003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
Size

1.8MB
MD5

e9e774c40378d02aa97ac91e949ad718
SHA1

27a82553435647983384208bcae3c57c6e52e665
SHA256

003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2
SHA512

9326fe358da4317957f981c304393630b1334bf9dfe7daf006f576d5a18a6f24fa2b28b3f60fa244e5ddd20ec28eca9d960a6bb729b2dbf921160f791ab606c2
SSDEEP

49152:qKJ0WR7AFPyyiSruXKpk3WFDL9zxnSEksDM2jh3BqS7YtGL/Als:qKlBAFPydSS6W6X9lnk6MMQS7kGLws

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4416	alg.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
888	fxssvc.exe
3048	elevation_service.exe
3456	elevation_service.exe
1508	maintenanceservice.exe
3240	msdtc.exe
2444	OSE.EXE
3140	PerceptionSimulationService.exe
5044	perfhost.exe
2928	locator.exe
5076	SensorDataService.exe
2756	snmptrap.exe
1440	spectrum.exe
4396	ssh-agent.exe
4900	TieringEngineService.exe
4588	AgentService.exe
4108	vds.exe
968	vssvc.exe
228	wbengine.exe
4032	WmiApSrv.exe
3528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\locator.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\System32\vds.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\57bdc21d7d34635.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_sk.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_uk.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdate.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_hr.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_ml.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_nl.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_tr.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_id.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_iw.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM560F.tmp\goopdateres_sw.dll	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d651142aa95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e10a5541aa95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000537da841aa95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf333d41aa95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033097441aa95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bbe2741aa95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fa2ed41aa95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee40153baa95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
3048	elevation_service.exe
3048	elevation_service.exe
3048	elevation_service.exe
3048	elevation_service.exe
3048	elevation_service.exe
3048	elevation_service.exe
3048	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4776	003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
Token: SeAuditPrivilege	888	fxssvc.exe
Token: SeRestorePrivilege	4900	TieringEngineService.exe
Token: SeManageVolumePrivilege	4900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4588	AgentService.exe
Token: SeBackupPrivilege	968	vssvc.exe
Token: SeRestorePrivilege	968	vssvc.exe
Token: SeAuditPrivilege	968	vssvc.exe
Token: SeBackupPrivilege	228	wbengine.exe
Token: SeRestorePrivilege	228	wbengine.exe
Token: SeSecurityPrivilege	228	wbengine.exe
Token: 33	3528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3528	SearchIndexer.exe
Token: SeDebugPrivilege	4960	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3048	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 5600	3528	SearchIndexer.exe	123
PID 3528 wrote to memory of 5600	3528	SearchIndexer.exe	123
PID 3528 wrote to memory of 5624	3528	SearchIndexer.exe	124
PID 3528 wrote to memory of 5624	3528	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe
"C:\Users\Admin\AppData\Local\Temp\003f13e8a53269e3bdabff2f42a782f800052a72c251ed5601688d82f8b8dbe2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1252

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dcbb1b9421ed0ce98fa14d1ff983b399

SHA1
31ec18e1109f77ef2f768a6e5c349161ae0c07c8

SHA256
c46020b07ed223d95409e54939033943ab19d1136952e3f7acc503a7884bd592

SHA512
0b72f65e81b62d347dd431808c0c8e47666fe453076f0abd14b823602ce3ad88db7c3ba8551a9d96e4cfeda0d2c27948d8694fbaf538ef9d66e73c9265556a38

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f40ec97502facc0e12466f3226bdb0f8

SHA1
aa6da68ab110e4e6530870f9c7c9fafcb407021c

SHA256
9a81ac29904cca8aa3eb833a3db444badf4c667ab848e2b1dc79f8817f86d530

SHA512
63da75cf88f0ac2587c5f706f3b5d1b2b45145f00317374dd14e02f604d3a3c22a4f79d78f59cefc90288602248105e64a0c4ed39c0de0c49d71cff1a95db0a5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
cc083ce2efcc5e003d5ee9845686f7bb

