89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
Size

1.8MB
MD5

f253d2b94903205c8bddf99ba9b5292d
SHA1

f53dbd5d76e7474d8350d26c10b49b1cef9883bb
SHA256

89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836
SHA512

32dd456034a6d30e854d1a793f34e1f0d1b8a0ba732766a6e69beb14e8d92fecc47bb1538118e07a7e83eb232253993ba645ca8a2d0d040f10474c730f88fb1a
SSDEEP

49152:xx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAdaB0zj0yjoB2:xvbjVkjjCAzJFB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3688	alg.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
3520	fxssvc.exe
3460	elevation_service.exe
4780	elevation_service.exe
4592	maintenanceservice.exe
2460	msdtc.exe
1768	OSE.EXE
620	PerceptionSimulationService.exe
4396	perfhost.exe
424	locator.exe
4340	SensorDataService.exe
2764	snmptrap.exe
3648	spectrum.exe
5008	ssh-agent.exe
4068	TieringEngineService.exe
4724	AgentService.exe
4652	vds.exe
2392	vssvc.exe
2300	wbengine.exe
4492	WmiApSrv.exe
3172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\spectrum.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\vssvc.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\wbengine.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\msiexec.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a71739ed590e271.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\AgentService.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\System32\vds.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_pt-BR.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_sl.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_ar.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_nl.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_is.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_sw.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\GoogleUpdate.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT69B7.tmp	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_de.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM69B6.tmp\goopdateres_ca.dll	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075ea29012399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3f5d7012399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd1896002399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d44e6012399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000260cad012399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ba29f002399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe
1296	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4564	89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
Token: SeAuditPrivilege	3520	fxssvc.exe
Token: SeRestorePrivilege	4068	TieringEngineService.exe
Token: SeManageVolumePrivilege	4068	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4724	AgentService.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	2300	wbengine.exe
Token: SeRestorePrivilege	2300	wbengine.exe
Token: SeSecurityPrivilege	2300	wbengine.exe
Token: 33	3172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeDebugPrivilege	3688	alg.exe
Token: SeDebugPrivilege	3688	alg.exe
Token: SeDebugPrivilege	3688	alg.exe
Token: SeDebugPrivilege	1296	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3172 wrote to memory of 2848	3172	SearchIndexer.exe	SearchProtocolHost.exe
PID 3172 wrote to memory of 2848	3172	SearchIndexer.exe	SearchProtocolHost.exe
PID 3172 wrote to memory of 4064	3172	SearchIndexer.exe	SearchFilterHost.exe
PID 3172 wrote to memory of 4064	3172	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe
"C:\Users\Admin\AppData\Local\Temp\89403b1c46bb91340b7b10012a6f985502fce3cb26ce471b4a6f493c73c0f836.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4596

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3648

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4600

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2848

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
20f247de845d16ade982c138e287639d

SHA1
09131c8dd328715884696a3f3707da585f0d866a

SHA256
a65d8e69ddd514ccb23864eb19c9a6559076232f753c73bee8ee1bc29c01b498

SHA512
23067827ff45845ff694f634a966faca7c6f949c473ee01d6336cbecbbb209be87f6a109f8e949dccdf4253ea6cea5052e1ff134bb1bfa06a75350dadc5629af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
f7438e175ac33ca9b852daafcb0f57b9

SHA1
52dc5da90dc4b9a3848f9d1cd72a522d834f1995

SHA256
06dd67b00f8e920a4977c714d6e939d68249e9b35896cd64790fd35d2229e27f

SHA512
f2e0e8e83b02c2e1478b02faf7c7d9b30571dd9f73e092d9798be64fedb897ad23d2927c2eb34589cdc04c89865c1c869fc7e88fa0eeb51cec34f5da27152004

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
38e3f52e6e04ec173e10e861bb90ccac

SHA1
42dea2e10ab887d1fd4e7185791d3a057ccb7c83

SHA256
b507e24ba94f7687596812d0895e2948b432b4dae5473ed86c64968217c71d02

SHA512
6895d788c4e658856aa88c2d7fdc210f7342e55fe818b297dbc5950cf4fd7848ee688f9197896fa6779859a2439bcccc5aa4ae1afbc9b217d0ca0ef807c85908

