3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
Size

1.2MB
MD5

170d51a980162cad9830d5b594d21e7c
SHA1

5dd9eec907495431439f6954cbc42bb46fada70a
SHA256

3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1
SHA512

1451dda8b92d0e8fadc2c9d6db29d0171e3fd2f07df22bdfff75805fa1cba0e59d51d60a9b3478243525e23d75d2742ec11b5aefb1cb0d2e4654678df18f70f0
SSDEEP

12288:o2o3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:Vo1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1252	alg.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1920	fxssvc.exe
4828	elevation_service.exe
4420	elevation_service.exe
412	maintenanceservice.exe
5008	msdtc.exe
4064	OSE.EXE
3636	PerceptionSimulationService.exe
1848	perfhost.exe
4968	locator.exe
2240	SensorDataService.exe
4040	snmptrap.exe
4812	spectrum.exe
4464	ssh-agent.exe
1348	TieringEngineService.exe
4412	AgentService.exe
4492	vds.exe
4380	vssvc.exe
4860	wbengine.exe
1920	WmiApSrv.exe
2924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\System32\vds.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa95bf13e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f1f8a2aa99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe52fba2aa99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885cf59eaa99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc1700a3aa99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050ab25a9aa99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbe288a2aa99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aeaeda1aa99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aeaeda1aa99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe
1016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1248	3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
Token: SeAuditPrivilege	1920	fxssvc.exe
Token: SeRestorePrivilege	1348	TieringEngineService.exe
Token: SeManageVolumePrivilege	1348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4412	AgentService.exe
Token: SeBackupPrivilege	4380	vssvc.exe
Token: SeRestorePrivilege	4380	vssvc.exe
Token: SeAuditPrivilege	4380	vssvc.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: 33	2924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2924	SearchIndexer.exe
Token: SeDebugPrivilege	1252	alg.exe
Token: SeDebugPrivilege	1252	alg.exe
Token: SeDebugPrivilege	1252	alg.exe
Token: SeDebugPrivilege	1016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2924 wrote to memory of 456	2924	SearchIndexer.exe	SearchProtocolHost.exe
PID 2924 wrote to memory of 456	2924	SearchIndexer.exe	SearchProtocolHost.exe
PID 2924 wrote to memory of 3896	2924	SearchIndexer.exe	SearchFilterHost.exe
PID 2924 wrote to memory of 3896	2924	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe
"C:\Users\Admin\AppData\Local\Temp\3f1927b89f9f4d5b2b4c0b74367e8829ad7ce85842eaad3ab2abde0e66e47ce1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4420

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2240

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4812

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1288

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:456

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
dcebbcd8842c113281d3d9b0e610c356

SHA1
3f8dca878bb09d066d44cddd653f446c568cc735

SHA256
c85fb7f44182844d843ee66f3c563ba0d408769989b127fc230d8fe56d97a0ee

SHA512
3977aee33a3eac6b860e5eaf47b66bd7a65c28f034698195c18cb744b709f01894e74f251060e662e100c2de4032a192fe38414e0ccd2789b6291ea362d24f09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
c0107aa0748917fc0842c905c25dd1e6

SHA1
02bac0123b61db7e4cf3c5f4bb900719dc6e8d1e

SHA256
e7a863c916f49ad95890b1223a5b4dca8dc3813a17e8ce98e7421337a51a4a93

SHA512
f3954be16bb9a8869fa9d6228b2d4114e290a85a774a29416e035b74216c8bdf2b80f7e2d27af5feca08a9959ddd7b17a8215b8e8e5ee28319ea21e8067b390f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
24eb071abfb6a84360b1819ffa841195

SHA1
5a5a165f539aa6cfef58828c7be3921e8f49fba7

SHA256
8c657f628eee16c09f210c54b377a568dc3211fff1a2d9a6f1d90d64dd169bc3

SHA512
a91fd7fb3a65eb8d06d4304c71c7a2445b4516be33ab73b99ade8a318c769728a5b59d781cbae2e714a94ae0147957c70111ddd3c970b05c457be0039d6998dc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9cab0e3511d896131c154c2bef3e6d39

