9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
Size

1.4MB
MD5

1b5ef1a77d711af341cda60e9a2ccd3a
SHA1

20bec02ed9ec1d3155189ba51d985cc448de1d62
SHA256

9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55
SHA512

9c50cd114105cf85e6c7e18efcee41e5adaf09ce076f60e7d7e233fd2425ef07326b9e021fcb2b7ebb034e4294b7edcee6fabfd9106d0e371bc145ee796acaa3
SSDEEP

12288:/2iEExbs8rHos3KcZt+8x/T5zpBzqUV6jWOev+C3oaxj9y97HQKjs:OOtTTos3TZBRXzqCO+t3oagF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
920	alg.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
3564	fxssvc.exe
2540	elevation_service.exe
4412	elevation_service.exe
2204	maintenanceservice.exe
4608	msdtc.exe
2980	OSE.EXE
1412	PerceptionSimulationService.exe
1528	perfhost.exe
1940	locator.exe
1420	SensorDataService.exe
4336	snmptrap.exe
116	spectrum.exe
4268	ssh-agent.exe
2144	vssvc.exe
856	wbengine.exe
4900	WmiApSrv.exe
4288	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\locator.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4372ad80102ae222.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\System32\vds.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7f034938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001660c6938693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041173c938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f3d62938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000882a4f938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084dc40938693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6a045938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3b358938693da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c65156938693da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3b358938693da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae785d938693da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2352	DiagnosticsHub.StandardCollector.Service.exe
2540	elevation_service.exe
2540	elevation_service.exe
2540	elevation_service.exe
2540	elevation_service.exe
2540	elevation_service.exe
2540	elevation_service.exe
2540	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4472	9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
Token: SeAuditPrivilege	3564	fxssvc.exe
Token: SeRestorePrivilege	2208	TieringEngineService.exe
Token: SeManageVolumePrivilege	2208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4836	AgentService.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeBackupPrivilege	856	wbengine.exe
Token: SeRestorePrivilege	856	wbengine.exe
Token: SeSecurityPrivilege	856	wbengine.exe
Token: 33	4288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4288	SearchIndexer.exe
Token: SeDebugPrivilege	2352	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2540	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1780	4288	SearchIndexer.exe	117
PID 4288 wrote to memory of 1780	4288	SearchIndexer.exe	117
PID 4288 wrote to memory of 2952	4288	SearchIndexer.exe	118
PID 4288 wrote to memory of 2952	4288	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe
"C:\Users\Admin\AppData\Local\Temp\9bfc7c09af2a2543f1ca0b6c026d04a3095a1a751fc35cf0de17f17c1077ef55.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9a03ef855e0b7a75643e43b6312feaea

SHA1
74dc509b6ce2a7bf522ca9c5a9b0d55aaaf3a5e4

SHA256
1906621102b0465c43f4b25e2ebf2b97d91765a53135c947d709cd84105811ab

SHA512
9afc1498c629aae9e62d01ada40a7c2b7b244bd69d21c1b9708b88462a3cc828490c7ce363bfe98b3bcc40e064d5fd1cba5b4ca0df78460d4c1746f212681ec8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7028ecc5fc6df65df019822393d7e6c2

SHA1
d3cb0f675ff50769430e0b469454c19b3aa2a6d9

SHA256
1306a627534b702b2923e53fbc7d53f60e9166a440c5dd2553dd63929566f158

SHA512
6a202dd698b90e7fc5868be653235ab14332d9ac21ccd55d834241e597fd8c1141217ad6bd937e97fa15429cb5fa46d123c964cbca8729a1048e37deb603fa37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a3be55947ccd6de199504f4072a09414

SHA1
e9a0dd430dba6bf689ffe1fb03141e1b857d9ba0

SHA256
dc2bce3d25d6992e0d9223f6f95e552f54ca48e41c583adaf402c64e46dfc8eb

SHA512
0df71432dae1910b090c8797a41fd3f19ad36bfba3f3e290c31ae9a0d57c2bc8cb5b1618de09175beb6bc5a4a9344c7452231ab9797da5d70c6838cf8ef74e40

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ad8ad870ac7e5c98184c9d886c72bc7b