SHA1
c37e643fa64a160880978e1ecccc460fece8eff2

SHA256
e4be06d9ba4da8bda26c1891eb47f731e1c52dabb4cf0a08955009302ab4e5a6

SHA512
c22747157a8ecc70377b0c0dd4c74560b5c1c17ac4753116f426190ca31250dd87086b86a9df6bfe2566830ba7256b5483655abda2c2bdb1f6309105f9aa49c8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
86602349fa0b0aae41ea20412f85fa09

SHA1
0e239c6d8867634fa1a6aeff55dca62ea832a3a8

SHA256
950d66340d2511b0e54785ccceadff53be5371d08b627eda6e7df0472d5116eb

SHA512
3654e67e318bc4a4f696f1f963dc1ca18c0769574ba9b91f43b3ddf003772b8b88274897b39a849bd116a869cc919894f0fcb0ffbc0404c08dd21ff0a1c71ff1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9ca1567bdf888b27c72c4643e1328178

SHA1
44a54222c70b25f6e9ea6e648ec1a8754b086bc7

SHA256
505367870be7353070905a0275f0b73c681f2550b797e639e40f86adc5329dbc

SHA512
265fa6374957b5b33f4c16b49cc7722b47c67d1077369120fcfdce3b8f2f0ff002af95483350cde469c2f64402cec354368811bdaf69455db8836225de665cf6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
56081c0eac8bed9f8c49a0556321d1f2

SHA1
9d661f410d4e4e31a493ba7aae1369ce6a6cab2c

SHA256
d3ba499c5ec990c3b177294b7537059ca556fa5b56c969e2968f88dcb4273f3d

SHA512
028e2dc366aa50b1d9b416668f30e7dfac895243d3e37e5c52ab76ba8ae123969e8e06115fc937ccb2f9cff4ff21640a792cbb0dbdb2a46f6d84cba6edbb4873

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5108eb5654adf4750a055b4c997d52e9

SHA1
0044564560525a31f989f96b742e64217e8e7c93

SHA256
96d1eca9faae952ab4c418702679052629379ae4e8e1a0c90c453b67a8d54c84

SHA512
4339628092c7284cacd95e9cdd7748bdc70818ad05bec7630fb84da44fcac613df13a5a0c2f715a35ed29314ee5e3be8d1cc245a04e0c39bb66f60f149f97cf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b364b84d2a70b8344ceb68a24459ca3d

SHA1
0b1de6612df14833ba3d94e5e33df9521ee428ec

SHA256
2cd3c4bdcdacf835f768d85e92a420efae587a1809d8576f111fbe16b12414ec

SHA512
ce5766551c6bddc84fd202728c889dc6ef14a52f34774c031432bf0a84f4a4786bc6d588711628ece853a1899901a0acaaa753eea52a66c7fa3021bcf6c4e4a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d29419c67500b574d04b59fa1859c4d1

SHA1
2627968de39c944de6f71ae67504ca7fea48e8c7

SHA256
98f83fea36f7fc689fe568437dfa5b3361ef6942892d62ee4a25a92f0bcff415

SHA512
e5edea95319ee4fdef3dc40000f236d1e50a53cc3ba498d3ed6c7393eed433a6efc02275715e276aac280299789bdd4766818d617c7a7f410f26bdaa46a83207

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
84b72245faafc413027e85844e79bb4f

SHA1
c38cbffa8e7fbc64915124dc10d5ddeaa74fea5e

SHA256
b18d5a53666391c77d189d9e9c4467976ce88272f5e573b5ad5d1920835b7905

SHA512
790c95a306fc2509a778c8a5b353ffc6f7de6ac452a9661b6889a2a5a4d038dca83ee7d9f411af09d4195e2718a78853c3fab472690a7e450db01b595de7e5b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
199feac2b42a036c07acd315d5d55ce2

SHA1
14da2b5fafebf396ac83874821b377a27289c55c

SHA256
d69fd39811cd07e88dd0fe71a74e9e47fe9bd4e98b4bc74907e5d606e62e282d

SHA512
148681cfe8074d6f9e18c81fca0ad82a1ba2a10b9fdea4963a58f04422978db4f4da062960f961df29153ed7c0937603e3959d584238f3e3108a6420d0075562

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
69bb65f099a4a286ee9289c288ee21d6