SHA1
3fc33f5fb542896b4dfd05f21e20c5c06be4f2a7

SHA256
eacb2ce24561b2f475f10efc9c337255005a43de9d9d978a085946569ae5ef53

SHA512
915aca457e4bb58c4257361850ea2744ea5dbf7cb3a08a7e5cad27b005c8427da62be6fd97fbe71b59df8e89ca0886a66c175d831ecd1f0affc714af2ef0545c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
fef6c67a12f3ea3c8b177db394628af5

SHA1
2f102bd49bbdbd1ef0a67229bd12fbc72f25964f

SHA256
354c39f64eb3aae696903d4d47247b32e68fc94e8e4d79a65813ca7a4a326b0f

SHA512
d4e0cde4191a60ef31d77edc161c3774c33307dd41da83239ecce905aafa88c5516cc54331b234bea499089e59f8637465d9089b53635eb1bcc0fe4e364d1719

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
a321e0b3cf98d1ecd2670516551f2867

SHA1
e2e46a3dd3b4debdd7c559a599508fabe617288a

SHA256
348ae2cca338f1cd3f184e6c05b4ec7ce3ae5ea2386e3eae793698846943d5ed

SHA512
6b3561eb4c5980fd661239b9a4b5b76ba1114283b0b9b95a24b0e48fde0483690604fe8a0c3468ed0f6673593eb402a57ac274e9f6264d3ec86b0eee857a48f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
73db0492abc91f517f3d3085a2d1e204

SHA1
a750a793db5f78b978907a0366aeed3a2abe3203

SHA256
3fd0b3a7ffdb4c4971ad4dbf8a6cceedaca0398903db5193c8744bd2e7bf89df

SHA512
8789be683e224ad7b73c0ea8a8bad387e55dc459f6c85fd2f6953373fb85352f704410db8dcbb102744c217459c63a1c74a833374d46b0966f3c21d1821313ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a54b0b10d377db0b88af18e0ec39d0ed

SHA1
daa4daf5f1b5c55df94fef7ab5d46a9c78078ffa

SHA256
ba9afb6b5fba419146adabba33d8239928c91173c35e5f436543b9df87328c55

SHA512
69e0340874abc8af20267a4a744a309ac707d6a4025209a1201a5a63c5684539cb7079ade47e63b95b1110ea2d8a0d11213e8b29a4b9d9b4da44dce7cbf5847e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
cc138cb8c876037d9561f9dee283c647

SHA1
c53340ce9115c1efbb72e62714a5b029f6fc2676

SHA256
14b71735b2ce40ca3e570e4584c133ff09b06fb0f89f74a6dea143199638ba9a

SHA512
a6dde5467431119419ad46c7a1af9b13de3add0c537a696beec2b3c92a0fc88fa27a3fd83bef854f4bd6cec9394a4073b4a1c22d460939d9914a3c92d8f2bfa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2bd137b9dc18bb536fd441616d5b7bdb

SHA1
bd3e33f4e2f1ea0fa29cb697096ef2e5b643b0e9

SHA256
4f3af346ceaaa675cefb8b5d4d9e49251c4062b4eea1974dc7d703ee9005ee21

SHA512
ee4a63b6ab5648ea2cda377a140251ed05022c3964b92a2a98dc11f06d12a19ad0dff3b9a6e8428790f05107ce8951617105023f683c8388f2c2fbd83bfbdc57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3f413f51f73efa1621daafe58add5740

SHA1
268d3c71d869e0e3e70220da66913e174d4fb76c

SHA256
42f19338bf7d87507285cfd8c32325026d99fed0cd15591bc5d57f5a6439ee0e

SHA512
d49ac0ccaed01c42f0b794336b3340d3b815a36c155bf467c6be4d47fec781ddbc7e95cd1c005d8db13d2f277e3f0112c4237b5d5c36eab644ec634ca7e54ee6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
752b255a4081c1add8a8ae987145e5ac

