2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
Size

1.8MB
MD5

61b36bc2a452d27e7e5d8bccf885496b
SHA1

e1897de3cbbc6bace0e5b53ca531c38d89ce40ae
SHA256

2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2
SHA512

107f67616843aca33fc0bf81cdda95147fbf2e1391774f71bc15ffe155993ce266339f3af7621c234d974cfd39479935be5da223ade4a029c2e5473646e60312
SSDEEP

49152:0M9QPdxwfE7WlFwKAfzuTiDFUFkHaB0zj0yjoB2:01PdVQFwKZCFgvB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
60	alg.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
1596	fxssvc.exe
556	elevation_service.exe
840	elevation_service.exe
1084	maintenanceservice.exe
3156	msdtc.exe
1420	OSE.EXE
1388	PerceptionSimulationService.exe
3568	perfhost.exe
4832	locator.exe
4896	SensorDataService.exe
3124	snmptrap.exe
3376	spectrum.exe
216	ssh-agent.exe
3952	TieringEngineService.exe
3280	AgentService.exe
1812	vds.exe
404	vssvc.exe
1184	wbengine.exe
4704	WmiApSrv.exe
4392	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f983c17293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\locator.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\System32\vds.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\goopdateres_ro.dll	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\GoogleUpdateCore.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\goopdateres_nl.dll	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\goopdateres_lt.dll	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\goopdateres_pt-PT.dll	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8ABB.tmp\goopdateres_ca.dll	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000195d37f19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df0e29f19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a80c67f19ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095843ef19ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dda3e0f19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8318df19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000746704f29ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b39913f19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022fc15f19ca3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080f2eef19ca3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e223cf19ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e3630f19ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
2156	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
Token: SeAuditPrivilege	1596	fxssvc.exe
Token: SeRestorePrivilege	3952	TieringEngineService.exe
Token: SeManageVolumePrivilege	3952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3280	AgentService.exe
Token: SeBackupPrivilege	404	vssvc.exe
Token: SeRestorePrivilege	404	vssvc.exe
Token: SeAuditPrivilege	404	vssvc.exe
Token: SeBackupPrivilege	1184	wbengine.exe
Token: SeRestorePrivilege	1184	wbengine.exe
Token: SeSecurityPrivilege	1184	wbengine.exe
Token: 33	4392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4392	SearchIndexer.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	2156	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 5036	4392	SearchIndexer.exe	113
PID 4392 wrote to memory of 5036	4392	SearchIndexer.exe	113
PID 4392 wrote to memory of 1376	4392	SearchIndexer.exe	114
PID 4392 wrote to memory of 1376	4392	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe
"C:\Users\Admin\AppData\Local\Temp\2268166936bbce1d5092c50d706891aa991814f1ce1d8c7ef70aa655e96aaad2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3164

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1208

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2d3c2f6d3508061d5194d4b422807e08

SHA1
391426d4a09da045fda922d0f24c7a7bccd0a64e

SHA256
50dbb3402e7ba94dcd9370dacab6a254c0d2603757331c7f72a0db3e2177aa36

SHA512
63534073829152903926ad454e3b200a3ef3716aca79b75478396a69558fa45f7891ef3b7c6817271dd97ab766dd1f5dce2546e5aa376fd9def74257dc6c67f5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3b379ccc8d4e55cceef3bdd34b4a50c9

SHA1
999826b80897f51ef58537c9a995189ce665157f

SHA256
d33a755b43f6d42ff893a20c3c9603d696ca8e3b5f08bfe723e95787bcdee407

SHA512
a50105732e7cb24676dda5bbd19c9317e682cd4bc59144bf854de1875d4e324d0e18024b01c447566ec01cf1606e12d7bffe1166f77c5c63cf65fe9cf368808b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
762da6229af3468ddb15766e25c74f63

SHA1
65c5dd763350f7ea9040bc39a1448dbddab0e687

SHA256
91dbe2c7d4a9d01659a826d61db722edaf14c583a2e24425b8e63dfef1ba8652

SHA512
94c49e696290fcd8f07d7cc565cc9a193753950c1c88712c3163de5e1d0c25c6ec21871f213dabf1fd62d8bb84d5154a17af3c8f9a18b0c7445febef8fbda616