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8f2235276295bb8b5444c90c76a7f322

SHA1
0f3641c736017623512bb852198a69e427fe70f5

SHA256
0567281e6d79a17775eecbcd97511dcafd10cbab2453227fc90d642d0101bb1d

SHA512
ed7401c8ecc1646e1f72b2e4c1a576b0fca5075ec56e24168747b7fdb4141fd622d94c2be7e027cbd20a8dec1f91bdac85818e6c30a27018291032dd35605648

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f4a9f74945892a8d408173224a25d3fa

SHA1
9507a8bff6cbaa77baf6c7462495258ca183d653

SHA256
d835437e01caf65bc014d07d26286be23116d543728dac41149e7ced773c1510

SHA512
150cec28cc34554f1e13e1b4633e7979d39ac95258a25d7c23a65f7a0c696f4d243e1c9bbfac189c91605ae35a8ce2b36ceefa6a8c34defe7825dcccf13b9ac3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
0a515b2bd05115962e9c7fdd81dae5fe

SHA1
59ca621d3c7bf57e69a60c79e2e1ebac731dcecb

SHA256
02d6a1ade8d78f2b118b3675d47fea671cce569ba59dd8aac5db6c73cf23520d

SHA512
d8bc0de62ded7947fff84fa8ceab051562ef0e86b760831358f6977e1bd3344f28d772821ca4593b165dacf88d006d8994f1c435960be92afc88985b9bfe5856

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
bebd0bc77634884b7c7398d0f88acf52

SHA1
85961b9eec9cbd95a0228b5986b3f559db48563b

SHA256
4b277f7540a76c7c97f1186de383a35cae1e091ed12b951dab4c52a07e8857cf

SHA512
86bb2b415eb5fc1ef3fe8e70425afa1e401a4be2b3b8facf2343a627d08dc586f8335401deb6ffdd1e82996395e9eda72dd47c956ea4dc95a8407890e0f5d497

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
84319e90de4d0d298f65e20690f48dc4

SHA1
34dada5a9e3d86d62e4d65aca564f0945ee41f45

SHA256
386c0951b6bb43788cea4d76e1f1f36bedf4e8de0f0c58a3f2b68536438ea061

SHA512
471f90e6b92a318db1a39ce7ca4b442664a5b9ccb35d8c8f34a884f5b8dffa139336052b5836e676a58cb266bc954ad673e36c5cd899b7c1c4c02eef6fc9a841

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
c0d55a123c2ad07bd90747ea7f3d796b

SHA1
3e7ec5c2c2d34339e8a2b48463673b8245ea8efb

SHA256
faffc4feddce48aefd24738079b0f1426b638089ae3cff655e87606b46b82af5

SHA512
41806db71acd37d91d8773fda5c96d1b21f3a1e8474eca981db3b27e8e60721f9202a7b252baf8e5ea09e114f004d885b5ea32b12a664b81b16ed55864f64dd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
71c25a87265beca8ef2a4befbdbaf65c

SHA1
ffd8772f7442b3ee88d0158f539dcb581511a2ad

SHA256
d3e718d6f3cdf65e77e3e8edae49fc27fd3d0bb7716501a17adc48d0e1347b91

SHA512
5a063547593b315bb32200236b28e37c94ef9ad404e958daf63fe12030f91c4bc2881603e44c771de937150c6b3a4ac643c3d2ee330d412a95b25a84c5fc110b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
cb8503ce7f9bc0b5c20a261baeaef5e0

SHA1
f2c3fd923e6ee3215cbcaf838578ef8884659a5f

SHA256
d7215ff92fa7142dad964a347d7d1b03523f31bf974ea26010880a7bb8b1d59f

SHA512
f32fc23e91912941133cf0d55d28138593f0be5813fed04ac620817f75e0b36255895890f85bae5913bb330c396e8d8ae42af8362f585a14e9d8b352fb852a5a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
45397999cec2cb34a08708d72ab2f788