SHA1
f82a610dde63cc8a2efc97291cb5d7299f6f225b

SHA256
e303b4747d51e6e7f3b8c9461c8aaca3a777e840eb6eb3b8e485d31d196b0f42

SHA512
edf7065df78a176f261cda43beb7ea16db9fcab4a058dda7e463a0c5a8dea3bc43559cf222ab74a034401d0287878c171b5eebc75d6a2e5968cdecd4afb8585f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9d7ef604f621a057b94c11015d207a76

SHA1
c70147cd5acdb9eb52bf9f0bc7838b2651708e9f

SHA256
dd904a978a9c45eb6834233fb82b6ab470870653e8cdd480e81474caa51beff8

SHA512
c604990182125fd9bc59e7845b5c83c2c61605ac2becf79c332f2558e1c05571ffa9045676a99b775cd1e4f17efcbec34444cddccaa0cb141ee3444cb788ac9f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
ae3f9b490b08cdda2d91cf2a0e5fbb42

SHA1
c39117150a9ffb69f3ea4449e8ccc9966e9f17e7

SHA256
7827a19eb0ae45e49c2390e9361d8a96c54225854606c4cc11cc548993ddbad9

SHA512
6c8f71de7130ae43f8b97efa1c9d4c0c278244675a675ca288510b83337fb876794f0c10825a2e01626cb7a2494e0f5e8999f9b3d398f319d6f1ba4641d4425a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
75bb13e773becc723118af94f0513b71

SHA1
bcbefacb4d07d8ddd910eba9d69f0747cef5a107

SHA256
12a1b718f79ff5d32617f6df5842f946d56aeecf6a3ad02d32187779286dc441

SHA512
5e79e3c8d15a45164ad9b6cb97bac3346c1e77a6b554b3601536f03851d66bf9ee3248879ff15362192412f892536237d535a4e9dc369d40309e15b095e454ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9b9eca80fb6c5a689fdd21c6f23d0111

SHA1
35720690312f013ba1f95ffe629eb0002202a9df

SHA256
00f2a1dbfb2db626fa02bf5aa1a7f2ffe1704458a74d29638dc962631cfe9e80

SHA512
2f644bc83746e6bdde21c21d43845a95ce64d8c2d88589d3c2721c760fda43bec4b201f35445f27e2cc410dfc71156be8f4182d870eda29f4093877b6fcc3a18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0c20c803af6c8789c453e698ae5ffe91

SHA1
211a6209ecb87f565a1a963770a6fd3328399799

SHA256
219773a75f6190d011971583c891840afec44827adaadf05a06fabc5503b1e8d

SHA512
2e3c96f1bbec8695e09d01ed556eba5d678015086803734ebcf84eb40f244b909869cb48b5ffcd8f60887b6edb5e7be9c08587f291512445fae43e231d859908

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ac07f08c92b052a89a0d256559ca994e

SHA1
d856d9030f2ef5960e217d30242cad047ebfd190

SHA256
2a6b336d26be48852992830481803dfba8d8d300833246edf1ad8970925f8231

SHA512
7fc3e10b5da112138e7a08260378b8d4ae22917bc2e1f756ed653fe477857401040285f6a29d7919a9c3e01a2d2beefbc13cc99fe316fb54176d2879bcc3b46a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4c23dc9b11e86798b7317e49ddea73cc

SHA1
91f841677735426476e56c92f9a84f1dd732193c

SHA256
6ca2b583c6815def20f415456acd9971d0c2bb5042ef374473dde09167e7473e

SHA512
e196a0d46fa3fd5dd978793f54bf40c1829a6002f6f5281a1f1d9ba23d5ae4009d0258ec5c63914e8eb8acc37f8d815d0fa8b1d877a1376f68440834de5d23f8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0c4d70d208990fdd10e60a161f47987c

SHA1
0fcd9c4629d5318a6220364c5835ab1accfe6f19

SHA256
f71ddf35a47675d94f7d446645624731df31791e0e83885031c42ac331b2c4f6

SHA512
f1d7ad4bc3494642582bef9ab165273ba7ce1d563c39a778d1c94052547693b6166541351f53ab782290e52577b4bf58318d3b03ffe5b2cca22f5793e7d799b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
133e0e9ba94d8d2223f15e3f07ce358c

