4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Size

608KB
MD5

cbf549d9d4f2bf12e9d84026eb771181
SHA1

c5dbaa5755fb86582ff57fdf796a1bf18bf406f6
SHA256

4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f
SHA512

d7fe72e8d38234df729a464995e25a3eedd65f868fee85e5a1b089be5bcdc319e0c7f653ca286d65f07f7c5cf19c13209255076889c00102774336fe84ca126a
SSDEEP

12288:eUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:O8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4988	alg.exe
5028	DiagnosticsHub.StandardCollector.Service.exe
2840	fxssvc.exe
824	elevation_service.exe
1176	elevation_service.exe
3528	maintenanceservice.exe
1500	msdtc.exe
4952	OSE.EXE
312	PerceptionSimulationService.exe
4708	perfhost.exe
3676	locator.exe
3344	SensorDataService.exe
2268	snmptrap.exe
1340	spectrum.exe
2820	ssh-agent.exe
4040	TieringEngineService.exe
5096	AgentService.exe
5016	vds.exe
3632	vssvc.exe
2888	wbengine.exe
2396	WmiApSrv.exe
872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8195d6d8293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\System32\alg.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\locator.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1e6531603abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d34621603abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063e4721603abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6aa581603abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da49371603abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008483511603abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043c02d1603abda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeAuditPrivilege	2840	fxssvc.exe
Token: SeRestorePrivilege	4040	TieringEngineService.exe
Token: SeManageVolumePrivilege	4040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5096	AgentService.exe
Token: SeBackupPrivilege	3632	vssvc.exe
Token: SeRestorePrivilege	3632	vssvc.exe
Token: SeAuditPrivilege	3632	vssvc.exe
Token: SeBackupPrivilege	2888	wbengine.exe
Token: SeRestorePrivilege	2888	wbengine.exe
Token: SeSecurityPrivilege	2888	wbengine.exe
Token: 33	872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	872	SearchIndexer.exe
Token: SeDebugPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeDebugPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeDebugPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeDebugPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeDebugPrivilege	4576	4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
Token: SeDebugPrivilege	4988	alg.exe
Token: SeDebugPrivilege	4988	alg.exe
Token: SeDebugPrivilege	4988	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 424	872	SearchIndexer.exe	112
PID 872 wrote to memory of 424	872	SearchIndexer.exe	112
PID 872 wrote to memory of 4752	872	SearchIndexer.exe	115
PID 872 wrote to memory of 4752	872	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe
"C:\Users\Admin\AppData\Local\Temp\4db8294a545f05f71ce956231535908834e2c3a2804ac3593519275f5661868f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1500

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3252

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
384864b978408dc1d35b9299532b9102

SHA1
261ff904bb9346ee4a61deef37f3ba14fd7bfe1c

SHA256
f5f3a7f1bd8ade0660f01b0ecd7a8c3777374c3900c0aa7686619eb2f205c9f5

SHA512
65eddc161df5b0c0938218e32a7163dd34fea668a3bc74005bf5e38b5836f0c8b558dfd03598e148db67f7f83bfd041c70d2f2933fbfd7803aaa80a147d67b1d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
02db10e7be6cede9032a2e3843461ee5

SHA1
177149b8b30f233ef7454d61f13f468f3743bbbb

SHA256
c6bdd8bfa8e703e9b710e2657c16d9028996e027923d5a49c19497b0ac4f3ffa

SHA512
755bc383aed2351657119d8c705665c6a48d869254c18546c9edb7ce96a0ed5b297aacc9519429a9869b5fee1763f30bfd046abdb09490dd1cd00b696c04f00b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6b589a3fd0429343a9335e807630daf4

SHA1
ddb3a815fbaabda1cda8bf796b2a0cf0ecbda299

SHA256
34a84f289a5866df17525f8ccd58c7d8826e0dc995f87ba5d050608d52031f72

SHA512
8347bd72c687128304ac411e0c09577a64f07d41c72d979710a2547c8d6dfdd7ac113847364f202e86b1c53acfc25222129affcbe10fe786276f363a68554c8f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7859b0bb7a66e7d69077c0987ea52758

SHA1
f696a577adf5669fd2aefda5e6dfaeeeae46206f

SHA256
0d37f2e4e73a754cd3e2c374cf01fec70cd497e9380456d21fb38b81c7d09e1e

SHA512
0a04d0c4fe3c5930c20a01e95eb5064c6f733958ed0386a65252fe5c660792fe4b2ea482122b9c928a5f98679e26e02ca270f41bde13a4267756210c1cf53a7d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a54ac4e46d323730e18bab722c3c41ae

SHA1
f2d40aaf0ff6491dbdb3459e8d13f6b86fce3163

SHA256
e78e5976854ed1275f53f367640dfd22d95ce2174472c54b1bfcc5add904aa80

SHA512
d8dfa129bd9de33693afc7457b53d2d2a3d40b350c2b28b64c7e22fb9bb770d5f9cb0d11ee13efa58721aaf72b022f683d96b7ee199a354eecde78931e7baba7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e388ca8e8a9b3a9306387039fd8b9708