SHA1
deaa70e041126878dff2478675627cb31e26a260

SHA256
d26ab300770679002f76d420b49da532ccc2cdf79cbd6c97d17cd55c232b0de8

SHA512
f4e475613bb670ec6ecdae73971d340e33cc7f1ed70cb26cf87fa6c18c786360d453e1810c237687cc1eba674e4cc7ae133099010fffbadcdae1107248ac36d8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
1310b7ebf883dd89ab923f5902d6ca61

SHA1
a02d938b42407e188f50367182cb77c11c40c77b

SHA256
8e077299ec3d70e00507b5524ad5ac0b86f989950af0fa1303b29e1c20263669

SHA512
0eb7b417a79a2a3ea61053b1c35f13e6ac5b43364c619f1a5bc6be9dd4a8db4bfd57884d439f2ea53573e8dddcbeedadc57e9aa51c9e880e8f154b44ce23fe46

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
f2fc90f30142eb74d5cb221d493a6190

SHA1
1ab85964d12fa8f3b0538a815f691a15916e999a

SHA256
9696991d52b125d844d86952dc4d2ada906bb21082e13e112bb7ab457f83e105

SHA512
a14ba5dc8479d4a272119e6da8d1d3b2f24319aea659e164e78761f921cab1e1e9eb7d7f4bc58a2b0cc3da881333af059771d23aa4f6df1b060244f2dae7ced9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
66f296aa5a21e11e1acfa7a6760fa727

SHA1
7c790206a1756d7fd6ef8012bbdda1fa6b615faa

SHA256
b9b007eafe163206b8acd7abecbde2edfed0bcc47dc9b5bccddbc505d7a6c39c

SHA512
7da3c25b6e10c2d37ef43a81b6d825b1b55844177ab32e95dff49d0187bcdee7f86ac064ee211b4a3f1a28b342421e5857f894186022d93ba29afa75ef43caee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
09cc187bcff9072b52a3688c2330b067

SHA1
a3db6d2dfee2766a69531c56c847f8e8e1fdaaa0

SHA256
498c32561dc9f2089fb56ed6b4dcdcbf4df476c86bc8a48e318991619fab0e73

SHA512
5a544830683ee7df5c044fb5ae4f4d4030e2d82017702a50fdef76b9a331070d62f8e74afa3354680ce256b0efc13f583346e3277d293f56b2c36837ad5a6179

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
7b136726475ffa11bb1cdef460c51f1e

SHA1
188a3e59a56b8b06bb1d66ce9a5a15af6b4f7ea4

SHA256
22f94fcfa70f87c9135f31fc0d00b1452d48af6049f6063dfdf42164cdbba4f4

SHA512
6f56125e1b40f8a76608509011d1a43a7b159b1a6ed7afb31febec5b88b086d936244bbb7d4e9f965c3c937c21950f7f269f7b693d1e87e08cbab82db6cce8e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
bd8cc39ce2cd09feb223bbd29c30892d

SHA1
5dab3d8d087becdddf6ece75841c5be8837cb6a9

SHA256
094457dbb01fff49f9483004dd5822daa7626825bf64f53aa022245c0693c770

SHA512
7013b9a1a04485cd7f0ccaf9d89f1bf2b1464fb2f969e4b7ba2b987b1862bad9587a6be6297d2bcf291d1c9d3ca6b8c5fff20d8eb1a782779f876df39fcdd837

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6e60c3a6e4ef5a689c63bbacbeb1743b

SHA1
8c0c829f2cb0194966bc18581f4c6334ba16590b

SHA256
a21dea99365600ee865625b047cafb876ecca33c273e223d32061db02578a3cb

SHA512
50ca401e9e07b157882d90e4c133398b25d0236b805f353ddd77040ad62641ab5702ebb76c17fc5b964631507154b669ebf344db8980ed083472611d59baee55

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
0db93e0b8514f9564d09fea7952f3856

