc912a2560a4ae54204923bfb6c406ca2f4e331e23e31a097bb7536d899fcc3b84728eee081bc864a854

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0be6c0aeb5b8ec0a198afa933ac02e5e

SHA1
99b4784b1415310b5eedcf87a6b1bf4d1c6ef85a

SHA256
340ee91aef430584af0036fbd6cde75bc2fef5df59fbdb191c465d1ce8f083fb

SHA512
c721ba48e5c0f08225bc3d29c00675e3908de42c28b82477190a51ad13217a9001aaa3668aaaee6d276e6cca2343f9ef5d1028e0b04234cd46ad0033cae83eb4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7bbbe08d16f7aa37428f4314b5da47f5

SHA1
55aad09935d3cec743c5a5c80d8136e77ac4ae2b

SHA256
31108a1e6b9cc4f095e82e7477fcbe4f32670cf2be25fd7c8be53203ca2d2c9f

SHA512
d1275c7105bb6eb572a030ce3bc7639eb0555d2b4458ecce2edc5580f2defbb04e486520454ff37b7b9ac38a580693a45f8d14e1a7183362201e64859ce65c05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
dd5310d574dcb34d338caa8c5ffe43ca

SHA1
fa756c0e309a4070dc8b21331c4054d0c894806c

SHA256
4dcd7deb1354d8afed5cfa45571fb06f7436920f0505a911850a52942c2e5354

SHA512
464f7cc1cd4e2425bdf665f8c35653d734a6c8afeb390b9324d45f0c0fced25e30d1f156ef33333ba72ab59e12c4db4fc5e9165787b3ddac1ec48bc79f486db7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
22901ab4c0e68fad68563c36a98717b1

SHA1
1beecef0962f13a15f84ba55179137a8622e9481

SHA256
d544d3b2f29ce2cb530a9bc8456ad654984c9946fdf93f309bffd54413138516

SHA512
4ad89df7785cb551fc6a0147ad4aba3ad304703cfd18a7096c5b3a53ce14bc83e5c8c8246205ac1763b8edc70589e05dcbb14a2ee246d66138a5bb77406de6dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b7728471d051dd75efde70ef472dd32c

SHA1
9eabda5c036c7f7b80d471879609a22001f02df2

SHA256
eedbc09054365351cdedc04ba09a9b9e5315e278099e62c95cf4248dca6bdd31

SHA512
f47d86765356357c5f0b8337fe211f1b02357d16fd42214961e86c2b6f5de17cb9ccb4fbb4f49a3fd3fe8785feec32287bf6b2d3c58efdbde062449668dadb29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8bf196ef682ff27c5989f58ac40d50ac

SHA1
ea2333d78b3ba41230dccba4a43e5045d653f353

SHA256
145ff668b0835a353b05d043367f870ba6140269754e608685a3f618a81ba0be

SHA512
d1eded1a4680b9709ed4252b93a3c9ca7654431e962dad88d06a8ebe4910b234c39560ea5c15dd6c7ad41c41c771aa9f8f609b8204234b360198fe997f85d295

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bde579b283e6e5d29a7787219e0e4b46

SHA1
f9c128a0b6a25a87bc4cce019baa3599b5c6e72f

SHA256
52055ef7397bc1f84f24fb427ab5b89f75c4f331941dde0c96ad47e662e422fe

SHA512
5f8550a270fddfb4f8d2d9b26a8f88ff520db172733d72957757a63429c86f1c0bab80cee82afa53d0b05c0a53e8b74717c9b1211854cfe193dfbd578fb55a2f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9dac2365fc49b0d9fd7909a5f90d8f78

SHA1
e111787ff165fb2fa3a109cb0282e2304c3ee522

SHA256
b398ed033cd0d98ca1fca5d7dd48b1f7d8bc4c9c6849f1e7e71a932affb131dd

SHA512
7789d9e1c7c8eadedc681ab531b3e77d0031efbe1271ba28a04b7aacad5b471b3d1e54f8eb8e802e965095425cccaa199966bedf247bf4f1646da380cc4ee378