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b95a6234b4490d5722362d3216dd5aad

SHA1
f7bf2eb865a365b839c3eee14252a8689bbbe740

SHA256
8e7f07836a147c11e1bbae2e07ac072f72ec58e92037415069b4a7fbeea2fbc7

SHA512
78ade6b0f26cdecafa3cdcf8add6070060fa3533bfbc5f3b9704e5a4e40f1e9a8272445e6b656f62823e5d749cf84f9cc2d1034bc54000116756a7b061a40696

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
356b47c2859c2c4c2af7328b08241f3f

SHA1
75766182ed0c4151c2a8daf12450a722aa87f0b6

SHA256
06fef7b81eda36111d0e079f0a7e9f2f28e0ab9fb71c98f6f4be77cf2bccd772

SHA512
935c61e76298611d041c7b870b27df0945f50eb76b82b3d4e341e0789f4aa0042d20d2b662f29c1e7d796524c15229b145d9c505cfd86def8c8cbf716fca4c29

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ae8008e4f7090da16bc19ce8ac8c2cc0

SHA1
37889e6068ad3429c5b403a0511d9498ba82eedc

SHA256
c20e492c36a73deefbc7ab0d436222436a846e7218bf80c9b19067f5faf18d7e

SHA512
3336756d56a7d82074a9d497148cfc87dad761328fe20daf66d67aa52cd9224e938a1b12677b11ca2e192035f0da0209737c981e71f35c8243983709adef5e74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
01279b3e314589f8d6f2d601fa62c3d0

SHA1
7e13fe734c516e2f6cc5ca53bee9eebe21e40f82

SHA256
6820994bdaf1d3e8f04e83876d6196130f7de1667fef28c34de2401919bf74d2

SHA512
5554d4302aa289228ce4b4c9ef52af6610d0d31377024e170e40e3022580b846618db2be8535af3ac9cc7ae1ad02e6ea7ae03fa8751677a123cdf9fab7b22b57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4005ff5b2399bf6866bcb2d108fdc98f

SHA1
91a7248c62d8e97ac302a0c5bc6d6fef935e1214

SHA256
3419a7b8c6d4969db2a6b65125ec95bed621336df6e46cf7cef7f5415c39e65c

SHA512
fb86c4cb93b2023bf907796835c8527bd3d6c0aa4d873a74c6a886cb04e8b5eeede6a6aedf3cfb3ffe6e29644d93bfabacc497e6b65f29549e7e23af483a234f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fc222f7b46ab88149889aab01a82a0a0

SHA1
dfae0c2d9e90ca29b10c8b3ba09cc9d7d6737a8b

SHA256
9941e3e589dda9210b0602c0dab035a4308e6b76607a87b0c0a1e3dba8dbf3f1

SHA512
83fea08cc11c4503257be60c66971b16c24b00d78bd18bde2f6e3b7f01f4b8a26c8e3e1b71e63538bfef0edb393f906fec6a6e34f7067acaed83bde4b097a62f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2786351017cb66f19b77f226d49d52c2

SHA1
3814a821bddc4c1e5590dad0da839212ad0c00d9

SHA256
8959565233db7d20d653dd0c5f40ee527f8ef15d9435acef7f59a954b81c6ca5

SHA512
208988c6ca3a66bc8a406c4f17fa489844c450861c266f83ac7c19be02786815827dd30016c942d98bb0bc1a00ecfdebd2b78d787c4ba70c0e17ff186efa91bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f6a20c9184adb171fce8b5f14aee092a

SHA1
fe532ff4b33fb9ec9f317d2ea6f39ef0d00fb6c6

SHA256
359c0f269e8ae57fb1ab90e1827f99720f30763c3c717b05d66cc69d54e25060

SHA512
54da53d0a32a5360de67fa0a7072b7addd0f677a5f14a19702de766208dc6f153abf4c9bd251360a352add7c74e0ac029ae7b43dd3cce44ccb927f3114b8c189