SHA1
e2a61aacd63277acd0c3dd72ff2559aaad8cd51c

SHA256
1a6acb135ce376b9de5b2356444c046f2cc177c181bb78f51eb1f6cba4acfee4

SHA512
f9579f91c029e85df1e7de81ab4b7a1f34e0dad99c4c66e4450c00b77ceb8b7a2055304593753d20361cdb51b8621e883daeab27aed386ff0e4696f39036670c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
36306eee50e624282c9dfc5e9a632648

SHA1
095eaf7b8881d3b4b6a26850f62af4c9e08b1d84

SHA256
8ac8c82af3acd27fc4bfb242fb96ab6fc9e5eef4f0f1aa4cc333ea8e0589dce5

SHA512
fdbc4eb66272b34167bf4088f87a6fdb0bb860e9a213237ef42e15c7f677cd01409764d7efd67c678332d583d686a3e77ffa9b9595c405cee4e1bee7a67e05e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
456790f5f339a5aeb9b1cf2421be2695

SHA1
5ce4b4dc2aa20dc8b53aa363f3ae818230f8e9b0

SHA256
e066eb646236250056d4e8f8b670afdf7be504b0b42e9e6b5f817d282500466d

SHA512
a3489912b5c16a7da8152836f253484f801ecc28a1ad9f076eaa43548044c8e38f216cfdd36fba36484f1a20bd05e4ad7724535c3ee036fc07bc395fae7eae70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
411e0878072555aa668f89fe1f806c18

SHA1
4e96b98c89e2629f215ae3ab956ffe2349e7116c

SHA256
973a53b82dd2471debf7e98c581a10f6e415154e5e7b3e3f15905694ade75d0c

SHA512
be048d7c1df21399779df8677855fe9813149f6da22d37e4e436a754f00293a03d012b25b8594fdc0027eef7d1f5b5eb5ebffed3f56eec4a78b4de6ed0e1f2f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
f624bec799bc07b55e7f6bef002132cb

SHA1
53d9ec0ca11e3ce3ca86c4ada0de65e0820b13f0

SHA256
e37ba9ef97edf9757318b8197b81021dbce9bfbea15564166ba9dca6c492fe4e

SHA512
92482b951ddb31a6dcad52b04f36269d7f9156d9e946caa30a1484ddfffba4db860540f38207871a5fad5632648c054a1df3a74d0eede1eaf6ec54356aef3943

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ede12f9a7f28004869b8abd8d15c44f7

SHA1
86963308981e54e617c8ef482a75e32e2a02ec99

SHA256
7cdde6170e9e2eb277f75d6a415615543498dba91ae428f536a01ccad4a3043c

SHA512
3f14de9342df470eafa9d57ed3a58b3082a0955245ef15540212c441d297691f481ffc8f5db75977cb3a7637c2b86068941fa442a22c6e469d25852420c1d759

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
57a12fb0a3a5e68e8bb0eb45c8803ae9

SHA1
364f36e2ee349808fa53a0a8776c9e35260c0d1b

SHA256
1fcf53e83eae755daeea5340c4bc173ac9b807f677cdb1ae4ef1ea6512961bf5

SHA512
e2bb45c339798635a172f1548a72e81de1feb1c0b33ff3e67c4394848279535246c50df00ae354a7b03482ba08245cfc5c790d61b02b450f028f340c79951023

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6e977ac41612b1f8f8c4a35f21be5c91

SHA1
21fb12b54010371b9b545ff123797fb07bf1a9df

SHA256
3bb1a17768c988cf5debbc5924a7ad640a9712beae6b4bc10c4789a5ca0e11bb

SHA512
63639f6f248dc4023e7999076410a75c6c17f9657ce1491dfea3ff10d61c573142787e33d07d7ac81cda15ae84a35e4c08d4f4d02c89012e3dcb3b6064aac8ab

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
3279c1551e104ed87c8af1f1c6175c02

SHA1
26c3885959d0d67472128fd7f44c09b3eb167a84

SHA256
2864bdc28ef10257e718c3e81406d1a3c21842c2dc6ea3ba1344d6e6c6712e6b

SHA512
83ada0e1c11161ed11937e749a53cba46db69a785dd832597edb7d8c2b2036112ae58ebc1dccb30b6f77b190fa1063bde44a0ed7fd76aa861f55a0102585fce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
ebd920e756cddfd5f71991806d1a213b