SHA1
2b81e6eedc3ddd06fa59359c5dfd2d41bdc4c608

SHA256
067a85f633bd42ad025fcebc5df481988f831115b2e05bc08ca25bd0b3934947

SHA512
3f3f059654bdbf91fed7ef14462296e9e4c2f977e89563285372a55082d9c1e342bb97f68697077fc2f43065626b6e21712608f5cac99cdd5464544235b82bfc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
57bfe78b0885ffab79bcd4695f97a72c

SHA1
dcf15db37386c18923b6c4147e5b5a5a25bdce00

SHA256
04d4b748d96247523a8bc3e6b036186029ce82df1305c93dfb69f82541c2e8e8

SHA512
7b4e160b6e7531656e832e691f71f6bdea69836e995ffeb4643106d4fa819699eda8a2251bf59b0ed55b48b7daf530b3a7a6e86156186c2489eabbe3b276e516

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
58c1ac0d195604796445f7a59bc9e33b

SHA1
760bcbfe80a84273b16738dfe876f48d5c96932b

SHA256
fe1670486ab5d3149f39821b0e999d58f868f74c450092808875a70aa7b2393e

SHA512
ab346fe9f061e4a9820ce715d16775671368d67e2f39451aa56b8591999e9b174978d6aab697ed9ebe83508a1b8a9bf608831c9ee2f4dbedd18d63839d618e21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8711cfa52187c6d2407276464f853b75

SHA1
a33844283a2b8f39c0c8907836fd42a2be0f53d7

SHA256
340bad30741e1bfa5eb6831a5bb0c545f2cefbcba30c69106573eeac7a8f409d

SHA512
c820b757b4fcdcac8a652374d48d2b79b1272badff68bcaeb740cd8cfe0d2eb9aeeffec6980dc265766e573e56501265444b75bd688b6dc2b751353d270c5b77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b10a65aaac3210fc15ad68c67a4d64f0

SHA1
0a9f9dadbb019707f9c72816c236395baf2cd6fb

SHA256
fed73144c545c0ab03a78f6ea003da2c38cae50a38a610168cbd65db65ee7303

SHA512
5036a253e598696319da7cffaf721f7d8d7a5eaac2e1d2813482eede5a973b269c80c1bdbbc785b7fb8f5a56b4d58d258fcab5943080d7a0bbbc621d10c3b3dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9c7d3404af91a03686f667d6fc094476

SHA1
3c6885a808c423718c58a20cb080dd1abfa7b403

SHA256
4ab014a2a2e9dccfd6c6de8a56342871b890fd2ad3137c9255a55f7bc22b41b4

SHA512
e1addaead5729c9487300665c9a7c94987aed9711d806c7a3499480761e20ac3e0d9b34cc3a395b675da0c250918e20754b49b20dab644d13cca8fde18d0704c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1f2231ef7f1360bb4c03faeae47b9060

SHA1
308b703d74789c99ce7521228c9794c41d817e59

SHA256
ab9023def9bd7894327a81de241caabd62357c57c25518dd877d2ea3db32e3f6

SHA512
b27f55658dee7e1a16b5a0f701b5845c4959a4e0efb1d007187501835ba2fc3648dc489311dfc9098e42cc1df1e97c954a8dd8b8b73a8403aa5976c401bc786e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c120749cf55423a6fa43d86fe331745d

SHA1
98c93bd1b5b0961a5931dc76ba9ebb080afdaa5d

SHA256
9a4992c997bb17cc0672f4a486662cfb152fc9630d026460f59461aa543d9dbb

SHA512
74fe4cc1c02ffea7b7d27c62e01afc69ffcf19891b2fac077fc98ad2d0fffefd1baf55035f786a332b06c915a80bdb80830b7c9dcd821a3385d40006b676af6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7fb40c01715d6ed005f5e4e189cf8196

SHA1
db6eb9ab967e8faa39d87e2a119b27e521af2d7a

SHA256
f51ea1f2aeb652692e81397f3792d2e35fe7b79da3286c3df0389011f8456c1b

SHA512
ee4ad50c769dfedd2eb939913c518d536f6dc2c0f90abe93fd68c86d19c8e4e4e10c8abf79d99779a79e8dc116a6cee9927fd9585c4295d65d2ce26496639365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ffe6e41d13e728af160c0c4efaf4bed9

SHA1
33a2e66c3cb3dc87ddd1de6d8617f9a4c4ddec23

SHA256
4f090b216afc1439cc82d0e87d1bd529ca14a1fb73b1344cdf75159f8650fe1b

SHA512
f126c79248502a3363c949da29ab280c918f369bdf2a0a841dda98cfac660a168adaf9e52510dd0356a8e25d52b25cf4030488342be59bd8b7b6ffcdd958ce2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
fc899217dfdef33f1468f139a2c612d0