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ae139bd705dc9ae0446e26651af9938b

SHA1
5e62ec3f6d3d147fc388d1fe71d444223ad15939

SHA256
ce9bf1ca7505227d3f404c3cac05a374d9c2691e15deae38408de0e45a50dc9b

SHA512
a985ab3913984af55a6e1e728855de0756ac9fb1f3566e3b21e938edbccaea2b0169f2d18a167bfa56c953790ba8111257927d41c6ec57f890983d5762983cb3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7b74d8e2c0b7f310a7c622b81ef12616

SHA1
aa9753f6487201d4fe04b5f352c2bf029f03df00

SHA256
9d927e427358455759130d142f2e28e88de8f85d1ca419a5c7aa45f037224204

SHA512
a9a3ad17b23fb30506b671aa5e63e550b070896620ef60237ddfa1ac2bf461c13cf51b4a73b87638b3e9d440c315853d4b4a22e39ceafc06b59d696c3c1acf92

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2588c006dccd3a2d34755e975ed6b980

SHA1
c5507730e57d8a96e1af66429bc337cb92906a69

SHA256
8a811adfe50d6b777e63fe2afb056f22746a7a9cbb6c664b5451cd68d79791f6

SHA512
cbcfe12a3ff5b7a1910c8b4ffbfb238ac23cd988329e5b312c33770ab519586ca74c4d35e82e6c0f6351ca35974156a677e0ac0788ab7c58528b2a5fead5d160

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
22a0bd70515f36ba42139ea0119c4607

SHA1
a7b503707fc2f82761ef1d8cf78cf5666b6cef4e

SHA256
0f974f6bb923ee978e117877c60e69e5e44f173acc0274be7315794e44db6c7a

SHA512
ab88e322f3f601d301024c6866fd07160e31926aad75e34fef701ce0656a5dd23507cf9b0eda841ab98192fbc7e4db6e4e8a7b20ce6f3b496057cab60ec80fb8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
888e3a387a6e25b2341df0f7c3015869

SHA1
4c132fac529b675f89009834038e75cc2fb7582d

SHA256
b0cee5bc2e76d4992edaaac50450d31cded4eacbdac95dd2e8928432d4c7f033

SHA512
1953d2ac90841c23ed25ebc0c491139b681fd90e46d23f71b74e5b374a2202fa152fd6a4135076e1fca982054b54635fa96497c4b9b8aaeb4d7b4d1abda378aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d4b3ff73618101d41a5a4137b30e2d2d

SHA1
99c96e6e72c9462df4a487acf346193fa4873746

SHA256
22bdaca32e370057c4f8d725565f27a43693c8459d126006b1a128ec6c24c853

SHA512
35bbf7c6cbd00c3b7cd903ab34728b7add4792555c8269a72f2d021c06db5c96633b05f4e2992a5a35081c7cc844e186b78754399b98d775f1b5ec162c7faf7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
32617426c6a3e4beb41cc930d52649e5

SHA1
be6fa44848db317a36adfb5e8278b2524047d3fc

SHA256
37a63b4313734644b09839ba2f39d39ca73af11657e87635a8dea254ce6ea45e

SHA512
ce379512a7ab7be7a9fd28388b1ca9098b64dea5026529914144957cbfaec8fefe2eecb368347ef0aa9a1342793bb100e2e3f358cb5021865df45e34c58dbe35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5d1a276005e0c5f15fb8e3e9bb4740ee

SHA1
9e734f0110c5afa94d4e661b407ea0e16cb0226c

SHA256
2260cabefa96345035c6fed8e6a59351c9baa490d703d4761687edfc55cd3b03

SHA512
185c360757b93157ce0c608afd33a0aa90eb5dfca404a6ac263bfd83c64da49d4fb224a6c6ee12bb52252c8483cf69c896addbdef9e22c917d4b5f83e6cd4896

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ba582690f7d5b182946ee89cd64adf3c