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
14cf1f936defe55f63788d356174f3f6

SHA1
875511b5b154fb92dacb69fd087080cf9ad3ab5a

SHA256
6ee29390c6d5ed5b0d34772567ba6f1bf5d561c14df992a7c28f005c4afc1272

SHA512
4a85b171912c053b1765327247a49cebaa2cd1836cedb9ab12567fd239ac6e6e438a0ce194e3b795792b5282314685067a998fdd42601e1e76ac9d433370e0fe

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6e85c3146b05eddce82cc90bad1eb5d8

SHA1
9bc2670d3691f2c0977c981c270aa723c1af4a20

SHA256
b79fee7a57d58d26545c854bc4061b954d29242115490efcac48a975b1090e23

SHA512
94a311a82b5b6fb37d962fbc9fd80f29615cd9592ff7b378d3901deab8d91798b04e57d458a39c13eb2cae250486dd9ff819953f3f2511e2a71982897c020aa4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c5e41fd9b4e5271e619f81f30324dbb0

SHA1
719a6f8019021b916269ed272d94d0ab69570362

SHA256
df232f7c8d9a8ae5e77169bcf67d75baa5899b2bbc93bcc2bd701f3f7d827ff3

SHA512
f8f1b39c323155edf9a2a37fdc485e653e5c743be2d9ea820fd5237f5f3383b2a153ff5e6a56f16e8935eac93c11f6f6f567220e650a45c230cb363e8de46491

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
d509cb2c5e3271ab94a2209d3de7f70d

SHA1
15025ec936805ccc16751cb69ec08bc0110b3d01

SHA256
981515dda612f874b628e99d0858eaaf566a1d89cfee373962f77f075992fa44

SHA512
055f6661352ae699741766eff3b730f2ae3865c4935650a53fdb7422f5d2de07eab42264c7adc68017e00e1240224c3f91f7ebb051da66764362b1faeba2ff62

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
05f29fe7eddf114a8bcdf8c12b745d1a

SHA1
2d18079b048776df3b2d404382dc5afad300517c

SHA256
9365682335e798d1ec858614938b1d7b757e88668a794002e89b7108536f0040

SHA512
a9823274342af29a156de1295cb8d4748d67ada81414d61f8a9c5f453517a53d3b9a7eee5df5a37054e8c7fdebc1370f181adc7cd74b7be49238f34e56733f8b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d88ff024fa1c5eb8f76272a35e9a48ee

SHA1
d13d367c6aa1ea823073bf6e94928220f2045b39

SHA256
1ef14225a88a7201f73fdcb024c63d8b5bafcd7ff91b739a1f8b22bbf592b317

SHA512
54c6d4fc38b71109eb5d3991208432e2c193a9a236d85b968a39bf5c04226769b451fb59c5554ff14ae527d264a1fb786f8379dcb111d146f02132037e6523b5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b72673703f0a386c86b155dfa01d762e

SHA1
2843840e010d0395c3fa1d1a0d40259143e6c9ab

SHA256
1029b544afa408eed78b4a6f92adcae64abe5f165d758d20c91bcd037f9a1f41

SHA512
7b21b6e3ac0f4ae37f8b4617064ee8a1a206c92cdc8020e54942d0ffa58e36e652e6b34749c64e9ffdfd263bcd97210184a6657ec8ae2e9bdf86e3bcd099c558

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1c70c38502330b9bb6dd4c16b38cd27e

SHA1
7517a950008caab23b5d25f8f94f553ae85628c6

SHA256
9d755b480ab8875cd4581e321e184177a13f294323e9f81cbdd0f2fe01219c37

SHA512
c6d773d389dad58c61f6be705ceea65e6cdc109b9f697de9717925ca38a3525eb3647373b9235811228359b2c181cb06c0f627f6d7bd8472cb4acdc4875e9d1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5c7cebdbd410210bb5171d696e95db5f