SHA1
18561de9e0a75c1de15f2a08b47b8bb0f333f5bf

SHA256
d6ab1f9ba3d342264c3f7a489f180b9b1942478740a64e5fa421132db8ac2f36

SHA512
b376ad6d1268773a6d803237d04d4f2dec6de00ee13961250a0d98c14f121ecc8a66f2a81855fa62123ee1425b866fdf4300059752c625d9afa291d4e137dca2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
477f42b05874aa659422de9853299a3a

SHA1
171fbaece73ee57434569d47c624ff852755eb8e

SHA256
965a583414a2172504b92e5be22eddd10976c504bf5a951446fc6ec688861fb6

SHA512
1a82771690db6bc5c6ba2983c088aca84a8c24d1ec8d44e732909eeee069abe6357ab8ae26f8262bde92c59573e7d1deaea632168d69b703958e19ac3eeb9788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
12dcb9ca467fab0a79f8f6f8da932069

SHA1
cf5184076a10de67b19d6057c2305477f80ea5a0

SHA256
90dbad582edca13898304a44a9425d27b6700427a3bbc8dcf2127ffb19e2793c

SHA512
da67118e154402725f3643d4981724115220927088305c656a61897c03fa4a2c2181978a4d821ea2713b255535babb3783eebede7e9dbfa8b1190e528df1d874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
6db5bc58d37cac0437ce723aa4809490

SHA1
fdd2c2bf0144282c5ac15abf6c1b5be7e0455d73

SHA256
611b417a5bcada11a7703014029bcfc6f00b085727e067e07698c570077b892d

SHA512
740a333baa8211b6f53288f18495e4f8dfb7775ee8770b53d06f63a56649a0a75bbcd1d898b150a4f0d3fab30b271c1a5382ea870fa90dc018e8c66421731691

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
ba635613a7e220bdbc0609fe291e430c

SHA1
d3604badeb1596309d262fbfa7ff53f4ab893c8d

SHA256
447ad9398df6833bb6e95568d4fce42714a5096dee3427e5f723bcec4f79fa5d

SHA512
1a5d34318f36b0bf7d6c63bf98c8cc3a2f8e32cd7175f117f0c4dfcc637c8417239e67500f7790533e69e2351c189daedb975cabc2329e9bb500d616805ae492

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
40cacc2f4f4cbb7161ed2a3f04351bb2

SHA1
deefdabe1af9f09566dc2d461d850b3bc17541fd

SHA256
26b6ab0c90210495e029674286b9cbf6251eafae3583083c3bf149e9966f7714

SHA512
4b1e162527518275d4d059397f3957728607d4f016113f6c945af9cc67bc44f5de6825aa2430924b83f15fe63232d03faf880d5b4d7bc36d6dca43aec7127fc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.4MB

MD5
15db96485689ac93a5fadc659f357403

SHA1
eca931fdbc90947f3237c6be4f11b3bc2305188e

SHA256
adf4b29bd3e3ee2ff80190fb8a94663ea15c593a298b12dc4ae59c11f3468b9b

SHA512
a8dae112a90e2956396b979016c2ffbeced7529af61368658d0e28fa318a2431c16a00248db4207fc24b12df78fea3099053e4a3d342d9c0e36da40d4410c3dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.4MB

MD5
f34c5677432299adedf29f27abbae317

SHA1
b35c0232c6456dabfa09e66a81f06cfdebe85b06

SHA256
d9de34bea67641cef7fc14437edbf4314b14db707643fc5c32d9ced5df1cca85

SHA512
543767c714093daa463ba9573c3a9b40046f545109ab9151e0bfd34a718d61abc8a3e7a119c32fb875f4469e09aecd972b6eb92d004115b6f69b78a30522f8e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.4MB

MD5
4fe5635fe0ba0325b6c296de035d8abd

SHA1
c5c3bd90b613a5a725b1e486ca8e87e10d95f17b

SHA256
aa9c177863a8f2adf61e6f0cd3cc24bd99cabac0a725454945d195f5e358cf79

SHA512
282ca1b13066d1adb96ecc8c13090444a869796b90d930b161d3db5f80596be38012bcc457376cb157426ef290e384531fc141f6a3fa0fbe32a65be9a8017ede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