SHA1
4611c66e789f835de1c82f303ff5a56d6eaf8660

SHA256
c82a52933f9da46e0f12185b2989cc6edca22e97076bc693d85e19d97f540fe0

SHA512
766001d5d7a3b5919ad34fc7f8bd626b58d6db8f4e9bbc81fcd6c69417f014e39a48ba5136e2ad69dbf351c93ffe0b6e8400258efdfb97d5b9471bed4c055cf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
4c834b47a5dffa1964fbecab3f76bdbc

SHA1
6531d4993ce0bfab169cea936d56895af75fb2ec

SHA256
c7a6fb92693ea2d5b809127e09628fad3ec0030bf18313a777134048dec2cbbc

SHA512
bfc2142b80df04b80cf54521babd6775262983a91542d427a1d249973a87029dfdb04c6b0a017da112fe35c12b5ffa7cb98350a834171f59311eb4d927d613e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
da9b21c63aac133479b863485f1d9bb5

SHA1
0b2b5dfb3a9dccfbddc64cd21bea0723879b1628

SHA256
717e6080f5c2044ed7b46dee18701146e4f20a2b4e2edfee11c2c65cf82412e7

SHA512
33684676af0b54e88fd3e94b60a50d94ff56c55b013206035e7a2d4ad1d4f2bede39c6c048db584db9e6849d28769cbde4d2f3e469a1111cd129b4500096ee46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
3c21fe2c7266b2fd302ea09c4289a3e6

SHA1
ffed621832852bb6353626381e8acd60951b122e

SHA256
d80b676ccb22c709ca0dc0c8babd2a07af30835dd10b2816473ba94c8e29fdf1

SHA512
80b6c114a0779de939d099f8ca9c728a4fda8bc5ff7ac2693a9bd3411c6c331f37ece7f76897cfe5d25d266ddc05a64b140d88e65289b508a9c08b6b202fd0b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
3debe7bd475a91bb6a896ae4dad37464

SHA1
d53f147c0079744e5025b5fce06b30a24546b5be

SHA256
07ce1764491b010e29fb8f0848fe7ed392f4d2c30521fa35c139455c52a9aa32

SHA512
b6d90c31f725009cdb69aef17f4880057634d0fa3643b47101c2a558c5e37159b97ed596ff896c037453008813a1e3bd99af18572050139bcfd97578578c945b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
15ce252888d95715951022cc1de31315

SHA1
bc450e22592617ccf66afaa32d2510d0090cdcf6

SHA256
ad5cbcca1237480591aa4db8e21fbf5c2fed5993565161b45678d472015033f3

SHA512
3d2c39a0cd75a3ee99ea7f82c00b38f5fbdb54748b51e3e48fc0586107019c0b9268185aea12e9da4b89b4224ef694505eee92f49a0e3764aaa4cf7d03525105

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
f432dd41ebfc8c1e6ecc08134acaca86

SHA1
11c6d3f5276773c2b963f648eb1e013afe7de179

SHA256
89883d970da74b2bf9a02b75005bee82768d6217b59fc299b77a94f55c580f4e

SHA512
2c35a39378c133d8e0fa1c1d0319d9f378f2fb4e64658573f715b09a74d4d300e00377cdcf495b64bd0b82b9a8c972d9bc7d342e6a9bc9e4b7d6583ec5bc58bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
1e459d63a7706e23f555facd1d3b9186

SHA1
07b89e11cc67762b9f4e1872d5b13d7ab74b216e

SHA256
6ad1d09faca93603c40bf124d070b1c9fb3e3607b9596dbad1e66c837e8bb52e

SHA512
3f3baf10f346128fa466a2418cf53505b37ae9c34e9eb6ca663dc7ee13d97f005617a231455dd2ac6d3db689052a70f716d4c2833b3ccc89f76a1a832cd24635

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
835c6c0663566d791fa39ded732a7426

SHA1
af350f2ffdb748c3ac46ba19056c91efaa3dc474

SHA256
294af9157d5dbb9c2a523ace717d6c0880108646bd25f3c5374f8b9c0a1c1984

SHA512
60e1bd1895a18a68ff18c2f6b7e4b2d2b26eacc652f2adada6a4a31098d75691db75ab3b58d3e7f442370d955f923336ff27320b3b9514de46cd25e356b3201a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
33c0a87692efd11383873e32e3c1dc98