SHA1
e0adef7da448164f6ed99e2b664db03fc9b77f97

SHA256
b92711116de32a5aca5595ce89db53c727a1d7a1efb4d3c6360c420a0c8e7363

SHA512
b92f40f6d1c6295d9617e0c38ebfba0a841d74f86ca66a3c7b8a3edf41e231843dd07ecbc2f084de9fe56e1d6cec609fb9e22be5dd939bfcbb84583b3379f9e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0a531c007390c7590bcc3310aec5e89f

SHA1
c8ce044503bf7da27d624d438ff79e2f33f18a34

SHA256
6e3259d344501c4ed042f030970a282bfa301a0d2f9871cd97ca560f05d925af

SHA512
c6e598a5d9896f3738c4eace01af14fb43c73fdd6152b8365ee2bab44bd8bc740fd7ae2eec83e36e3ed2d8d4212feac7563cfefc7ff87241335346691f378bc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
3f8d09adfa3c1da858b1ec87f7a6fb4f

SHA1
a16a9ae6ecf3fb46c58c681ce81d6a200ba7c47b

SHA256
538c62f796d3efcc981b8bac1f3c9fa83ec6ab75ab63df5b536d73a9ac4f2d46

SHA512
ad97985c299672f45dfff863ce5299a290f25124f8c61a28c78bab62c8906b0afaddf59494bb2a1222c011b496b435acce04789841f2b5f05c76c9d84db2f974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
82bace77a1bebd5c23064689cb602819

SHA1
a39c621857b3b3b37d3802bb2dfd2a279d50d423

SHA256
506116efb0c9527f1bdb34f69a07240345edd0abe08efce70f610b9e4762fd8c

SHA512
d4156b410ebe72ec2d3e6095cd729234689b76a8b0f098a35555f409e4efc23be2a95875c35d90070714ddb7f43edee99d32dfdc3920454302deb94a796f391a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
40322da1d123123d8f2a87a324b37904

SHA1
6104e1424c0547f8b1a80ebd135c7bbf913de789

SHA256
ad6a45db8bea4e6d65191a7dadcdf73c91c19495f2168f4b11a246f9e2f89803

SHA512
eb77ae5a28ce59d138169791d5483c0e190c2fd88a80bfb4c944f5630bc83132cbc02f8116fa651eb42da212f17779652e0be785988bc48aba36194ba4a74a40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
682eb8733627133075b3541fafe1421a

SHA1
f90165d0b1668fcb8989eb0e16c891398b06dede

SHA256
a3dc008588fa19abc3289d0c4755ef05213dc60f4065aab7f83211e74b3c81ee

SHA512
beb3729c5dd4a630ba2eaafaa5271c8b16404d71aa1e1d1f7f5b45e462c85ab7fda64cb696dc0ac13f12e53635cc855fab46c6637bb53d93deb4d4c87fc6cced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
31595dcaa1ee2d82c0a5f8c8b0608cd7

SHA1
15002ea71d7dd9f2b85709f9682f95b6f70bfb33

SHA256
469692abcd78455662e150660a309e6050481539d5259c8d60462a2f38cb6bbd

SHA512
a3c1d302283439c300b47b5f71c5b18974f0b4ac2d7ed8898109897fd9896bb8d9546c184f7d6f0397373ebc18474b2e6f93564bfd051d6e4776443da9bbf661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
78cd7250720653efccc0fabc2b4f74f4

SHA1
77703f1564dd0c5d5afa03744c5ff3efe415af4d

SHA256
beff3259d1ac549a3b13fc526aaf4d4e791f18fb9486157e6fae6abb854d5843

SHA512
054962f077adb4c4a042a23935fd79e7af7c225969fd511f2a764df9aa1afe2004263ee5cae40b2437a68bd9fc0c7372ac158feee6462985c6bc463437a69c6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8b84b08ce244f2e38ad9b0f4a54bc7ee