Filesize
1.4MB

MD5
82f12a64ee27d8fb25803164369151ca

SHA1
3491dc86684d73c4a4358d561c1927a20351633b

SHA256
162c0f5f11b4db8d985ed5ca9ba0c21f6163ebbecd0cf9c491d4a6aba6e6fb59

SHA512
78a45e2f1e50c0248591e43dec61e2ed1d64b916dcad9084ffd83a7c91ec243a5be61e24d549ff4443a485aaf9c1ed23191e192baaa68271f816a14f8cc95475

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
1.4MB

MD5
708bf147506a0d9e87b1ae29591c8dee

SHA1
f6e1811a50a872e8382d0789e99cd8d8dcda83f5

SHA256
f50b7613074d7e41e741efdff18523476c59110790ab844c1d7b2f602dab96b3

SHA512
5eef50b7c2d73b9501ed3422e15ef78ae3d68821bfc16fa4796bd87a095c0686187a890ac50ac3a77cdd95b21a7f43cab38f37abf2f8a8350e253a2f013e1c33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
1.4MB

MD5
fa6c0f09938565ab55dac3b5a885988d

SHA1
15acd9a5892e6c1cbd3b13a00bcd6e3a9109b939

SHA256
400e9b20c76dd2993c41725b71f51d4ae63eab719a0ac20323d5bdf8eeba373f

SHA512
9c94ce54699e0f90519f3aa410f3d4d4467301a487f3ab2aa07b314c6fbc15dde50623aeeb4cc302cb224c9d9659af5f4a19ce5a473592a3f3a9017c380ab914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\policytool.exe

Filesize
1.4MB

MD5
08392296f8f0c98df7c3d5034b35f35f

SHA1
0b56dc9e4e5e11f398a17778a332ffa3dc4c47ed

SHA256
dde045a46fdf9f18614d034032de006cda075e9d7fbb4ea67e17b2e50384417b

SHA512
64e6c223ce442b7ec2e7eaa3369e0349d034104f1613745057f52cbfd963ec9aa7a7781919541942aee47d7ae72f19bb273107b3e484b60e77420cc337a5824c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmic.exe

Filesize
1.4MB

MD5
b2e229fac23dee76cc9a72fee1355c72

SHA1
f3f6ebc53629990a264fdfd520638964dca179f3

SHA256
f74adccff23886790a42b172f57f9a595ed28c02e5cd98cc048a4d7a9693d015

SHA512
87108b544d0af0af14ab329df5707a9debb7624b911efbd68fad9c3e013aab05c6ca68a6f1cb17c95716ac11dba40bbf94552dbed785584994736d8321d034d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
1.4MB

MD5
8e0362f0800bb0e074794fa2d93f694d

SHA1
e9764ab680838685fa0f8bb3a512ed8dc9e43970

SHA256
9672bd26d996e4026c480fc3898fc2dcb4057360d188ff9bdbe2e9e815525dcc

SHA512
bcaf46a5c7d4814ca8b8362156a0814390d1cd724a5e969f8669a9698a7af9543766f6fecd80f4107bd18c7bad65617462ca601e5caebced7665088d107feac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.4MB

MD5
00b465ab26c3f9253e552718ce348ca9

SHA1
e548f3f28d0ab024da338cbf25d506305ca05508

SHA256
51be471d94df21eb55a520c99244ac50e35a8cc8df769b540edd0bcd1f359b8c

SHA512
e55a11b16e6fa4f7fa3516fa37a458d680890da9fb9ac32191400c491a6397a3775c6afd9608dd51689df8b2dc42d6f550cb5eca493ba79a4e5747be392c44a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

Filesize
1.4MB

MD5
55c2069f0a36099a59aeb34968735a76

SHA1
df1670036048c4a6a5b07b8b3c178fbd3944fdd0

SHA256
71279a1d87dad3082e4302aec184118d75adbd8d7fcace1312d815017359bf41

SHA512
cdf690bb81f90477441d58d1f509ae6a2f0c1ae87eb06559f2e0eccce1b83b0455a14543d4ad6c159f02d419aeb50169f723e89e6ba00ad6b53ddc19e440e0fd