SHA1
a4e04e7eca0bad718efa7989d982e7c41d990728

SHA256
4b983b155861295a0adc9f44a03af60d0050c1ef07a7f7b5fe4a1ffd58a06e8d

SHA512
e1963d1c6f47bba93e77afd7540f42531254c014757eb46b3369919289a5ecb69b2259837ca6919afaa25b13205557a3e3d62888173dff23cac0228df0e3bf01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
bd74366c15bf7d38f28216ea73d9fd00

SHA1
b906f65f5bdeda5c45826f319382ecc9ddb4142d

SHA256
1faa22334ec438e2891726873da531493bd5a01dcad45a4d90fdc0e584b8880d

SHA512
aab521895b3dc4cba2db282a15962004c010cfadde2f830e464be7109bcf7d4b4446ca3528a4f7af4e38268e37267921f81bbcfd5738de206ff5a9b73ea32186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
bededdcd4641e63a1fef70225f2a9357

SHA1
ca6390552d09365abdc0a9c16a2a9c3b6aea7b27

SHA256
f29fff78579e04fd3c0849af184bd6d2e432baa0c1623dc64546fa3f7797f9de

SHA512
a9d1ba6c5b7565a693abc685691cf844e8d95922776a47f2ea2b3ff01daba7d19aad717493b25d4a5c9b3381f9478c0c4aa12471bafbe9646faa58370dd999cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
a82451835202850c72d3321ef1c10f84

SHA1
52a120943c306b04e5d5c009ea5debe9acec55da

SHA256
e13a785c4e937ae0eedf17ad27ff1ff06fd73e33843d0cf59d190d3b251c059a

SHA512
acb55fc46d8e833b776c03e9b047089ee6d0308ed6ffc5691b66eab59483fd3fa2980a2d7e12439754e095d1d28499bb68d1dad634611958d4d94602816fb39b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
745b8ef405df6b668a4cd76af893426a

SHA1
ced63caabef86693e868b66c01bf0f9c57be53dd

SHA256
c600ef7e2e247c0eefe57aeff62a4125709771633a4cd26f129ea264380225fd

SHA512
1b942eacdcd855ebb68a6e14d4d56096881af7414632c028365dea7270548a08f439a28884608b28605bbc150b7ce7a44a1ef699bc8b2aa72db55525471194f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
46ebf490a465ef6c4051c4c8a6204d67

SHA1
29921ce63df439306b042f806e595a507fb55a72

SHA256
5463916a954769bbe7b3ff9c2b1238a517ba50119c3b009cdc44626e6e7ba869

SHA512
55fcd45c3eb9804266d44ad1483e0bc3b25874137ada4370df0dfb2f125870eb7a2913cc9dd524a4c0fa89bcba7b22a6573e8ec91973f62a5fa98709bb968a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
bb2c659d15965c7fe2670576382d3d42

SHA1
4f1609037ad7d46b1e3c3bb41b33dd8ef23c6ee3

SHA256
1d48f479ccdcecf09702eb4ce2d5d6d358e26bc965e3136543ff57b239c8fffd

SHA512
754227db3d5c46e66bffc0bfe8d2465aca20dfb299fc05b97597f48caad92b868546a0bdd31ed4112d1f370412e4c958dbf8d0d5488295b6759300712ca1feab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
11a65ed7bc6c087edf91967727f5a6d3

SHA1
c5595cc94555ec7f67d82e07c0b4fe362c3486ea

SHA256
005495e832ffb95a67ad13d92c97a4f2d47f6d4ef362598e33c21bf464175ff9

SHA512
1eadf62678eb65d0a2daed54273663c919fc3b075a08c64310c10132d1fe51c11ecf330bd07c65c481fa9fe0777afa2903c07d52b034f59a17eaf0e8fd656d72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
69fa103ca328104a060b8e4aa3b78e1a