SHA1
c3aa78134749900e96b44b8003029f144a2fcbd7

SHA256
1af76d3a965f498611c1ec4dd83191144b533067a06825b5f83358fdd0c56e61

SHA512
53946386af19dfc508b8b71488a182223365686f7e9c1e165547d6b728895262e470cb4fb5a9d6a73bba105ccc652114fc46e386524df33b2eb23da062613de6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
dacd8847056a15629a4a11fad10d58e2

SHA1
5c5343ce6cf89cf986ca9c83264b3cf91369e7cc

SHA256
5544c438b9064acfa0baa23e3df4490005370aa621b07b839ac7150b46580a5d

SHA512
675c98edbb6d746569c3875100e1df2690ebda9a91d0327aaa7cccf899ebc8f6c7dd16972370cc4f683e5cb5c8179e0558f82ebba01a367526330b49563f9745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
21354a39878cf7bd78e481f4798657fe

SHA1
b9cb073054004702dd7e7dd11852073e65b89d00

SHA256
fdd61e4dd7972f9f4ae618c4d502571ac73e3a3956c8c2762073f69268c12916

SHA512
20d9552cee8216958461c9e5abcb0d1cba4c800bf88d10fb45f6feed317b7e1ac372d590dd8b31d37db07cd87387d8823ae462b13eafc6846c042dc8e5b796e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f1c89d19e34ce02faed600df125c7bda

SHA1
9390fbcf4a4ab8421584f68ac0105cc1dada0da9

SHA256
92ba9c92f97c94bf0a6da04b2761ba0f3473f665ab9b2c2bff37885cbfed32b6

SHA512
1d00b911c86ccb4db7dadc546a0f05b4abb329873b3dc4f72c5d027efad3ca0caa89b2cbb82f3af5d8ae9ded569d5d06cb42b92a6297ccbeedaff8e6b7ac686e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5c30b84afbee617a3c4c24f084b0a5c7

SHA1
3e456010a07c30217a3839a9c532eecd49f59034

SHA256
4fe0df0c7de26ec28d1db31ea3d0b44fa06c107511a71923d86fbdac742cd84a

SHA512
95cf99036cb0ca1a538478db09f6f3d8b746ec91dcf8fb515cbb2bc01eb17595df2f960e1983a5960c4f306307781028bc531c55f40ae4d81ff6e60ef0d7761e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b621dd702da48381464dd4239ac113e7

SHA1
86db792628653d9dc5ccb03c147e17727f7c438b

SHA256
d11736abb59cf5a3828a77532caea88ff56d2677ba32dee63f6d2721b4360a7d

SHA512
87b5dd1534d48a6ec9f88d98016493e29e9d074849a8c8498ba86f75918b7c3f238ea2f846c91a8ff1e564a7e2f767766778f674602aaf34959ada332a7f6cba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
012392fbbcb99db0c9473b3abd672f80

SHA1
64da7a20b4b67f1a967aa927336b8947b9589e41

SHA256
d6cf17369bc0bbcd108af75c29eb49e97ae6fe92f4783c49e1bc659fc54b3b8f

SHA512
2702af7ac86fa80697a9147a71a256c7185b6b2b89a691347fa018ae3297ef20fc98657fa35b9bcb5d23490d6810b12d99e6f3947b0d55ad4fb9d63158ca79bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1331ae80934e3941a6173dad1e9f7c2e

SHA1
ca575b7f5568d646864b1b8996f009b4091ecc8e

SHA256
d8407354911d615f0824985b1bfb1aef1ae99147e2827923633affa2cd18050b

SHA512
7f53dc6957a8ff92ee6c4ca3f89e979d0d5210bc0dc4586a0b3da577cd0036b36abdaeb5d4fadcba0d5af551021dcb9bf45c55ba548502f06adae3c94f931406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a54da5e42085f41ce79c49f8116dd780

SHA1
db3ea579834baa44cde8aa7e3f1204cfec2df699

SHA256
f19c3dd8da28827a7725494b9923b2448cdcc6c32454507c05c9dc01a59a60c4

SHA512
ced76d668b8ad326a22e9f787b4b68f97c55b53291ab3a76f89b5949422002cad1c43700456030b086abc99d07347b27b09504340884b702d57527f895b604c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1a10515e181c75eaa6abe5ec53105697