SHA1
83d4fd2d1b4d1ffe5a5b5bff31702e336587952b

SHA256
6d74daee52bc004fbda88ef4fa5a72a9c7ee14445f9ee68fed2c3f3f015eecc2

SHA512
10566e6cf50c9184c5aacb6da71a537f3366abb56a589a22d86c9839acb55833d8448847b115e6e5c7df323f9be1b1b53c1443b7f0e8e89087ebd8bd7ab9d127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b8531e571971935909a10a88a60aac7b

SHA1
8b52d12c0f1db46674204d98ffc92880dcac061c

SHA256
6301c9b158893d61c18b7c5f77092c2864444995cb4802ea59c8035d76cb04b7

SHA512
dd0be04c334d393776a273de3020cad0aa95798742b0aaabca3ca2f42d39529deb960eafa635f64c2c51970893d31b03a36779a0b80c055dd855accb558ea448

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
bbddb4a013ee574fee46f73745d83a3e

SHA1
1e6245486dfed79d441744f5c8bfcd5772b29db4

SHA256
4b732e074ae8fbab1b52b0a12583d9846c3643f813426d29bf4f85a6e95566ab

SHA512
cc6f720b5e48f8385c7905aeed524885a170f0d8da2605b5dad77f31f722204ae0189d79687746f18d82143a709316250fc8ca06617b6f71fa3e7da7b2b1aa1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9c8893c105ca374eb5c0f21b37c878ad

SHA1
e459d459d8b3e7931d93dd9f0adbb88bbf8f78f2

SHA256
bc9caf4ec1e96f00474e847f87accf15cc4cc7a3e1bda35fe51b89952833fe46

SHA512
4489191ab9761ad2738d668c5245dc06f862aefb008eb2ddd6e109024d94b80157b08c75b922a7a82d0d7941a77bec79e8ddeae558d642541bdbcfa6ff84867f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
782d4abe99994a174eb0db21fdf4bfa7

SHA1
fab97b058b1fc472848c9feecf5ce0f73e0a30c7

SHA256
dbf4ddbe08a5e267cfb2915b7496803f2d9db1468d2f33fc7d8b7e68441dae2c

SHA512
483091a83b8d442a8f88f9c1a26ac6a2bae1e7edfe89fa9b3e754f180a8dbe48a4303ae811e231d5e920c9daeb812be3ddd3a1dc182471a831dd3a8e51a66aab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5a9f9b187af4923ee7fccde500ebb305

SHA1
3d727239061f212ccac18705af56850a803af780

SHA256
584813805c5b68a73b218c69b75ca420ac545a2646faf1a7cabb05e3b1192704

SHA512
2ae9ead9718d1746c634451946583be2afceae9bbbefcc342a5e0d51fa71faf1a0cea92aa9e971522515def05bee93017e304548514f4ce555fc9641ed3eabd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
9864efbcf57700ac0eee516bb145f8d0

SHA1
f9f7f69e4155d8b911a3ad721015401243ce0f07

SHA256
623951b560fb8d213fc047daf4868022fe57dcce11f3dcc03d89dca5c1476ff4

SHA512
5689d0b1cde2e8b6714cb56c59887e8420d89e11a6c767cde96521637c732ca662d7ccd30ef4c9183beecf3cf4be8977dc4f4587660e18eb7f8e49d99bdc5b49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
30ab07ec7d279259ff36e19010fad4f6

SHA1
0d3b5b962c3d0cdb849e860600fcf67a15dc1da4

SHA256
427a74b6baece7bdd84b270215bf4958ad0f2b968e90acdf998dfe37f2651ba8

SHA512
cfdd933cacf53efec9db2b6b691c791ef775bd4f6396f72726592bdbd83ab5443d1ee72c60c13d6a56e1c06ef83cfc085d25a406d142be1845e450cfd9d38718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
bbfbae4e058d8c9947246337da2176da

SHA1
17e339ba634a5360ac09e7a789713bde376f10b3

SHA256
b051cf0e50083274473cfa8fca6c58af361af2a034a66f554c32fbc9d0617c7e

SHA512
a3c2dab708be88d1bf3131284cdbd9f1540ffc34cd341ee72b3628b9599f94c646df0488e4619fa018e9326d8baee19f01fafd4e3844a2a069918083f6dae25e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3c27a270a84a71b80811c0b06de43b25