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe

Filesize
1.5MB

MD5
baf2b66260c0c3d0e93fe70fc5c25d40

SHA1
76448125028d435d76828640f3ba21b1e21be0ba

SHA256
8608ab7584c48e216ec9b983036f3f9aaeed5c152648cdf3832f1c3c68fbc725

SHA512
59d5d9ad78831a3085a1762997dcfd89a792f10863db85cfd2e4a400c085f9578586f61f36bcde11f9de82c54073e098180cc34d85f727edfff50ae1e94e1fea

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

Filesize
1.8MB

MD5
85e180f937918a38bb873596ef6df736

SHA1
c49170f2d1848b39fd080407d5a8347b71e57168

SHA256
18e2f7e984e743958e26d6b4208134d72d351b4cb559986e1a58b80a19e520bc

SHA512
e10db3758046ea96de68bc22a717e77f03a2a6f1b9a261050d4b2ef624cab1c4347f43b236fc4d03d59118778de02ae5b8d8e17eecb28c68dd0dcefa18db8b73

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe

Filesize
1.5MB

MD5
5b52c8dc87d92603628d7686955a43bf

SHA1
9e990c8ee6fb5bc0937198b0942ef8055f7d5d46

SHA256
f86a874e2166b1505eb97e8e668ed0baaa4e2c272721d4b0bacef4a96f62fa25

SHA512
c764bf3754a1bd48cd6b14381a71287c1dd6c32994f02cc88b26b0496166aa7589c549a08612fbdbd8f93a354ed027ebb81e0083924e38b1fbc594a79e69b0f0

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe

Filesize
1.4MB

MD5
c9b22e81ce92001ff72f8406b4cb81dd

SHA1
40d2b68457781b00894b8e24dbe1c92fcdd0e251

SHA256
1adb1058a4601c836ecebf916b5db8277c3cf238665943cb831694046a6a63de

SHA512
f5c709968592f8958c415fe76ace069b1db6f9ec26c77019ddcc58009f56e9b11055dfcd39c87230734b6425101d0c5ef3ba0b3f46aeff7bcd4bd92a70c8af8f

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe

Filesize
1.4MB

MD5
76447cbb20751d0ee66d6f6d28dbd735

SHA1
044ab90584d646c2de9a1956df7cfe22667d0693

SHA256
8240fa9ae8e9f376126ff839eb8881c8e76a38590ecc4942715a60627630a3ba

SHA512
016bc5e42663b2675e569590fe7ba21c86e57206df713c693d20a3313e66a9157f7a3a0ccd5c33f695ab58db5639c59aa0c1317cd0899e65c4ad18cbd5a759e1

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

Filesize
1.4MB

MD5
e8b4b2f54d8b86a5b7740403dbcec739

SHA1
b8b2b869c81bb1b3c8f78e19029157782d0d4225

SHA256
7175a901483209f3e0e86edc7c17a32c0bcb1bbf3baaeed38d9c433e4e3284b4

SHA512
fbaea725a042262419da24a26b7964524fed2cbc1872d1f65bd9d4c98b3ed88bcc0c9d287f086ce91e69ab2dae319d2b73bfe35f56eaacee6a7b672e380d13b2

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe

Filesize
1.4MB

MD5
4fce118c4b566e9c1ea7037df2011049

SHA1
235eea9047fa6ad3eae4aab822acd9db08f6df37

SHA256
ef01949a3e4603c56a0dc103b8ac29f14c20c01337116b9c6b7ad0df273848fb

SHA512
123832813a7727c5f7889997e21ec032154608f02444dfdbee6ef5f91cd330757c0ae7d020546e1ca3abfe3573736e152de0b32f6d1bd323f091a1bcce776dda

Download Submit
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
8632fe3a8f8ef03b69b5bc8c26778be0

SHA1
b073cc48ab2f666e5248b44ac117a716e2cc01d2

SHA256
b1ec7f164342cd396153918aabfe53f1e4fc5a575cb240dff22ebed97c39ccc4

SHA512
961163dda8333c951c81880bd231eb70c7f468bb667335801052b9a7f8a1d0592d35a5a99567a1a352f7394370eadb72d4600e22dd2fa9ab48380c98f480f462

Download Submit
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
8dff3f2c43cbcd7844dfcf03caf957dd

SHA1
84a82436f365864097d0e152dbad44c9666e0944

SHA256
c0837011c6f4d8a5d55f6fa4a84b30530323e66d6bf2bc9f7f32ef1924b20616

SHA512
31faaf0b9e9649b000bef880e694d1c5e819bf2ac4098f37cf2356765c52d49d943af3cb28c48a2c82d5242e23ea926a24ba866d64d78fefc78531555f909bc3