SHA1
13eb8c160c450bcb4e9dad56e9af3368de8826bb

SHA256
3ac9b0b1e334afe4c51ba672fc4065e77d2141d58a81cb942662d994797f841c

SHA512
8a6eaa8f1da4154b2c117f281fd7a389dc2394fd28003d827d9ed557ef79dc751039611249e43d91509a62a5fe12712ea36fc5e6159a00ab1e5070b018461ba0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
728ca8c07663c58e1f4b16b88d9d4424

SHA1
41c66a4d9ebac78559c6c9a28bb761335a68f33f

SHA256
2b1757521f61138c55efc84ef5ba5dde57617750ed81f14017060fa2f1246201

SHA512
ceeafbb08a87fd3b4d174425b3d7a7ca8ae46c781cf998bcf4113f8c6e4b2a22b60f09d411734a9e6392ea1a4f3311671282d3bb036b809c2482d5dc9cdea7e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1ce4cb5498aa50a5ab1e4173eb84cd0e

SHA1
dc8e3b8843b8e92c8846120348b1d4eb8a57a33d

SHA256
41c341406a9c53654a261945815060f4d3455d55c4dc20d57e3a66dd41907624

SHA512
78ab22d5f380a600225146321c4e1c1b7e5abb93bbaf93526da4591deeb989c5c9841561678df95e2682c8accb85a2b971edb79c7f304e7aa84489158c84c24c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d5c89cfb8f7989d571158638d663448e

SHA1
9ff358560e9e5c4e7d4464d0a8bc2ba5ca0a09ff

SHA256
e82f1cda565c031ecfa6a4b7a05e6e50b02d02fd957c981220317ce0b8ac0ca2

SHA512
d2a5bef392014cdcffc701c26152fda8deabbea6a6ffa40c8d0d0ae4d7412a1a452f9d834e177335b508be50c5695c75425b5546173436d428e8f5ab5d0eb271

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f25cf7a920b8491609b2c7517a43537f

SHA1
664fd4df29c6eeadf0dd31dbe6180a6d2bc3f18e

SHA256
108698972447a7d8b7edbd0371e50321e258e9cde23057d5b224776b10064f43

SHA512
0f954ef11563988afb997d298f3b431df332001cfb91f6ce1f2e6f5a5071ba1a6f5910321c1ca5d215d92e7e309f6cd076c3f16a1be66d1f54ddba094e64bd27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d2869db41d237886e8b91b60cc563567

SHA1
f3842a976cb3422a7aec4f845767504c4198ca45

SHA256
313aedc26d35fd267585f74ac9fd713748c2279e489e8653c07f49bc0659bc90

SHA512
fbef1e56eda4a1687843efa6042b4b95e47bd1dfef3082b7d896ea894ab802cbcff20843942f22890b640a713bb71ffca7eec0c4cb5e8089cbcd150dbb5ff112

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
dfef4c25b866d38bd59d49f6dd8d7fd2

SHA1
bc25749308f9f5bf7bc1cdefa971e9fe4d9cf2b4

SHA256
48d2572a28cdac92ecb12039f42bb4d04566c45cee13e8a133c0e52c97789234

SHA512
c4c89608c9bba279f99e639a5f82117888be70220525e358c892e0e40d47373fce8c7fa9fcfa8f61ebb4890c45d1705f5d658648962d89efeb4f2a480d03a314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b103bbeaa6e1cdcc59e3801e1ca865bf

SHA1
e26ab23999ab44d6a2861c5534a7458dec4de385

SHA256
73b7c341e809fdf6a86083da6df277668b08b7f1af302c254e160d559f0ff74d

SHA512
4e8821d0168ee52d1b2be1e456e6aa93d1fe3df0e7d042b6a6dc27d3d4eb59eb38ab5256aadd12a004116b8218ec11608bdbdc6acbd58b98820ea80cfbc00c04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
231850f5f733f667d9b99dc49dc2f079

SHA1
26b7725b5017cdcf93ec1f6e5b8c5d43269b553e

SHA256
2ee9726ccb531b4c840f9e71172b78c76a0add46f51c4d05a6c2439caa2442f6

SHA512
4e3ce4b9b807286411855831516f8b7f27094241c56646caddd97c13990e413842fb044b5b87c881ed3b2e959f269b5f7dc10ac971d208b7414b24b081e3bd8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
459b79eea63eb71015a51559d7eec3f7