SHA1
cfa5df5289b8c1839ad3c74fd1d32a49e1101806

SHA256
9cf82e3ab46804bd7a40676062237a69cb9f99a9cab346d3badbd2242c742725

SHA512
164187190f323d11ade289d9575f5758529111488188c144e3d0069663342b39d8cb57e4515d135a8c04ac0dae1f22ca05063dbf8470115c1e70a4c1eb2bfeba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
391131ec9a3f8e3e7a551b09fbd55948

SHA1
f2a1186f05502748948804698ac9a9b7ab95b610

SHA256
60edb8aee0c3260dcb5c88ef05023571cb53934d069c52432c3721a4e6c12c06

SHA512
c8a2256e4a1913cc3011e52c9d814000a5ed471f16d780834e98432ba0638861bae10b959b755838750946ffce5b19a48b5a0c66ff2dbb209a0cb4a6b5e08398

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
00af0a369090570b5228a8c1cf47d9b7

SHA1
3840663a1b122ce99582d7973e4ee546ef89289b

SHA256
eeae45fb82c2697e50a15e08a3ace17335d495a9976d8bc002e0a689867d5d56

SHA512
03eeac2ebb11fb1c5478f783d838ceb63e079e4a6d80379e37e25c87b5cf093dbf6da32212b3f1c3a1e4f5cef386b6c0120659a2d8a94bce21929c126c7c19d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c4d2e0aff5715fe77fd42c649d654787

SHA1
e088bf7ea97e255b03fec7d3b01859b6760a1baa

SHA256
8a1fe61644be99437954888fa1adfc9fcbb312a18975cdb86a8b0ee96ea27de0

SHA512
0328580e2694145be87bec5a411ae1edf1f4802e64e977cb60cefa30aa200c0114f95684d928e31e891c5d5a2c804bfd1a336e910ff255a0d1ef3175eab23e95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ed8ca8192212536019a4f17d14d5dc66

SHA1
b46db30725031592db804a86553d14ab340656bf

SHA256
3c946382f5c472593bc98e79b03755d559bdc7a2a655574624149939ef15a73f

SHA512
13a7f04d9dc1cdc12f6702b7129938e76f8fa879f69a13364dd99685b7bdd84b35b96d1dc735ac6cd2af33518bea1d9be2302ae411dd63bfe074eac0448ef264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
992c437f16a5535f32920e38a5914c54

SHA1
ed520776e03a7ab1625f153c800f5bfdf7b997f6

SHA256
3bd38bd2ac65f95ad2681b2616b62a1493f9f76d8d5c96101b28b6a3b6e64072

SHA512
cebe9c1b0218d96074bda0fc1d7e2f145cbe12d681976b210c079c4438e777d9094caee260254b97d5ca6c52d0d6d3f965a1e88b223454e4a462ffccca6b1e17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
179f667afe48459a5ea07a6d39eb0d92

SHA1
613c961b9e0462c7d7564b436e701f9ae87bfa39

SHA256
935382f572f5011dbbbf6fab887033b7a4533486814dd74016c2250c2820aad3

SHA512
d6c2bfdbc34de32e7f309596f0e4f2f04df75c81345eb406e214511977ad18fc0be025d32f019a9260d83f3a59604217bee9123629adc7405acf53ef919e5b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c0de1ff11901c2831520e8defc388334

SHA1
4982f2df7c7e35de893e6fb4d804468870b79709

SHA256
faeda2c4447ae75260bdae1b2abf220dfccff073f445fa17f2170af4e13156f7

SHA512
df7aadfdcd6a5fb14033c88c17757d026c578b0e37f9cda75a15fa9996d179e064b67de1505c8aa8e9cfd6d76c4c4832f5280546f83d05091c8b6ef76d6c12cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c3c9cdb945394295c369e57b494f775c