SHA1
d2c7d15a3d1763e8afb575258c620c185da59374

SHA256
87f180ee95e97c1a1ebc1472ea26e423f7aaf8b390c7a50e0a51e530494b6e2c

SHA512
0c7dcef6a3da0abc3320200e19439e7a8068b300e9a9a689f146e959e6c0bcd6e6dd458e8d3ee46e3161760d64de8e9e63bc788600920ae1fd61c17106f1b391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
2698081e2fa691cc32181a0f528c2142

SHA1
024793f90ede24cd55edf6763e0c2ae373dd7ed5

SHA256
a0e77992a73d2c9055e1874e49124c60265f1ec73735b52191828b32e39574c8

SHA512
31e65f258cf870fc0ae1242ea43e4c8a06142025985c7a7d69f2142c97848526f082acaf07998aa3e7737aac947cb8d7bfac084c49e397aea81a239464503533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
4daec541c0b0853d9c398357baa10f74

SHA1
8c462d60e584abdcd1d63a096eb734ab615f9bba

SHA256
36e2527e17e5023f4756ec291edbd1ada1323bfbcd743ed62ddb958fb06d88f8

SHA512
9528a90df6eaaa203b5e8620aa6240b2bfedef4afdb01dbbd327961aef5009a04a9171b17aa25905cedd4520b06951140179fee4ac42ef1d2cc28ed0ef1fb364

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
44d9b7c0222b5d6b5391962564df2a5f

SHA1
29c0761edf78903237b122c0968c280d62a292bc

SHA256
b4b1a15676341836e317a64fc1b82fa6acd263089650724fc6289a74cf07c1d3

SHA512
87144c4c59a717beb2f6cf6dfe3e2a483fb2bc22ff42efa65b9740ef48725ed1addd03d2541593c67703b9746c5c99233c86ab47044b920419abe0aa08f6781f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
86a59fe677f158bc7a97f40ddb97e1f2

SHA1
64f44f49ae9541cc7b4a23f89e3e711728cd2161

SHA256
48a8140a00434aa9dbd698d041ee320aa0b57e1762cbe2cd26aabc8e6b34c86c

SHA512
6613631e97d8f51f376cfed064340df024fe74db8b8a8444bbe01b8b0d511e37ec629162579e973300281a63d0323edec4e35ec4242cc7005bfbbaa26011dc34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
df285481c504934c07cae759c3b3917d

SHA1
3f82194bc53adeb2f58a487eca035d73d462a02d

SHA256
a669c4445120041bd1ac3689a6d71fe0ee2272bfbcae0dbef2dfa704e184c4fb

SHA512
7f901e4e74cf8ec6774fcbbcb175cf57dd9d8ffc36a26940a0ce64f94948bcc6074eb4ff96cc3fb7e7f1d5de495fd52ef36d4d8e57d76d30e640c017a1cc7fb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
4c49449f98fd4a2a0c776f9b335edd74

SHA1
9d3db8dff7405ae7f4bc31d4d62ff7bb3e626da7

SHA256
116e5f9579a317fb7b835160b1393fab3103f12585be84aa02b6ec4c552220e3

SHA512
256448ca3d1e297a9fdf6db1e938e884d64db4bebfba1c9a682dbeaee304978640ac084e55bc22222b85062bf1ba51866b7c8a7e15a2a2b015d6fb20dfdd8cee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
935eef25193d7623302207ff5ad0c367

SHA1
13d51fd1eda1d83c74ba7be279b234d039a64223

SHA256
16a476e772a9ec0148443e8b953082bdeed647b22bf5dfd0f47ac3991fc966b9

SHA512
c71eaf2991e25ee634e354539a4be2aadef34de33c769cf43640e3b7c1d014faa030eaacb347a8bb94a6aa9512c10df38e2c2ff678fadb1ddb0de9e0e7b6ddf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
1c866515349f698a2f18ba73b8e15e40