SHA1
5df36b3940e34bf0e56e7cf3f4489305bf890809

SHA256
b900e83006ee1964f5a955a8f0145263689a9e9ec4c5364b6ef82362acb94e27

SHA512
6a98ba1e86206925c8ce4a15c585429b45228634de017913431421bc3d7f1bfa4dbbd91b3ef62ac81acde6cd223240223e03cbde35f47a17cfc5b4473d22284b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
f3e23559c8e3ceffc34370551b9fbbb6

SHA1
1ca2184b9f17139db7db2c4c97ac276ccd47be82

SHA256
95f4388531e3347b1d784c3166df02244813bfdaad2fa9e714c0a3f01d106605

SHA512
de14a561da1518112d9472fdba232d9edacc9ef704dcfdf6bf4751d2c29dc308b56f2dfb4e07acef6e82dd7fd70efbda9fcc5cf5e7538a99d64b7b3238eda05b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fd17329a63a57e9b0d2d36d7e6123819

SHA1
84350056c575ab0fe173caf62d4573bda6618b02

SHA256
bc2400e9312f862ad84084b10985bb3c9950261a3bf859fa158b33032922d575

SHA512
251fa502ab0c01c7a12cca20987c04a09e53a16f6c50381f172403e421bac1b3c8c12d66a9e37ce7279b697ac0397535c1e0028e3ae1ea754cc9f59dffc486a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a72cfcd3b240b27f1cd8676e0ae433d1

SHA1
e6bd054d43d61237872dfd2b30d97b09f07db0be

SHA256
899d10686848266ee249a17921e1068e999144b6bbd5e74ba5cbc8a82535da99

SHA512
3b78ec55a0a922fe1c8ba76e1f8058ca9fd9baa91d783b2a13f76d89b64419af9278de38e515cd27ddea83b1d4e980d17e9297e58d8ca76be3e5b05c858c98b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
651eb60269385b4cb610a9cce952bb58

SHA1
29fa913d7b28d5baaa47bb32b1fda366c288abf3

SHA256
7a30d7e4de21f0c501b202b66e4ebc3c679790fe8cd172a776b83960b76f9411

SHA512
645fbbccc4a8ed5edde3ecb733a529c3c2c2b33b10186803ccd07a3ef588524ae122b9b8915f801c231a742fbb72d689cf349134842a6fa5bdb1e5bc754a8d74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
5d0910199d52567afdd0786897eb3cc9

SHA1
3e9b4a7909bbc1380bc106862577d657993cbfa1

SHA256
7a48028e4c2ba9afd87ad3f45a748e14eb354a52341b5c048bcd6481a648955d

SHA512
d822ea186477c7426b8413c0f27d0e0ed6d7bd97ae2bf052c336e218b4eddeee14b05c816dd2cc856e3b1bf0969d847be1f8bc0130db3ecc3ff610a524dee53b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
20439e629c07c85cc6a7da07705380b2

SHA1
a4c56653a6987884765ecf84db91cc5e0238ac82

SHA256
cc5e4003cfeb70af110fa5d55dc59e2b7d2de4cb7118f61ccaed17673feb5a52

SHA512
a47287ac2a22c06bff3ba67102d0e6555d9c7fceecfa1ec7f2864ab3199f9329b123413f60d39a52810b2b62fd18728960f18a894e76b1be356bc752267f49d4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ca39c137e34de3872edc3fc29a382b74

SHA1
e5ebc9363c7d784b85cde934b66ae29e21a2ef3c

SHA256
841caefaf88ad9217d5c118569880d1426ba96286c77b7a278fd8275a8b51636

SHA512
f357883de5e5e36f55a462136cce3665114c4bebdcc723ff50ad64180b7378a59128bd7af47908539805d7638097feb998d42df99bbccbc10d5cf796e7dc7ab8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
426e3c89215f1012ac80551c9a7b4ac1