SHA1
f2ddeea9361d5db4d2ffd8bcf819fb26e694fc46

SHA256
61817ba48e66d6512b7ec11fff9aee3562bcd81a82d6375de456bc24d31c7b43

SHA512
7dbc4eeb74d1dddbb658cbfdfaa3c7b2a77cdc4f5f130859b6273eac006a02b387c0f9088d73d3ab132069a593125ac13cbccee2ff6f94d14a5b786544f9316d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
16fda67903bf3785ad36050cf790d9a1

SHA1
9068305fab6b55d07ce168b6274e652d82ce9eab

SHA256
8a8591ea8f4a52bccf194c5806c6692eac974f875b4e964b2b5410794e4b7c01

SHA512
d24d00ec88e92f0d4f07b6c4b518c3b0b3916848edc375da29985d6394476d8152a400b9e67309302e8cdd80ab9553448751accf187f81ce03ab22a19a07d048

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9ac4a1bdb51d85ae9e88e38d934bc270

SHA1
5c91e58c964e1e042c194dda34daa1163c8863a2

SHA256
90c3b2e0fa9561025ccd1f848a1857507e23e79b80f6f5c0e2562ab900f70a39

SHA512
233d96e12abef963081ad29a8e713fa48eed15dcff54ad60de23a078bd0945b405f631ba458c16db7303a16ca5af6267e15182bb9fe394fcdf65293c0d030647

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
16b8a9cf68db64f8e2c75f437add068a

SHA1
8f28a442cfab3272b59307732770f312b0cff9c3

SHA256
fa4566f72f601f676c598865342025d11980feaf70aa477e776378b0689d5774

SHA512
b069b289847bb5400a83392285c764953ccfa8f62e0e0a3863fa6f439bec0b43baf12e7e1b0d8bf58981b073e1719c4cfd51be9b44d0b080330b865694f3a72a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
09cda6d88eb47c1f6edda696fdeeef85

SHA1
1a903309bcd37b69d8da0cedb4044223c7c3ec8d

SHA256
b89dc1704dd66502a3aed1dfa3e55e5c4ffa8c428391a1ef8acd3e08c6a92fc0

SHA512
a14f36f60507cc723f28c661a71ec0432698f28832273f3538326f2e261acd910a2a1d9f362f12ebf56cfd54583fce12505a7385fe2c4e33880ac7b647ce898b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fc320bc5643622fedbe6f7829d7cac3b

SHA1
480eeebd575e81a27ead06605ed3642a731f1f95

SHA256
c6d2a27861d94d39ea187a1b33fb36b1563e6b94ec41f3e6efa84ae3f7c3c41a

SHA512
082906b536e4d7523655ebeb93b07904228550148bde788568f1cf6686b9ad7b971179a81c3246eceb48387727a52515c6432a8511588310ea7cc4605cbce5fa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68fbca7e28dbd54df1dadea32e2acbe4

SHA1
fc8c787ed9ebf25f86a26716b56f2100a6d33969

SHA256
fe4a6b3be52e669f8412d62ded4ddeb35d1edf7ae411130afe4407c061061b2b

SHA512
8fee89724accb6afa2cca5cea3e7d053d8bffab38f6ded0c67c43b2e8985bfe671761ee29ca1e0266dbbfa97ec2afa8c7854b651e92e72f8f4680fdaa8321836

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
936d1e1e70c1ec577e9ce286cd7a0382

SHA1
9ae0c09f2c3e9e869858e2f92016afb89219d0b6

SHA256
c36e0c30da0c358d19db11c70a0c07812a89714683cfe147972fde68e2511241

SHA512
d084ccc5b71d788b487ab862045a401d571f9358b3304ac2ae110b81e769c763b5e3091e78140598f977be250f859e62943f4c5dfcd06be110ec81356a346aed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
da08bce1201b5d4fa26ac5b55f5197c8

SHA1
d5b45f26c87fa889a6661514b97e98cfdab6b4e8

SHA256
76d9bbd29b01472ec96ba08e5c0efb54597188d22cf3ca23afe49f14a54aead6

SHA512
9bdab0e065a2b9ffc5cb314c6f3d66c1361c8b7dd0a14c3848ede33ccd5ae700c5f891673b84d205a928c30e9f2a17d464e0d691db7a128dc9d28db113701c44