SHA1
fb22292416cf9ba8b17f73cd1664058e9ed5fa21

SHA256
5f19e932d81344885d9dd7b73eb7767cb2616ad40a44128368edecf31a73bde2

SHA512
1e8aed5d926b2a6bbef21ae5b0d7bc11e059988414da2ed485b774d655445fe5d3bb1ca0216f727e0e37d4947a94742ddf9cdf3c4a150edab6080617dd0dbd57

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
439c4160d0801b4fed5b4659d72cb809

SHA1
2d41cd49f417c91168f428ee9e99a7e2d110b8c8

SHA256
5be0514653bc3b3d0085c26c10defe7fa371fd0d8aab35b58e98df048763908b

SHA512
75264907f391abd4136259fdf869056bd762524f492573ecae92aa47dd40989157e1ba5d8699cfc9ca6c73060800d5da548839975d06ab53f88973da25bb1b14

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
24707c0e919c8d6388697493e287fa3d

SHA1
5a91f0632007cf9b7db056dd9c2cfdb7bd6a3203

SHA256
dcf7397b64bc9ffea69fb25ed50c452dda4650bc034b79c702f88008b88b6e2f

SHA512
03f9780f5d68d6398cf9371707a69bef6b6e897a14424c550a8863c08a06e15d117621c77ff4de183c213482de5e098ddd9506a27f6ca51224c0d2cb6f17563c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
8e8c49c2aea535145d4b895336581343

SHA1
ee529783ed28ccc0486ebdb23d67a3bb99d8e820

SHA256
5776afa1a1045e0e45c5c380c746e2e0c67d35bc494c72bff389e184985401d5

SHA512
3734ce6fcf2f0f1151cc4a8d63c85f3959415bda7b2207617d61ba11ec78fdadda07765c51bf0b26cea8c2460fb0eb78df7fa80848bb0dafe21ec52a83a4562b

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
60e293c55c345dafa511d06457652aba

SHA1
a548e83af55eaa590aa025d5588729c259dfb544

SHA256
323710ca3bb712ae0d5a9fb2fad040efdd180cd25c761762eb90b1c3d72af4af

SHA512
2b3e5475149440642b47c924cdefc3457693d4d6aac787f28b444d9707ff13439e9a31c949da401c00d4f9ef4c47327b299e89bd456babd4c1abaf4ecd1bc340

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
0f19134f31a6ebd9d39579cf7125e4c3

SHA1
2fc6a20ab87a454bcd0b0f3579c85cf198d1885b

SHA256
bcf56b6109c87b37f0c0133ed16824c5888db7d01aa67b65824142ce0a6958a2

SHA512
cd6265b013bdb286b3c0264d8ec5b5e812c7d3a3de9abaac7f79a97eec8968531b6a64a131f73df5d992e62c272033cfe4ba9e595f1e206f0c43601915c8706a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
70963caad63c5294e487040c9e948ad0

SHA1
a03cf151ce3bde287285ba175a2aaf6ab2a6a127

SHA256
194c29a53237bcc13b8cd8b6aa9c7227661ff85f193f8f1f4298be71a09785e4

SHA512
c70c54d7301f5d41873beef6942f0ee6343f49360651b0bab0b0fd7ded2b646d7254a59b02023efa5fefe9aecdba70cde25f827e5f864862b1ccfdea1cf0d971

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
755d17e90cfea32f2613ef4accae4b09

SHA1
91a16339a47ced3e7d754adc15fb401fa8a9d1cb

SHA256
cade16dc505d0651aba3136f952d135db4643d65b96818a04f64d8e112575dbf

SHA512
bdccda505f77b484e9b03a048458f3c097e636fe1f8bd11c448ea89269617a8a552bbfac78f66d6490e97c509ec144343cd6287e9dcc84bcd8c9b475f62cb8cd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
9c01cb9f5324f8b7d24f00316d152b01

SHA1
f4d2c5e23dd58b9f9feaee09fd6816ed023eaa8d

SHA256
c9f3cbf57a1a85696410b30645ab7ab680612a35c6879484ca4d55f066311e38

SHA512
e66e47eca4feba2778b877b3a4f553fe368546505f78b44d1cdb882617ee90c2c260c782bca62617c469720b22c16e67e99f9c84e2c495416344b9b9b45fe6c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
9dec1d553dbe16673addbdf551f84100