SHA1
00f6759e4535e3d9829fa6d3aef5bec21b36d9c1

SHA256
5dd18e23088d8081678d45bc580b459c34f1248cd61b4eda64e657631ad705d8

SHA512
605ef6891cbfb118a64f2b10a58de338ac8826d1417f53d4424e6e9c71d9c745e976f511e73a365aacc788bd074b2f65fb586c9959a25500f2f3241e7894e376

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ed3fd3dd0bae8d0c201a493b3f1e1d7e

SHA1
de2027252d95434cdb0ce0f5896141c19d66a075

SHA256
5a5f64eb08ab783571c991fc5a4b62e0d1101295f6ea741b87c85e01a3f49ddd

SHA512
7351dc924bfbd2f5b6491dc98ceb43e25388e80f3810cd0f8eb81918af709beb351a3a2eebce8d452ee43dee8622e8c778addcbe54641e093a4da5f8310f4792

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6a76d0007efeec958b972f598bca6ccd

SHA1
e33c55135ae714d4de0eecb4188013ff1636813f

SHA256
a42f03338a7f52959e7244d3597110b1a793992f381ec6bc109399fd5c001f6e

SHA512
8c639cf21458196a4bcaa838f26f9794875af740abbf4fb54768e63b49dba7f1dada33ccccc771fb98bddbd6b46ab9ad6f39eea1ed79b8755e4e974607739f9a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fc812fe42f8d64742a29318bf4816c93

SHA1
188407a766c44427c159e5d92c8537d8445b6d02

SHA256
9bd2bf5b76904564403efc63fc5fdf55196f9ac795079d53e6f58a7e4d069b40

SHA512
e1290010fc241c150641771ce66cccce9304b049a9fb77b2208fdc3474fd796cd0c931a01f2a2ee1b57fa60aafafd6095f48a287a48ea52c7b58464d7d4e1850

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b79287f237313040672a64d924082375

SHA1
ccf23c296d47284511971d4f9edbb232012b24b7

SHA256
5b0acc201fe0618eb4b6c81868d9371d0140008d6de1e5e578a700c119237426

SHA512
64bae9012015ac16bb857f29e6916f4f6667d534a53671bf65d8e9ffddf3e1e83bbc93eee475a1ccc9e71340b9b109e9f3b1a96d005a5b9f5df4320b70265b3b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dfc571fe1db9992746b846a65741a364

SHA1
32e7a0ed69d5883bd59d7e7e74a05f137ef6ae1f

SHA256
3bc4980cd5ffc9c9365dfd7999ec211b39d21045f63fb532432a200873af9b17

SHA512
3e56d626701227e9fbe44041faf0ee5eac904f7eefb02edf8a6e57d42cd2c6cc70463ae0ba56be0ab6bde0078f3d8c716131b20a59ac9ce76cebea64a580bb0c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0833417f7e44fd856983ca95910b5874

SHA1
81107548f73f039c880cc1237e05e99889c13be0

SHA256
4fc16f133be39e336fee3ebc5548178f147c76ad19aa3e5d03c2807d8c9dd23b

SHA512
ca7744f51b16840b4ee756f7bfb932066f98c74831358c1468aed7a03abd1ffb49cf5eab1ec992fd8ade1c1cddc0497d2b4889e2034c955dd57fcb7b5b496bec

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d6bc52905c3ddf34f6d6641fe2c808c6

SHA1
7935426630f75992245bef714a7f5179acd4a1a3

SHA256
8c6e4be0bd7a8aaaecac286266d56a1c55f927f54e7fa0be1b95212ab4ef2eb5

SHA512
c19d8a3ebc438fdf9b95a4acf75b4d1e635339fbb704f26f18c50b1096219b1cd79e558e8a536d571bda7f548aaface252b7c77990d621fb79b0ab7feb18a3f9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a8061285d79560070c89f4082b011a4