SHA1
fe7005009b6a177fb44c95be851425bb12e77315

SHA256
54059d768a937709b60da7c9ab382e2583164e4307b9c73fe7a8528981967bfd

SHA512
29a7edc4e46ffd57758b894588a24df400d118dfc286e9c50fce7dcacab2f5f065f4f77c2f836730f4db26eb6c1e61affe8a4db8a93a33bf7cf5ac1b5e345f7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
345798782424d9da1085534ea138fe3e

SHA1
b23fc65efe6fe55d0a6017a75c0d9cfd552b3063

SHA256
9f471d65014373251da65df5733bb1c62b4f2138e0aaa9ca4f5a9b396ff647ae

SHA512
afe1a9269cc455e15b0b0446c95860beb3246b17a63b7c2f34505376a7976d397e752d677dfb20739f5b7aadc6ebaf068ff472a4d93742025583a9aefe16ec47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
2e03faa7c5d528aabba948f6bab86441

SHA1
15034ce2a004765b73e76974186903e81dc31581

SHA256
6848a39878c1ffc1e97e661f64c34fab26b8422d838de2d495b397bb2dbc666e

SHA512
8b8ad11f1d5ce0e0194ec2d002147a23a62d99b679d39e90b92a62b7d9d9464af534b32eb4a72e7b16902279fae0d21751da0be1f0d6ffa6aa29e2c3ca0e39a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
cbad4dc7f245c9a492232cbd61ccbe23

SHA1
33a5062de94ad4257b2e39f3264f8b96e87c4b97

SHA256
f5378751d4654827e70c72f5368baff439367d829301757758ace147295e06a0

SHA512
97f3f3474731b9e74b8187ecf5702295009254c8fdcdd5b682d494cf85c363454138ab0d19b7ec4fc18b3362c7ca906962bc78c07298fb1ae516d8a2f9f82b6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
c1d75576fc7fb0085efa41a37feb5353

SHA1
6e0c9df350cbe7db15fdd141cc1ef0bacdf617f3

SHA256
eb81ce9c4c89eecc1af0211387f7f7d71970df4cbd6a472b92adc7d9f45fd6a5

SHA512
8026d84f6ff6b2faa7e910e476180986b4792a2de75ce39c6c0caa118f5f698c2532c90dab56415259ef86caf2853612d36394d8f995a2b34579dccd2f23c409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
03ed6af2cae355116199b1be325c8e61

SHA1
4901d2eca01dc3b07f361c50970ee1171ee12937

SHA256
8de2ae0d45c87e498cd982b11e570ac5d6408c0f52548c0f086e972fd4af6ecb

SHA512
e9d33d775635b52127bd069778ec1b3cc63074ab591abb846175efc0081702465f11b7151fe7ea41efa602c0d15c071dab798f80b2f8bae16475fb6e6b170626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
636bc87076844ec47fd65a64cbe3b6ac

SHA1
b58594fb121054f165d50e73d078b864b487034a

SHA256
66cd83057c73481f59851e5cb6c82b0da3061a933b9d2011153188409240af31

SHA512
801f9e3e61622896fb9ea0b04c2a1316b33345902db73c3b0f52bd79ffecac6f55dd4b7fac861744afa3f5e9f6f276a27f17bb08a4623a55d0d7f041ed057622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
0c1fd1e793f597f936811895a6c82203

SHA1
b75c3683167edbd9870525e549a885f7d23c8903

SHA256
d44b01720dfa3e447d0bec533c6b7cf00ca9c6e9a8faf62bc0ffd82ff0b52cc1

SHA512
11ff16160fbd19730fcb43aec8e2d592f2dd064d02aa43d1ba6c811827e14c0af9e6d20292d78b3d0cf6d9d7bd90df2183a251e2daef641dc7213d0b38382599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
c102fd35b47e8db76dcb881f05811a2b