SHA1
e339fb67091386d9a3ecf182116c8852b3e9b7dd

SHA256
fa3ac2382a82a70fedc95e6ffa57e8e33ca0e84e7bf7163f040abbe10283456a

SHA512
6f46bc3223a96b33533504bb5ec008ff6bc54d07d9e44873be86062428ca40fb3e54a53fa6e54ef079e96355798c47356ac7caabf4f63e4e09d6ebebcd499564

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
250a14451bca621a7db00ca6b5586972

SHA1
c2fb37c835c6aa322843e956410f47bac200e18f

SHA256
7d967e642fe74d9b64048332e1c8d3c953a441edf7dfcec764e644dac687c70c

SHA512
536805d8b83d059e74c417b0f4de2e6171f1277f4b99352db55ec2a588e1ff278ab23d50f755dc46fc19ff104496a6dc8ec57644deb487cb761f3f695d3792d0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ba5bc7a2b9ea3cb62a86056265b6d745

SHA1
8c0002d2a86518d7e83ccb7e7f6393332a4cd986

SHA256
796fb611dbc7b77a41deab565e73207c7f3c4ace420822c0fcbdc39adbdc4988

SHA512
ddff6c6fde86832c4d1af2f38269554c96a4872e0cb9e527d5bb1b361a0c5722bc6688a1a709f8cafbe5316cb26de153b91528a3eaa391d1c8fef238d05f3e91

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7d81dbd916986e30a4f800bc3465c3c9

SHA1
03c6a571781507b794d9d1fd0db1f948d4f574e8

SHA256
1b0f055037cb0e965c866761fb92b7661ce6d24cb19be09686d52ff3dd3e6626

SHA512
c2893ea01551e34536abbba622939706c059b806d2b4a42494235683cd3178ba2cdbbf9162c394a50eb61608ba4b35a5bf4d920017e98431d7211cf76ae51603

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
54416d5a78f5db78b2d9e64467365bf7

SHA1
64eb90a8a5cf65ad68e5a4732d08c5e7000e0020

SHA256
a8997c4a238edcfa356cdba495d5cca2d6da617bd332f5470c9fa7754b6a8d65

SHA512
28ba9eec3b018d6d84c6c148a0176317c884aae82d2085f1ab95a453c57aad6e281846e2ffb34545b01c083769a1fabffc4486e88e8445e0702cb13da49e3aa9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ec741265aef2dc1ac2fe2803ddac544f

SHA1
9250a394540734be8f0c785f42f3db3b1545ac87

SHA256
0b3301d7f0f5ba516c1af3cbab558b1b078363bdbc9cc78d724ab94150958240

SHA512
4b7d7692753f822bc565b2dddc264f5d388275662aac819953cfec743ef5cda27796fa0e809cf20f91f3c55995a53ece26e2a34e0666109ed97fc5c208552ac2

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
261055ade08de70c2382e2e77d743ed1

SHA1
c287984d70da91eb3766b23dde88ea362b1b417a

SHA256
6d3f6b53598ec3ae5c3a1381473ad4fda384e0f309302926192108ae3e8798e5

SHA512
c3d81da0a611e3f535b23edec142845433ca1127c5a50d00d31543d77cb4bc29e568ef01298c4918d683353543c81c8206c85a123da7390d84de8340642cf545

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
8a27b1e74b2ddd30b4b6b4c91e6be08c

SHA1
97bd17d727004fc7d0d616024d9b09f92c17f650

SHA256
4a61dd98f880ba7e12910d8d79387040571bfa7eab4de688017a3ba574cf7b50

SHA512
ad1fc9df3d6f4ed827c9f88688e6f3ca3364bd92868d85af65451f1b6731fb4dd1fdf9ecc866ae70ebf1f22e2ec86fea9f520974d32dcf15aed10131999135ca

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
104f8fe626085480804b84fb8a9a162e