SHA1
ea990d691edf215fbae30cc6ea9d6a23ad167aa4

SHA256
6ede6c83cdb1e2bcb9defaf59f1196caa39354798c5b09535032eedaf07442ca

SHA512
9ff79757320eb79f79674bc06cd65ce3f34215a6106fdb58d73c89abed2174e7b1f3020560af2958bf2b0477c1aac0d1bd05229282e800e4c228147a1864136f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fce0a24e8a81406323bb445a3c6bbcb2

SHA1
e55e1e227b8b0ceb45fad8d87088456b268b605a

SHA256
39de4b68b24601c0a96b0f6f8d7c7b1fce171b7ac6a7bd3fcacd40d0207574ab

SHA512
a7b61fc5c145b17a00ef19158ad8677cc35cf087dd587d9002c1a62c2c8ae5d8a5b89aeda056f99f17ec90445bfabcad451cd8891a09d1c2cc4585d750457837

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8c3732aac277ef62f7cda652bd22aede

SHA1
b174fc291a5b919b00fda5c5c8fba8e9109ef87b

SHA256
c2539889129b901a5b3cab9c13f762ec39073957ab4fdd7d5e5ccf19d5c227fe

SHA512
5bffe1502646c0c8f5a7884b0762dd34ef69d0c0347f9a91057b407985e691af2f6dcb7c8d540a9493a5f4638015f78e9e86facb4b16e60578956772e4c7852d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
218e2f098b8b9f9264b51b5fce771dbd

SHA1
4ec2083241058745388d72e747182d93b0da5fe7

SHA256
29135bc49d4801d0e1106e20b6384be29c212c5d87b979177a13ca4e72fd5315

SHA512
c739a8d8a5c1a4e25721009f93c9b448d5c1b740ab23605ca40b0108c0adb7dc9da66725bf85ec54a90e7e58be2c98daafd41369f2c579b73790f270e2355e3a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4b42e7faea04aed6fab7d852053355b3

SHA1
d9c2dd565ee34bfed63132de3bba627be2080f2a

SHA256
c9b18b6c3683ef65c26bb5a32345d4ee32500e861e147ee87f63dbba5328a31a

SHA512
4ad340003ae06fd9febea710287a1a27452ce8ef85019f3d0451a154712ff3a7c9134925b8fe9e0d5f95f7849ce4aa575dbebc02db57acc5150dd7871dfeca5f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
67c2d209c3283d9ddbef331e6239cfa7

SHA1
8faea2a5759205a02dded05be3e816e5f149f944

SHA256
f4466ac269ab7af9ab5a54f606b2628e56c26c743651465dec4e8ba1468cb371

SHA512
6efd28466f0e0620b9cf99f8fe321a5b5568092738b70827eb60706b7758f8706a335b3df09fe60c20866de8c9b9aa3c8b45c0f3bbe2c5a5f40543b6b6129d6c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0fdba317ca6c24495a22456f376d9471

SHA1
72a2f2c4d0917b32d4083d8bf8978e24b470dede

SHA256
28f01bb6603eb0c7c90787fda9ca8e75cb8938074d5d4b9434dbd04a813628f8

SHA512
9f276750f76493a3b3633abe5c2fc37eb0d79392883139c7332de2f1f7eb3b24972692077ddc792a1fc091695875fbb67f7fef2b7f090c961abbac398c6a93ef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1e849167086099543bb2889657cda3b6

SHA1
15d3fe018c54c74dfbe1c35d8e48a0e49f330615

SHA256
be3ae0be117e1aac602f9d20a3d47161c43d3812b4bfab6a187c724617fead49

SHA512
2c56f812884009eab11a39c85be8917e3787e235efd486b0bf8c7e0df121be8b6e6b2b0933e4a7d28a0cede3a760ff9d69697f6d213365f0ed8c68e83a9f72e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
542974f38eb0c760cb3dea9afccc343b

SHA1
b0ad1a360fd7d9d4afeff438ee88ca59e74d8746

SHA256
98963ed700f04d67029c2a019c93be220692fb11dfc9a70ca18f2f766ecdbd8e

SHA512
fe23a38a1606718bd68508e30098fe694847d412186382436b46bbf726caaad02be32d59c822f3c380e45d78c9e8e979adf20688a27d79b7dfe5cc3ad6aa41f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
acc2dc2380b193943adf3c50b5888bb4