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d10d3ce48ef5e1dd05906ec61c1f6df5

SHA1
2ee2da7ec773873122ae995e98dd285d83e43936

SHA256
252cb2bbe7561d011d1ff06dae26232c7099b3f902e8d0c82c6e93593bfc6da1

SHA512
5583ef50c50c394c65b80fa33bb1e1f4f09742db43b1df9c839aa9dff6cd4278c5fcd839a2635cf2d6f71d38899f716a8a86577f875b31e33c618747c6cbe070

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
30b9fa7424fb82da811de8829e929724

SHA1
727855ccfaca9b618c256a3152dd52f88c446cde

SHA256
f381b602515f216e94be6b49af5b8845cf890e8ed3cf1cc75f78c32e98e57561

SHA512
4b6ee8aeadffbc7ff01892042f2b4e0f69a163f7d177a97ef8c9ab2d93d4299c972ba277a2c717580e5d24ddf3868c0703d55dd5d6db725c135cd7deff1d489e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
26d1f0678c106fa31b3eb665ec692882

SHA1
e2aea2c257518ec4f5f188920d7c31ae700fb93a

SHA256
55e8ac6e40176b6ddd689e980f1faf8cf14796598195036c7f2d60cba0b0351e

SHA512
65498e196646b1a468c7728998866d452b01cffd4093b5bee10bb399ed07490ee14f116314873d9c71856a5f36ddc6db13b1e6e017c44220461bcb7cf07dccee

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
47fc5fc075f244c4e7b820b729b886f2

SHA1
abbd8c80a81dd41625a7ad4d5fc0a035c12db702

SHA256
8cd922c3fdb4ead3baba09c3bb17b898994ca32a2aba1faceae6dfe2b1e258cc

SHA512
0ce25b27bc26b54cde281ffb9d0c0e486f84d236ce33f30389e3d07384cd8a9aed538589d22e55e99222daed8897626c7785098e5ceea38e2475d18a67e3c7d6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6fdaac10d5489c497365c377c0c1ed0e

SHA1
52c9b5ced8f32a3ee9c4665118797b3762d15d30

SHA256
efb0805672b99e11cce7c87f08ea54bc8dd49c6d32768378291c957efbd3cbb0

SHA512
06d4b5552b31845186629d35beb82340e75a167b60cd7f8eabfdae915afce652f31344a35f3a54d19cef65d8c79242768a903fe624d0b74a810efee66b053fa1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3416560404f6a88e300f31196fd21617

SHA1
2c4272e5e5b662aadb44daae1edb930d769ccfd2

SHA256
ad86272ac5e030055aa3d3d0b1556faba116784e3e01a73c4c2992a44fd7f444

SHA512
dc3b2928a65e7a03856571ae579a905f10ede74ac9361cf51deb554bfbd6eafdeb5af23c50dcf14cf1601cbf99de56686846f6db16d257b5f3c2355678d7a9d8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b26af7fde51a4e73326bea1675b2529b

SHA1
94ee74e065d7179b55f8fb6b79a6efdbb4aef241

SHA256
9f43ca1255fcb802d51222be11d9bed53234636326ef866bcd6b21120e30db3b

SHA512
b2dd1d8a706fec9fd48960a06a13aac63e2d7c13082cad424372d42e9213141cbfa4dc04f8dd4f8da71a02bf7784b14e3b068b831ea7d824f4f9cc21dac8a1b1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a41c231a1ffd1d8d285cb55c22a05f62

SHA1
abfd5dec81fd538b9b3a292e1874d092e88aa027

SHA256
de1a927f5891b2ce875b636ddfbf1175dd2204835624256d95f82d4d91bf4d92

SHA512
8c503eb714e5c0c2ada293398e13b4d95b22195d6cebd168d4b3bdc7d52bb733121b87dfa7eb889029d618bae2b2c13a02cce2881d244b6211b70af07caf84c9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5be3e9807770d1930dc6d0fc3b692797