Download Submit
C:\Program Files\Java\jre-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
02a4986a49fa8745a7885164941d51e7

SHA1
1f7030cdab2d478cbd1597ff177989977e07a9fe

SHA256
e8881758b988733dc6c123b0c8e1df4dddd4d3c4a506c5996e4385a8ac214fb0

SHA512
ec6afa1f3b0d0c9b8e023c3bf955a789d2ce796ae86553be0c7acf7468d972ed66af48f102a4e880d603051d30f90067fa5445432a218670803f0dde6d4fc55e

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe

Filesize
1.4MB

MD5
bcd00aa4bcb5883890918696dd37047d

SHA1
da4298eff93ba816f31754e6a658e83c6fce3ff7

SHA256
7b53f109ed4b64e26da1e6097e9ea52e1b90af0f96020ff7ccb2c0ee9ddd90cd

SHA512
5bd36ad07f383d667a3d2d3688344a74e7c064419fbb76ef62743ddbcd053437758307e90dbc3af7dd913be185354f630f0c718a17677b2c2ecb1f8b0f65bf9b

Download Submit
C:\Program Files\Java\jre-1.8\bin\policytool.exe

Filesize
1.4MB

MD5
d38249f23c67a783b8553913168eb9ff

SHA1
8c8aabab752e6657942e8f7be02e446c946df9ad

SHA256
f72802b0814c80af4215aa12a7b8365725295071be28012928a8bd6b12802852

SHA512
c2b8d4ab5537279f99f40664a46101ffc3e10a32187abf61194e8d4cabb7a146e1cc4eb4b22ad599030fd55edebf3f0fcbace559ecc0bef40ea79033ae66755e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
17b9ca90db616721c8c9b2a362fcf0d1

SHA1
9ee6f138e145ab46a9515cde856b808c1c92222c

SHA256
6a76f313f5574bfc32b0fccd1f185d3323440df615bcd98fb9305f8429aa648d

SHA512
d913d682be20f027259859be4338262fe0a3238a7a16db54791c38039d4e9b43a6eca0ba4530f67a884bae5296645eaa7f5b0ddaf6dae7b1985890d726feaf8e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fa725fd161a24f4655d2dc22b5ce6d1a

SHA1
8c66edc22a7d9afa023ac253ffdd9e8d3d5e76e3

SHA256
90ff0a2ec62be667acab952b47ed73eb1063eb3b51eaa5d194bd8cbf25632b32

SHA512
5cd569f126eed0c30596396749ff74db247142b0efb32460c7cd81accf9560fad6056ed8c45108094ee168265df64adeced30c1642b4b06c346994f7d6d46233

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d12625e1f8d62e70030d1a21d1b9a228

SHA1
7f8d5dce8781b05a29ebf4cc76b2ad66a265d411

SHA256
d11da1196a45b29fca36f3bc0343043d09b737fb00d8ecf4171f9a4fdbf5248b

SHA512
13b7c181c67d6e59d02ff248c05b53936aefef68214c83409d305930080b95f6fd7dd95bd05a34a8eaa11528d0b0c304e73ecf2edfdbfd3787062586a58a0a72

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3eef4e8a484b0740113fee4b94487241

SHA1
5c2ef246abc840b481588e345c452f9a383de7e6

SHA256
fef6b6f4386023c027cbbff9ff3983122488b759b852d8a830d1701bcd616e48

SHA512
2b23b1eee6d11622dc8b2c4d8b3391a234754d377713b38c90957cd992a7fdefb23eb1a65d37f64ebff3fc7df8f9568419a5ad1a5896c1a68318bb7bd7c8cb0c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
08fec155258559a7164ed0e6059725d1

SHA1
98f451c22e0bdb7548e89771653226a06bdacb68

SHA256
2a04576f603095b5355cfda2c12cf67e485474b93223b25f382c9798404cc3c2

SHA512
31b952b7bf9feb90705d20aee5f11c145e4ead2edd56fe99cd94977cde8fb4608768b77408edf48d4c1da2dd75ae3950307c23a161300bd4eb3bc739e36d3437

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
bb2b92491a8153a14c95a8f0724bee4a