SHA1
bc777c618303a13d539371e88e7efad646254379

SHA256
51b2aa75c5dba5659fd27dc1843f10d11170cf0fe7d82d96f7c9aa3b09d1d4e3

SHA512
1b31df1198e6bc143ecf50620a27348cc0e01dca8a53a48707a366cfb14d5e0d22dee2247664fbec115d5e2952ee8b460b6d9d957c5baa01f8d0f07c4ef314a0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
72539a4e3f1bd141f94629d561b70d39

SHA1
70dfbb55b69bed27ea08b85a679bbeb8378e357b

SHA256
6f3cf357af40870e6508379c1e856671476e03e018917be2803ad83db706b1d6

SHA512
624d2268dce228b6952b3df295581b35cf30fb1df426c2e8f776c839dfcf58e9dabc2457c38a74310e81319521041f488c6e002755a2c7032a766426af134e84

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
be0cfef238ec5da4f1c47bc91d386e04

SHA1
4004241d651432184251b635de03a82c5e512046

SHA256
620a8742aa78050cc3e1c28cc43c636fe9dae18c4d8aff90286d01c55de89913

SHA512
abd11ed274bcc22225b729a94b7edc20d89b34f7c99a17e5cb9a5626ddd59e3db418112d253cf633cbfa20f4d309ea0fc856e924e5b2ec7ef4091cfadfbd9192

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9755fff2cbaffd558f7afa654aa9db32

SHA1
89a3b3d299d6edb5a162179058b0fc1411e0fb4b

SHA256
b47b0b64fff409eb280d746eb9e826fb7e920e68ebb5702206beedad309acebd

SHA512
e01a92caf895375c4150da18d15eab7859e81422c33f84e00a69389a38875d9bf2076dd35eec03e6bc5b27be17816a7fe978aa4fd1095f23f1239ee904ed52c6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1a430bb1f092691f6506a630725fea34

SHA1
02cb9c473507711d07e2c94aa84bada0fed1119d

SHA256
d67953837d54e1491a174a59c09627ad3254c8a1017fccf46ad75b2a89ad2921

SHA512
73b39d0db2033510b5acb1f3f83965d8f4d68f8640d7795ba47c8ac73b154865b6e1a817bf2a860011f7e71de46897287c6872522390048dab7197797e768423

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
e2e7f40fe114883893e0c6f2ccd14a9a

SHA1
deb4581709870b0921980c442beb7becd50662c8

SHA256
78aabd16904b7e09d0558015d4438d4450565ee52bdacb70d1bbf7dcc859aaaf

SHA512
04ed8bc9ba9257dea14c4dd92e2324ab0810aba4cdb6b9f36f28a2e87312b5098a8d18689fc97e4ece5553180bd7ba0e694d9d16aefa819a390a7de35bbd1d38

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
c050499ab04caa0947741868bcb66a7f

SHA1
741881bcf54f6162273bd75ed047ccaced674550

SHA256
fc51269376b7d5310ec4ed44520a0e07f24b9ca4db9ad1bc8e620c863e03f143

SHA512
dfc19d41f0af221e044592fb10a170a965ba21f41bebf46fb4d6ecb9cc5986e5832476686a759f81661f63eef75427b5840f4a4298483dcae125df48447adde5

Download Submit
memory/424-207-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/424-329-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/620-296-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/620-185-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1296-102-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1296-101-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1296-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1768-293-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1768-182-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2300-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2300-823-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2392-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2392-820-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2460-158-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2460-159-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2460-269-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2764-552-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2764-222-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3172-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3172-825-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3460-116-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3460-122-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3460-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3460-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3520-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3520-106-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3520-129-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3520-112-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3520-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3648-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3648-813-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3688-181-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3688-19-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3688-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3688-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4068-266-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4068-818-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4340-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-816-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4396-196-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4396-317-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4492-824-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4492-330-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4564-6-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4564-1-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4564-157-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4564-544-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4564-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4592-148-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4592-154-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4592-153-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4592-150-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4592-142-0x0000000002A90000-0x0000000002AF0000-memory.dmp

Filesize
384KB

Download
memory/4652-819-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4652-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4724-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4724-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4780-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5008-817-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5008-246-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download