SHA1
5d5ac90a5641d44196fd6969e4b2c3ba5a3b7475

SHA256
e5ed02781cacd85a01a8893840896d0c65a6556454b68a6384dfbd4335c96961

SHA512
3275193dc050cd5cd7e54ed00200ee0cf4a07be2caa1f81bfe475a6b5cc9c660145d1e9af267753b073d97a423f4b866de2be0056d2f306300c360cb5086495c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
12f56a8e8c806531802b17541e8832af

SHA1
5c52ad893ac726e9ef1706bed2c1975546173b7f

SHA256
ce06c8c5b92dd57ed61fcbf7567e51cb18a3dd8b53c70c72cc22114511ac33ac

SHA512
d19da36424077758037697d892f69c180ce995bd85b76f61723fdcaeed76c6e672149a0b6a53f4d0e66115b4cebf548ebf6febd9c24a107cba4b974c4c62851b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0b316434486cb0b6b70399c836dcf0bf

SHA1
ab9960700eae300e9e671896988fe57e0235fbed

SHA256
5c9503db9c6ab65821d75f142e3d2084a87512d451af9537f3cc0e8014e37d0e

SHA512
bc05eceb4ca69325b4cad911b58cfae3d04c4cdaccf97a9bb915ca82762758f162d0d0e58d417a76d06f5cb21a14e9cdea18f6e8d3b7b6a3a05093b9377e6913

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6e5cde31dea88a02ba2c7374642857be

SHA1
811e68af2cb4f1211f9683ebfcfd297ad8c0bd09

SHA256
37b9ff75deae33f076132ad261dbf2c71f3ec5ecabf282efe04511ab3553bd72

SHA512
d5780377da2ce64c3753846e16bbf8d9289fcaf5c718034f05895e1e001cc5ee090eb613e20ac33decbcea9fd6d358f049d5bb6f423190d9e24f9e4d5df243f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ed8765b1f5795e67f7092b03347a1fdc

SHA1
f3a1643fa301893cff31afa2034129fefd09a080

SHA256
0eea43e759d52677d77d08c58f033bfd7bc8a796d2d8aa70968cb3190828ce7a

SHA512
49682e534ea564b6064fc68ad547b62f62c0e0ef64bd26420a6232ec685099276ac597ce326d0c902dc662a4b9f98528c6cc6bfa45f9e3428c6edf22b5fb9dba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4440b77c381ba7bdf3bc82a19eaad0d1

SHA1
4dcb038b07231b96e847fefd502099929aefcc9b

SHA256
4d7e943756c63f1ddc9e7eec90f2458b35f163a8e36bed9b5bfe4afdcfffa8a4

SHA512
b24425c52407d49cb3f5ed73081dd9efd19c11822d86436d6b891dd49815f00125976c6b549b44732542bf4169c4c822b82865571363ea073aa36161ee6a88fd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9baf3d43198bece4816316c4fe436b23

SHA1
c9024efc913800b15d30e94552670d9a0f6a981d

SHA256
0fe1d4af270f821766b814986773e5030c7fe7ee3227c9a218af96711f3ca53f

SHA512
7dae51fe1016d761efa90afed85993365a1f3942240f0af86dcd864e6ca44058b16cbc03c5fcda3fdd422aba12eb02bded4666551b6db0fd5a0fd495fec38250

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9ae34942e25830eac5388256f9e2d6bf

SHA1
a38c026d2b300b129f0d7bce1a332063fe7fba45

SHA256
9db5c2c2b27124997312b81a10f6890df25e639441a35960567dbef8d331f38f

SHA512
42260d704c9be9f53aad73898574ef8ca21ec17f652122faa47d65add0722ce1875fe1c54ce7e0fbe4f3b2977eb2c1c8f037e31f26fdcc4b66eac6306b7a9c5d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ad01c4b7f0765c05b473d49f5604721c

SHA1
1ffaccf6a58d4a08c4ecb8654de4da875f629ec0

SHA256
29fac52919dc8b9efc5cd5025640a04f5c5aecff37b8a2a395550007628416d0

SHA512
63ed2f53e776ff4f9dd62b06203d6152a3224e848db9be0624d9dab7563c07865ebfee793a155f91a8b7a79a483cd3c65d1057318adaeddfbade6cdba845c881