SHA1
535145c317efd966ef9a81b041357a411563bce8

SHA256
0a050206af228b5a473545ff57845a3013ab0782e4c41b36d2c8dddcbcb3aea9

SHA512
06afe1e6d7aca9b4d475f8095cd0e4ff9fcbeab890c790fb7a541736525dcf1c7899e5fdac38479a926aa7a349b1478a6f0df57aa4448964cdc51067f593bceb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
690c2f704f9a9b0e7475c25c80b35fb4

SHA1
9923f5d3d79a8a7d67b72d0163027f0452203182

SHA256
d98b31d6b970c9ef678db0437b6e82187281b2aafa1f17a616916f32c43823f9

SHA512
77f82f9f507746e18ee09578665664574fde995267d7eae8492a4fcc1597567afebbe1f3afa7b746b641d4a0929113e35e3dd5451e85790b4d5bba5c186dbf6a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a9aed0887690ef23a437bcfbf7f7ae8d

SHA1
bc0269c429fab4c8962130580ad478cac0c45513

SHA256
48e4418c355945802815f51cea7a5bf6f2b93184af1c99e82b10b5a8aee12dae

SHA512
9c39179d5f09496c64347d9e7c38028b54301ad72fab281a1fa4cf3031177fb1922062ec07f489be5e0e7bdc23a14bd366d4784ec5b857bd5d04429044bcef89

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cbec974c02ad199932eff8cc0a0e55f7

SHA1
ff4c740ea082af2e61f1d5f1ddbf41a7112be784

SHA256
392f2bc0e46853a58d01a305d8d262a127345da9069b3721663b172a81b38f58

SHA512
b8a3593c0a9af922f9936503d9d123f957a2e888432d2946318e8946b448a514635e10006ac1e64579953d2d012b008feda22ebae5951b7c61f9951159a6dc8a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b12a3379d6e6337eb6265fe80e7a7afb

SHA1
1d7d700d636baff7eadbb656f871928468f82da6

SHA256
8dd675e3eff1f18a6f44b02316a83d22d09b5ee14a3e8b8d0d3adf1277c80dfe

SHA512
db683fbdd9eda3f962e633c49bcc1dc1a71ddc93d267cbe9a6023b2c46953c1e0499bb7806b6e2547effc607bef74a288414a842e67f4a1d7295161010577943

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8d7993702302bf4c447f91fb43882406

SHA1
1e9f7e0e850c681c737a5614eaffc65a5456da54

SHA256
aaa86b7a6160760da83ba966e1128e5a053fbcea28267c1f14ab2248c7f89c04

SHA512
c1e042e249e0e7f22f37818a188244e775c28aa92a4e2745786939f270f4248cf0778c20718423f9e5127fbf5e4a046dad12a54689f8d93ee0b9d8c5b7d20d1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c3d10560e8a4d43832ad0e375c95636b

SHA1
e08f62e1c481ab80ef81951513c7d23ad4dae2bd

SHA256
40bf59ca491ded71b1bd92ce75dbc52bc7af1964a3e6cda383216b2925dc4ec5

SHA512
028218b9aeac29aaf328b7a3c89eb2f054fde41a2db4ed8cd004337c7c7b2381a5f247d67c0b1fe42e87a9f265a8e6e19b6692fd4e788f564426118d7f2ad091

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
0a2e3e4a8a260a45f51ae09cd93474b4

SHA1
2ccf087b72bcb49ca9ec49d4b2acc4420ce47a46

SHA256
9d1e4b8e79e4e4635c240be14d2ebd32a0d5fd2309e7d4801ad7d2d2dcd5987b

SHA512
c37e6b335184c4d61dadb20c321a08d7a01879a96a8387049da2c8a9eff8039d2062a28c75f18aa43710f7b2658c1eefe36207b1b66085dc8bd77012f14602ca

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e60ca25b299a7560bf7b6b5d261939e1

SHA1
d0ac3df99ae53033527b03f94fd3d4736c9f341c

SHA256
e741028a51e4a59f1c7f9c2467823460f95322b1ee33040e2198a04b41440269

SHA512
a88d22194f5cff1f229fb0ffc8fea565acaa03d68bd6dcfdc340c080663ca8e931b26ad8439781a4c3ee8c54e9b36c9c90b57c7d86359b2e3df7dc60c9c91dcc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2ac87ac74e4f2c63d567b5173eecee61