SHA1
4f8056a633fba304fa1ea3c4c0c1ee12383f28cb

SHA256
ed01957408af08ad9cb320d5799f6d4161993283fcdc916b8c0310a12fc08bbd

SHA512
59ff3fdfa8a8ebbf799b14aeda1f78aad87ea2dc012cb102542ad73eba0d580ecaf0289d9d2870cf2747a6be040b17e0e6307e79357590bd94fa7cc8afb1bb96

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b038c595949aa41565efa051bbe2307

SHA1
c24626a48e3ea178235767f930e4779ba46da95b

SHA256
587c913361e257e1c67b65c58f9e669c86f6cd13dd1aea183a3b3e56f0be2128

SHA512
6fa2a1a9dd88d74027cec423d20519321bb527a6712d9ad337876a93220ee7abec4b0b553fe3910027ea8efc736a9d99b261c7e412d6e00762a92997726d924a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
07a815e340ac09f29b0f683b7eeb5fc8

SHA1
a70a1be08ebc9e83dd9923b0c7292c9e0070cd1f

SHA256
7714cdbe57cb4d36971ed58bb5dbb76b95d3933308b07b8df0b500a54cf04eb1

SHA512
9fea1025bd3ab561e0c512c2d59f8a18e457e2e832ee3b810d9e8be892021c665213e41bba676db1f82c5aeec6fcec6b65b85f1ca92d04105c94a521ba46549d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
565cda10d1726a9765bf084a5886ae5f

SHA1
af2a32bd1d4b919c23a664ea3033562185b50867

SHA256
3e7523377feae31aee3fe69b7319e42a7deca2f06d80e7d268ec59fb8e790810

SHA512
7d820b55ddb6275bf3f3bda89cb5ecfe4e7a8d84ca39bb979787666d263768a0c700205fce96955d7a7a313780b74a02f16092a3f46fc8fcba1b37852e0b03ce

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a9f56a7c97553fa9408a55daad1c14a0

SHA1
afb1eaa46bacba8291dc64ab836d94c3f317de87

SHA256
c70d3ab1cd1f95aec24902706d120fbe13b786656d7002c5c7c84c728efd18b5

SHA512
399517e524d6011fea0d1f1ae7cae79251686c35046afc37b02c3e7b899f614fa799d3d73885af3be9cebddffdc20bb993280273eceb0d17764a37d1896be25b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4ba459cc5f8629db1cefd1e7b337e104

SHA1
aae6e9686088a4e7574f2053091f670a7e16a1ef

SHA256
0ec94fc3fde58439f1695e6b42d2e8c14883a9ac27d1d0d2b1fbbd1aa9296cd3

SHA512
996adefd971feee6696dd53c6b8454c95ffdabe3b8a7f09030a72f2cee77ca8b56bec4537627a50d77549ed888b0a13796c23883a1fb394e978f5f4842b86774

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1f9bcc7836e25c38ed949191280acd3e

SHA1
3eb9f4518e9955a3c6cd7768274c080b36c7ab27

SHA256
fbaa2a04104810c13550f5f55a3d692e66299f4d6a774773d3b581547b4e0bfa

SHA512
e6ab1eb5880a3ed236c8002d72c0a62deaf926dc104acc8636d53bbb4bc2f4517fb09bef0be61bbe5ea799fc1bb9376e0dcb182d802c0ce546ef43708357b632

Download Submit
memory/60-78-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/60-194-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/60-67-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/60-77-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/60-81-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/216-702-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/216-255-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/404-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/404-705-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/556-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/556-115-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/556-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/556-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/840-130-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/840-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1084-152-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/1084-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1084-142-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/1084-148-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/1084-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1184-708-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1184-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1388-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1388-295-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1420-283-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1420-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1596-110-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1596-126-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1596-104-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1596-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1596-127-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1812-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1812-704-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2156-100-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2156-204-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2156-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2156-94-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2208-1-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2208-573-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2208-168-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2208-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2208-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3124-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3124-636-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3156-164-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3156-156-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3280-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3280-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3376-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3376-699-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3568-307-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3568-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3952-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3952-703-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4392-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4392-710-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4704-320-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4704-709-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4832-319-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4832-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4896-697-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-332-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download