SHA1
1a3a769c65cdf218015fa2f67fc5af3eb14c07bb

SHA256
3dc15fc88bfa8e91425413f2cd48119b68b12fd45b11a74f0c3cb7cd0b424b54

SHA512
323736bc4f3ff805e2746f3786a9b720b38e16e10ce1cf9354ec20f0636ee0b8ab975c4a4b02f4ffcb4a62ea413979917cacd457af8243b5adeee441d763c325

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
50d9767b0eab8fbc95accc8ff9f195ee

SHA1
0c656c9d6380e89b5db3ca1698bfabdb2c5a9748

SHA256
5ece6295b08548828414e10526d6ad76dadf692a6eba26ad9689bb30bb4580c5

SHA512
da786221416b3a8fe5c78846e8a10b67f4f05856f29b8b2265a0a14571a90d31dcafc5f8781140bd63bcb6897d88df85774b992bc1d93b7728f4a2c0c219014f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
f70f6c3e50829409bfdc39af43476b89

SHA1
72551fbc29c1ec329c6494409eba38e3bf6a7447

SHA256
ccf0e9c9e7aaf9da5f731ad5308317713a4663f64bd6ca887675eb1d8a315566

SHA512
c54ec57dad45a8b233c2bc7bf5f48e5aabecb261fd06de72e8d5ef699af79b6df261bad0e5f7e42452aa8d964b81a108adce7db0412a8fafa2dce601cc237ebf

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
548875f5565139968c382682d9498170

SHA1
10a6b3408c408a15aa559dafc1e43c2656a1ae13

SHA256
71962b826a3f23ffcae35d955eb84f21b86b40a649d8a9f83932a0e3f6e4c186

SHA512
2193b9a8e7806a917f1bd18e0b089c33ab6a66b468218a21ee24519d5639bd79e0414dd29129aa9a111d631cfdd0e151996fc29443bd82799be1e32ff1928f41

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
59f69455e8eb6b4376a59ee0c5e58a10

SHA1
50be2745823a2595ebb19ad2b7ea43ed361bc22f

SHA256
ef72303af46c8d8358d516307bba30bea304eac034351b03f483018cd7427a98

SHA512
c99cc9230008a75ae2b54a6f8bad23e4590461ee5fa783a13ddd5007e0769841065b665692169bdea86c1ebcfbe2c82dd35f3fde59404171f4f073cc5fb38f17

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
6495763180527d714e55f055e0f2ca2f

SHA1
2facca7def5fdc74d959c1ab90612f3a78bd3e43

SHA256
691e9a3619b1f7c5676ac4e9b28d58124273bae3b72b7dfaf0274521d3cd1154

SHA512
df07891141d2c439e75f102e37e027ba7b45090023c93999fae4f45bf953a07d395b48e02f91bcd87cc5deaf1bda68cf20514846198bd836015c84b4a1d5d074

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b9c3d0e4229600426e4c316d56d20623

SHA1
5b03bf66eb6b456955fd842ea6d5a60c523ba04c

SHA256
1dc2df16074efbf414e60c3ce25022445b510b4eb69975ebe533020ab81c6c43

SHA512
453575c878d2ff4dbf7c90512ba720a0d509f34cb8c2ffa5585d6aa200a18be202b9699a1e01642577f2cb9a0a087c90bf560e3d7067648a388267aec850601f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
d076a2e98d2d54265f82a5dd5d5e08f2

SHA1
b083bdcc9885bf129024a1834e2f2ae8fc8f4690

SHA256
3255b626a1872a4f2a3faab251f67307f543829c91413afd89509ddde04cb1fa

SHA512
ea981fb4c4d200209d46c5a711e50c3f9593361074bc6713605cf0eb6f81d0bd4a27dac6c8c7f381e55f8e7438b1f515f7973eb7fbf398e38372bd1cc6e014b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6869ccbfbabdabd10eca87b8ab17c497

SHA1
74aa58cc7e2f778a50c4d405ff53218ba4b6aad6

SHA256
1b76cd89be3c93eb30404cfaec112ac0f666b6dfe14123442e28e0dca4d84426

SHA512
cdd46fafb82549c821fa8fc29215cdd6ef830fb96c747d112e5d6993d356f292f8e3aa4771d862a70590d588a0705f3c6203dcc5ae97651a585c377974babfbf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
ca40c8ecd4f3292cd121b7e35dcf72dd