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1e722fef8cef9dcee28cd5f8af46c202

SHA1
60ea7befb139f49affc6e176b6fe4b0267bb5bbc

SHA256
b1db2fe4dbc1e83a511149e0fc89fd1e2ce9d80da91fdac10f28d689e845706c

SHA512
169d5b0001a52b22f933705f5fc48d9ec47980084bb5accc15486d3a322dc3d8d58f6fab89f809b3b8571c909397ffcc6c2edb9f74b5206052199a6b87e4d446

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8fe63cbdffa835fb676bfce86b551325

SHA1
894bffecd00a3e1b5a626f7ecf92cb62c9df3210

SHA256
31a7e33a378521440ed0b2be7754fefc5907f607d6f63739a1440ce0e8d0551c

SHA512
6c484f2fb29f85d3ac53e309516426517d38ef32dd09f9f24d13f3fb1e30dc6238f2e5da0b0e56cbda0d481178a759207e71bb1d4d7e907e984d06cb6bdd87ed

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f8ad3a96744ea242e31e1f00244b3c57

SHA1
fb2bd0cc06af89425f50059adcdd478fdb6789ec

SHA256
ebb9188d5b86d3eccd06f4850b4287b53c5216062781aa3cf401edd63effd6fa

SHA512
5bac1e851a3ea98ef9b687b9893d12b3208dc3f0db55c2b1e34bd9360ba3b8e54afaf12cd28ee60fc5b28a99460772247b5785352739d7def02ecc59739dfe07

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9e2da8b5857a7c18338991c47c197c8d

SHA1
6c7b51bfa054841f0d212c9e1518e3ba368adea4

SHA256
47e1e0d02e995cb4f02fd9ceab6ad5d486e3707bb26b6a972154ecd57338f4ff

SHA512
7536ebce5fa7921a8a27c109777d863a7d03876df41ee174d61d42d26c51e74e7a5fefa08768dcb79742f43600aeeb59e36f88be4e9c4a4efb17390fba353a1a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
619a2409f32a4e06046272060e97e07e

SHA1
c942af04ee8b8e6eb17fdb444d3a169003195d91

SHA256
6e540dde4cc73bcb84774cb3b1daa4b9cc90a30bd49e5533f05c59adf0cd3cfd

SHA512
4fdb8e8dc029036d26ea145fdca2ce82484783128e5f70d92b2dcea5dd355dad17550003effbcc9c8e609185b8ae544a12b4ce246cecf47b174596ce06cb232b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d5b3d58df9f98563b953b2592ca5fdb8

SHA1
0a5b6554df060b1aed2e42b842d4a61074cb9b09

SHA256
2bcfa4f15ee7a86ef8bbbc915b0c568359f6eef48e368bd42beb74e6b4f6bd1a

SHA512
45ab7bf728c9988a547afb3582ebf9d6f957bcc863ac0c2f162aa10ae267911fdf4d345e34bcf80e89d00275f1f635c71344a46d9bd727409bc8bffba4940c28

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
36c78761e586d3c330509e712de5f44a

SHA1
8036504f82c5125406325452271888c45aefad07

SHA256
3e643d63698ae62deaed142eb77a5370fd1f99a1e010aeaed007fcb278f40064

SHA512
08c8588a10c1f8d6425cb3c559527c706c809d3da677d71b2e4b1ff8369fa3af706ce43a8e0f5950f7a69a4d16b5a84a0459fff538c0160f8aefd7ff116e3465

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2ee4b159cd89b1d734757511f7c94d97

SHA1
b1505cc2dab3aa8812bf97939702a73e46a6e5fc

SHA256
648659cfb9acbcd5f70d3fb964bc5a2ca1850c8b5679d5104ff8aac796614198

SHA512
459ba76d56e71ddb94a62d3e787669e61efa279907874385ea646cf9d436361362ef8b6f93b00c5c40408b4ee05c6cf0166e38633ccb099069a210b1594e578b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c11aa860068d693699a597e78b92a94f