SHA1
dc9bd958748f80c7c31963d360ecc2c9d7c7e1ff

SHA256
0fb40469f30d4880a2eea0157c75f35e2ac9d95e0958971e4d0c0e24f66fdf30

SHA512
a9b5357e9f6251fb82756cd427d5ba4cc158507a7c0bd61726caa8a3d23deca5aada0ecb2e4e001065c6e4648d22e9c0bbc799a3bf9d3539e61221d512b63d04

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
862c64efe3fe4d72f8db681533f926bc

SHA1
c90aba5878866c851d37ab853d406e3faaae2fbe

SHA256
855d560bb4ce6eeb1755d12ea0550709d2ad6086c99caa6bc4ed1b0172478c7e

SHA512
1cb7b223fc318eb98ba3e58df102ecfec2b24f673909b07efd7d43631f5b355296275f68c756c6d542f2acdf995d38af127da4e3b1c16e925e848380c8b28293

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5b28cfb9deda77e564f392c5dff9ddda

SHA1
9c125e6bd712a41e6cf7d567a15e5e70e88e6aed

SHA256
61553dc16c56b9355195829378f4295a106a845a54b4f733ce6a64fad79edeab

SHA512
f8b55475707f93d5a768867073708a12d56441c932b976c519b8b25bdb0f5a5d7e6db95ed9ae00a8d2bb52a92d0a9c08f8c437e90bc396420cc8d5d93218fea8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
2e25249a1e2bc22849f280916d85ec72

SHA1
f0085017594bd8a53e646eca3132c7456fc7bdb9

SHA256
c7ffeaa2c77614944b4f8a6d02deb93ed208e8dc5fbcba170283a3a31b8c90a5

SHA512
314407884eeaeff83419adb92defb6c5433a343f0d16578d95440966155fd9332e87d4e2a86043ed12c95a16187b351125fb7f5f616f9a68016096c7afe4e5ab

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
810bfa59655225f0647097fb04bfed92

SHA1
9afb3502709a1ff122213ca9f1f653016cbf6952

SHA256
75d5aae5a800a910c1ffb4882899c3c50f9e3d6d20260a41c29baaa2bdb2ecfd

SHA512
4598a6be6f9d1ed31b3f7005ca32cd5543a9b71dbfb78da37fa5b549fad3b488bea8e36fdce87d705b446be9e0dc522325e7ca6081f6ab02d5816cca45d450bc

Download Submit
memory/388-241-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/388-129-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/460-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/460-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/460-105-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/460-12-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/536-75-0x00000000022C0000-0x0000000002320000-memory.dmp

Filesize
384KB

Download
memory/536-85-0x00000000022C0000-0x0000000002320000-memory.dmp

Filesize
384KB

Download
memory/536-88-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/536-81-0x00000000022C0000-0x0000000002320000-memory.dmp

Filesize
384KB

Download
memory/536-83-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/652-1-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/652-0-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/652-7-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/652-63-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/652-6-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/1868-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1868-26-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1868-128-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1868-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2080-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2080-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2248-90-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2248-202-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2488-125-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2488-229-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2848-179-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2848-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2848-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2848-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3092-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3092-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3092-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3152-440-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3152-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3164-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3164-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3224-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3224-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4084-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4360-155-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4360-315-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4368-45-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4368-48-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4368-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4368-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4368-40-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4460-180-0x0000000140000000-0x000000014024F000-memory.dmp

Filesize
2.3MB

Download
memory/4460-334-0x0000000140000000-0x000000014024F000-memory.dmp

Filesize
2.3MB

Download
memory/4552-253-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4552-132-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4748-114-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/4748-217-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/4776-437-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4776-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4828-199-0x0000000140000000-0x000000014022F000-memory.dmp

Filesize
2.2MB

Download
memory/4828-352-0x0000000140000000-0x000000014022F000-memory.dmp

Filesize
2.2MB

Download
memory/5060-262-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/5060-455-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/5108-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5108-59-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5108-53-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5108-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download