SHA1
386ffb6b2011853ad3a3484a0722ee709a8cebe0

SHA256
91c45ed8a20f82d54ca04ab20dba5a25a1445ac0abcba8b39818bc73548db514

SHA512
8f66d7ad6bdaaaf05c4b18034f7dba464ac90031195617f2cb1dda85a0e6c62acde0f10323aedb87726a6693f859116b298d45f314437a8e2658b79b8946e6a2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
be4276b88a54684301993156b75ff023

SHA1
281e229cc884a99147639d5412970a2b65551586

SHA256
9bb7615aefa7bd01710aa3e775e862f5303142604ca7ec1fd44693735e337dc1

SHA512
20d388a63e1a5e558a4789a482b2cfdf9c1bef19371bca0019c00a45694f406f673158cf83dbc467ee18f64fd88522faa6ce41d48bbfb11ce342f711d5e3dd02

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3da7bc1c6714f0c9104c2251843df793

SHA1
9e2d1f83ffc8e5526a89fd7a674e2b7feace895e

SHA256
409f371ef694c7572a2ef5cd3ab876e4d9a3b2535d17b426c9a39cf0b29b4642

SHA512
c5a1e595fa0c1c1c1e77e52f5dd97159dff98123fe875eafca9ac5ff24ed0ea2e37e61a8e2a7cb7dd33fb28e09c0b5029628966b3fc1c5cd96c47b4c5e41a783

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ca6e953d1cda8245b557fb49e36130d9

SHA1
935bfbab2fc48d1451e13c481ed650d33f360391

SHA256
d94e079639783edc5e54190e388a8e64c8805c43712f5cfefea7016cd60ff422

SHA512
8a839dadfc52b1c2f5a70a61ca1784e1f686bd8e1a955b0f1ec287644c5743a126b09bd33da0c8594cfe9a0c0fa2426fb8bad3fa302a2b44accca01253ee48a9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
30fe66694a98516a8c1fca8d65988ce5

SHA1
6fc3d581c67a08dbf58b65511d2f9599dc8a8e01

SHA256
9e5a77cc768511473cd01d2be4ad6fe2e29cacdef840abea15394a98f3e6aea3

SHA512
1c6670e847a0f41468e1a79f76b843fda67429fa68ce6ee7b8057dccc3fc11c37deb732024762a63c11d484155499b3223981ac090d25184b0462835fd1f8533

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ec7aadecaba29cb9a5f64a9d66e61992

SHA1
8d5a64e708508d454fc5975e86e562b1824f492b

SHA256
7663ba63afad01f9596935664104bf67e963b503cee5b58a2220a0c265019c9f

SHA512
863a08c1459aac4b42abb215823fabd10ce6a47a69ef9ef90b2c8b8817613304d5fc30266b415838bf5e0124624d3e046459ff1bd3ebbaf90a23889dee1df1b0

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
d78daf546a851e0a03b7472ec1b9364a

SHA1
be4d04e466f0183e3a58ef837bf9739eb066f67b

SHA256
e868f54bff41789526ca8282902b7dfd7987c56d68500b6f950bec43a719cb77

SHA512
2487574378333f389052e13ccab3e9cff0c571575c0c52a71c11dc431759fc54b64e391340415741fb559ea4671b8de9cf19237029ef4609869939e6db020497

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
1612fa7d88630124ada6caa8fbbb503d

SHA1
c5c25e948bd047ea83c7ecaea9709eeff720a056

SHA256
737cbd1f4c2f9204c73cdde9402a1b124dfc814f788b0e7c53a80f7cacca81d4

SHA512
73119cd8e5e0959f4c6259a4de62c657c3380c62eb21cb8fd8e5ae0c6e1d21e6c0814f0ea3abce37ecf4a270b3be27f0130ed7cba85448eeb74ab17949fa5187

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
9ef1fee9fd5c19cdaff34bbbe578e32c