SHA1
7137aaa4e55f5d9217672d7971d16e3d7be64da6

SHA256
7662c813d5d7a33b666bf06e38ebb774e12d73279f6aeb7b67b68d2e25319a49

SHA512
97da8706d0362aeb0790a749cd8d083a064ac77e266aea56f9853548b5359eb5ef94d052b880d6f0473c0875faf04e308ca8803ae29c2785837356cd7ac27964

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
404a38abf631a8fe9c12ade9a202b818

SHA1
6f1ba839baacf72df6fbbd70a0ff32f655d6bf35

SHA256
790f1f96b37d647e4c07bf3c58040e3742a1c323f950d4e1f35675b93c812aab

SHA512
9949dc83d5cfa0b34401bd2c5f2c6bd4994ed2df1c3db24e43f3bf252d8501e6ba070c23672773ea54d043a4168c18dcc44f8dcc8e093ef3c0d241496a96a482

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7dd45ac56cd81c043c9cc11a74d7abde

SHA1
30b1576789f9011e73be55943c90c2f6c712c2c0

SHA256
1cd772bc11c092da6212fd47cf6586d41fe3d24d5fcf030fe94b97bec47b87b7

SHA512
6476a4d153f218e9c10a6a6d1ac2e0653e52e4ecdef76fefa981274f412817180d2ab2a4d89efef36650e76dfc6d72bf2d7dc27492c1dc20ed630b944245ab0c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
83a1db64bd9cfa84306556205b8a5a51

SHA1
351c88df14f20a83542ede8b0123f6febbc0f230

SHA256
a1e120d64afc2323ecbb267eeb7a38d9140817e69fefb5f7e20d9ddef2289e54

SHA512
9a4b7a0dfdf2930f3628ce15854ba2c77fbcc992be4a0ba86ff75b62029211c72918e799b4d865897174b044071538147d4d106fd5a643ea8098abdc1507ffd1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
35b6b51716151226c94bc2f57cae9498

SHA1
bc1d9d2ad5be11d07f8bc9d81de84b701c8d10d4

SHA256
0bec53f3f71c8431ffaf9c6f829398959a748c7f3c064ae2cf20be945d0b28cd

SHA512
1b628da3e4c2a836303c80dfef2562ad2b0c278d5342bc10bdb476efb20ab9bc0d53ec1a767bbc8fb93d5a7f3b4e6848ec6408f954c57dd18a4ebee1fbdbf590

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5e551bfb84eee806f8ef1f11ae68cd4e

SHA1
9c94345f79ed74497ff82b775d1fd54249f68e73

SHA256
1d08f18b42e52bb59fadc20ea54f15910b12622c578a5eee801ea389c9768a81

SHA512
9c0ca1b9a5d660a4942daabe47312a87a12af46d17b05a799cb63df4466d675356f8563dc6dee25667e18d2dd05a23006d73f0265e21275c52438dd017ffa2bb

Download Submit
memory/228-237-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/228-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/888-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/968-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/968-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1440-204-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1440-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1440-195-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1508-137-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1508-134-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1508-123-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1508-131-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1508-125-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2444-150-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2444-203-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2444-156-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2444-148-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2756-240-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2756-191-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2928-232-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2928-183-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3048-107-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3048-99-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3048-169-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3048-100-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3140-161-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3140-160-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3140-167-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3140-217-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3240-140-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3240-193-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3456-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3456-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3456-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3456-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3528-590-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3528-246-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4032-581-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4032-241-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4108-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4108-557-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4396-218-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4396-208-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4396-555-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4416-139-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4416-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4588-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4588-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4776-1-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/4776-440-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4776-122-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4776-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4776-6-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/4900-221-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4900-556-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4960-90-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4960-85-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4960-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4960-147-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5044-224-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5044-173-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5044-172-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/5044-178-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/5076-236-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5076-554-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5076-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5624-591-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-579-0x0000013C24CD0000-0x0000013C24CD1000-memory.dmp

Filesize
4KB

Download
memory/5624-580-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-568-0x0000013C24CD0000-0x0000013C24CE0000-memory.dmp

Filesize
64KB

Download
memory/5624-561-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-567-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-602-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-609-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-610-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-613-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download
memory/5624-620-0x0000013C24CA0000-0x0000013C24CB0000-memory.dmp

Filesize
64KB

Download