SHA1
7ec616ad7aec3717b75b8942216f2900b9431400

SHA256
4716bee20afba7031e2501a10c77be37937a21185f41c24b0d5d8e027080ef0c

SHA512
d547107236e13bf09a4bde8c1179890ecacc34f48f6304e917dc029e7e9767d5674b5c6d5d598a9c2502a888ea96e850151802efdd8a24296cc47fcc15e2f966

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a7ff820e2493fcbfc5d341edbb2865b1

SHA1
8ade587fd713e98f4eecb9a0f47d18b2aac80a16

SHA256
d25d5b83a0115cc7ac2fc0f83a3ff432a41be1e68ef4d2d96367aaf76a2c193b

SHA512
6d58f9c116e6aeb1cfead9c51ccab1a956a2cfe451ee17b5741e821a5e6056726ef28c0f198260b39195b2202ce28bdf8f8c632c2656e0efa840cacacc80ac4c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
256d29b63426f25ab1e49cb5312cfca3

SHA1
99122348777249ef68911aedffd462ff6031efb2

SHA256
90052b62eb5f3cd753c7a75994af6c72c44e35a8dcaa74d3497dcad90125233e

SHA512
0c7088b68f3503989aa0f8686a70e6da610d25e5225412464abe016ef1e3e300f0ff21c1a17874454ac9d71c83d41f11f9d7df6b88e7b93ad1013eb99d489af4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
07dcef5f97562eb78d2b3bf1eeed4436

SHA1
ef19db5cd955540714b563776913b518047827ad

SHA256
fabbe5a285d63f6e1e1ae8d78480339f02e7285442bb31d7a673ca6a5b7e6bb2

SHA512
d0e20e725daf8d0e7b83b5afaa344d3b393978d31ecba9a15ae2d307fe586ebcd4c72145854e780107718188e9e5c1f13e3dc5de9911d34a4a804d6fa545dc49

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
2984c608f10c391222e9089dd7aa0755

SHA1
8596e117f50722a12e6e4c268bb6194b3eac7e9d

SHA256
81226a4027c4d558e4f628f59b650b901ff54e879f4429671f062506aed4a22b

SHA512
cd2a673e9f3d7133b4870a1d5474314832803b122df78be4efc50101dbe44f91bbb162d23b10e32f2f15b6134b89d36be4868a308eb8e41605832ca7688fcd5a

Download Submit
memory/116-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/116-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/856-153-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/920-70-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/920-12-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1128-148-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1412-91-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1412-92-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1412-98-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1412-142-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1420-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-118-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-103-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1528-152-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1528-104-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/1528-109-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/1940-114-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1940-303-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2144-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2144-147-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2204-56-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2204-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2204-68-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2204-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2204-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2208-132-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2208-354-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2352-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2352-76-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2352-15-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2352-16-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2540-32-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2540-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2540-38-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2540-99-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2952-322-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-326-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-382-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-381-0x0000016958580000-0x0000016958590000-memory.dmp

Filesize
64KB

Download
memory/2952-368-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-369-0x0000016958580000-0x0000016958590000-memory.dmp

Filesize
64KB

Download
memory/2952-353-0x0000016958220000-0x0000016958230000-memory.dmp

Filesize
64KB

Download
memory/2952-352-0x0000016958220000-0x0000016958230000-memory.dmp

Filesize
64KB

Download
memory/2952-311-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-313-0x0000016957EE0000-0x0000016957EF0000-memory.dmp

Filesize
64KB

Download
memory/2952-315-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-325-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-356-0x0000016958220000-0x0000016958230000-memory.dmp

Filesize
64KB

Download
memory/2952-344-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-327-0x0000016957F00000-0x0000016957F01000-memory.dmp

Filesize
4KB

Download
memory/2952-345-0x0000016958220000-0x0000016958230000-memory.dmp

Filesize
64KB

Download
memory/2952-349-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-351-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-329-0x0000016957ED0000-0x0000016957EE0000-memory.dmp

Filesize
64KB

Download
memory/2952-330-0x0000016957F20000-0x0000016957F30000-memory.dmp

Filesize
64KB

Download
memory/2952-328-0x0000016957F20000-0x0000016957F30000-memory.dmp

Filesize
64KB

Download
memory/2980-130-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2980-87-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2980-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2980-77-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3564-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3564-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4268-134-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4268-143-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4268-355-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4288-159-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4336-122-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4412-110-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4412-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4412-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4472-0-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/4472-1-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/4472-6-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/4472-262-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/4472-53-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/4608-73-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4836-140-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4900-156-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download