SHA1
bf3b5432bd87287465ea65834c2d1305a29f36ee

SHA256
e36393322804955ef5c15c88973406fdcc9cf6a0254926ff8d0a54df2e788232

SHA512
dda257f7c4d0c198288141997a669a01d4e37d7f0f86d72cdaf2cd8d6b9ebb2dbd3e9a748cd3ca6646af2238e78abb9bc4590ba533a87f52965b9cdab4ddcd3d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8ba7901ab7b2dc10f3c2d7082c93c1b4

SHA1
9ea3d51e26f7a07e8fd2848317aa69a674673f42

SHA256
3d0930fd47a44f32ba7cf7546d73e410233406c89153045bcab66ee44e571e2d

SHA512
f689921afb0d88c944883d7c8e38e1c497e2f16962280813ca54b467bee9d9c55b5587f7ecea1e63fd83bc2d6afdc282c4aa962142052c6b24d020774539d5e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
d07386b816544e1583984d88c51d6b41

SHA1
565cbf8ead41d4dc1d3e561177a1899ce9138400

SHA256
2b75578eec749f61ee0f642c73ad2d161b580275e068e29eb01b04d54c5c57bd

SHA512
d82f1a69f1b571ffe2a05ee48afcc82d81d3bedc4d36aca5c42ae4bbe463ba8df74cb667a4705fa52c9b42ce59fb0174d55999893d8d37882fc5023b671ce252

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
924344563d9cada7c7e77cce1a2b02a8

SHA1
a183bb2a0959d400bf995da0383c05886a6d4a57

SHA256
ef2cb1668807f364c25a64ccd5de7fe99e8f0d8456fe455bea5e267a438eb144

SHA512
6542bed8380ef25b8f7ef0a39ef5161dbcca09cce961b7c126fbefed738280c8a860bd845d75645e7fca3cd013cb9773259fb6a4713073867916071f01c7da09

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b77f3dd350e7c95d8aeb8147358b1f88

SHA1
6fe7ae23517c9201a50b2d1cc2eeb7f5ac3dcfd4

SHA256
7cc9dc20392cd0ae1a647e70add84c8c817ca058527401e51b49c11617803cd8

SHA512
4057272e2746f86128fa7dbc3a36aa3af4d663644deb7d1445fa51947261a4ba4617a25070f8e7e320abd05e8bc4292af75513c58ab633dbc6ecc0e7db6d5edb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
38b11e4b215e28bda22aa3ff5fc53907

SHA1
8e5636792695a506d5d32250eb3360ce1a40bb10

SHA256
d1c01a02ce0044d3fe393577d28a0f3153e7580d405178fa8b9f9c9eb6c48f1a

SHA512
cb7d0324127f86b47cc315663b23f4b4a5e5192cedffb803762c11c226306114604ea9b13bfe8ae74431b96bbee14fd1bdd5cb5b4f17daff3977a6b2e19c5ebd

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
09308de90c464153d41721569258d49c

SHA1
3d1d989bb186a31dd23cf58317e370c515f4dc07

SHA256
fd5af7c9dd0a32ce1fe49e6b57e7558591a427803f077f0c69b7779f99247dda

SHA512
fbedee21313e9d80ddff3d9f2253534a2fc7b976ae1906f7fe12fa4537b679798727388783d7c09ed3cc2d536366dbe52d4fa8861fbe4d8e060360f4d47ac59c

Download Submit
memory/412-74-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/412-80-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/412-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/412-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1016-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1016-35-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1016-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1016-523-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1248-369-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1248-97-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1248-1-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1248-8-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1248-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1248-6-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1252-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1252-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1252-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1252-110-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1348-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1848-267-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1920-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1920-39-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1920-277-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1920-617-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1920-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1920-48-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1920-45-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2240-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2240-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2924-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2924-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3636-279-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4040-270-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4064-266-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4064-615-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4380-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4380-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4412-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4420-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4420-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4420-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4420-614-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-272-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4492-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-52-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4828-58-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4828-593-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4828-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4968-268-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5008-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5008-88-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download