SHA1
1a6bcba4b44055ef0661c4d1a3471812436e6c55

SHA256
26d6f9216ef62b3d33ba61c163cb3b1ee19663c5277df3f0e850e8e62aa5f37d

SHA512
fcd54173484b65ad5208d9491a7ab1a6d9c3b75e6f4f9a3d3a788b3a90df50f3abb586d12b4e20bd841cb1281de87683e0f50eedbf709e543fb29c6b3a8c1622

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1892be044e77bfd12ae3affc2fc19252

SHA1
41f5807aa0bef19431932c701f5098423778a82d

SHA256
43517cdceeb8da276b0cddf21a5c542d86df321ee984fa11c739dd5534075c39

SHA512
44549a2b2c2e608b7b4a1c735a8c545196db41ce4fa7c4f0b48e730c6ba1c76aa1582f5cfc633ab3b030f3bb6d843b96a8c4c923432e548ca6112e9d9c30bdf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e303b0d996bd094a09cbd3f06d9fbaec

SHA1
26b95ea33f79217969c4a81e300bd8da4f113431

SHA256
90c96673b9235048b0711a176891c44afaf4d433c50ee55854cf0b83643cef2f

SHA512
f0cfcb62c1367cf3d59a8586a84f3d5a839b34becfc751fdf98055d24091b778d5fa479b2c924150bdcb52cb75b7b37ad712edffe6ed07d941177c139f08fd84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
800aa632a11161a68054d783961ebcc6

SHA1
362140e0fe6ee43e02a5a3f71a962775e613a19e

SHA256
50adb9116210041bfad406686f1af48f56d14cf8a0cdf40e0e69368a5595f663

SHA512
59a410e27d2fa3a2cab772c3f00aaa2e6d1a7602765e823b0bc8146ab2b8164c980a6001c48cb279c6ba867949ea683ef4b3a19e5ad5df81a2f8313587457bd1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6825b4a9da10d1edb84f5f1c786bf135

SHA1
3abdebaad6a62d632b5a73705e59d1eb78b7376f

SHA256
462ff2950c1488bf983933c17fe9466e31b3e8f67d2d0c17cf3934489c5d528a

SHA512
5c15374fd8bb4c8cfdce3c7a8af5525f0d62ef389c88e9fa70ba4a202af324a92d61baa7c961644e2b3a1ed5b9c8454d012779fc313406445ec46670ffe18a9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c3bf74b956d90101c4ffe2aec0880aaa

SHA1
1772e8473a3ffc4a7fd268ff94103f952070d335

SHA256
88faaada7000201bebdbabc96d1207569ae35a9ec1df74f1f4ec934bd1ba5a69

SHA512
6c30a4ec226abf20622d0f70e6a347d276c933eda52a8af8efee811e0a8afc14284402358ecb0c792879478830180f5b5967062a81fd3d6eed221ebe5d42fafb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7f26a1d0c957457383f3b48d6c36354a

SHA1
c5df6501205abbe41ded1ae01736024bcde51904

SHA256
0286fcad9b0bf3f4e1143648181f004203d6e4082416577a4c577b2600afbb2b

SHA512
6f5d50c916aee56fea2c60ff2a64bc1282fd3407ef0afc16155b3f64754f52226604da0d61a231e517a019669c59a5efe9385ac8152a355b2c8c27f24c78b195

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7d8d0b6b8887483ebd6f7a1f5728a6cc

SHA1
69073f53e0d1f96e24535c60c0f3e0a7ff225c27

SHA256
302a50585a686cb17c1abe17662da8a9fed6509efb552ad9140829854f16291e

SHA512
c199fc3e2c4d3ec17aee05b92ec035cb7dbc474cc19f6ff97856bdc706599646d05d543a685589251d9844f30d79400c57a9f0934327a8cbc95132da9e958838

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e0c59c1971019674c1c205b92bacec0e

SHA1
d6190dffc5644a21665da59cbbe34377ad31e5d6

SHA256
a0e4cd764f9e034ff5c03b40bf186555f235b921da7b716bebdeffbfb36a68ee

SHA512
2395ac4a057650be2ba11f89a6a164cb63ac7c28131833f3a5b34fdca0229de88db5707521630128ade75a3cc88fcb7717bb3bc4626916791c0c1adc99b9f9de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c26cd17cade39314cc6291af0747f21a

SHA1
5f933d16e66698c4e9d12e5c2458be9649930ad3

SHA256
0905032a65753580e87f632da4953cef96adb5d51353b06f294ba93c077c8bba

SHA512
967c0c87e20e74c3541d798d4204c0e4abf0f973438fad2cfccd56363babebb58799372f9a248da18955e7273f62fd55698b33b4d3999b36e0f3379b07197dce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
53b3b16c0d422bee53678993aa197bf8

SHA1
7d1e6485455622c3f6ca644b283797797b2dfb38

SHA256
9abdd8016dad4f3d4d9e12831a8df8b41832de1b10e15522d1bb4279a780863d

SHA512
e6e86cd8420c7b488560937e42963d3efc93f7238a69f32ba1058ae235f6240fe14ec37ea6d41fea77cfb76c03157c7671c3e3627efa759d1273165a5a304ced

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7d35fcfa759ce46db2e13df3547fe921

SHA1
a1e681c1eba2721ee6af64344d75d882fbbc2718

SHA256
3a8af269c385ad9b7826f00c9c32789ff84a2d49b872051260d4fe4ed83fd567

SHA512
4de2edf90d7480dde30899e6d5e9e9fadf651bbeaf90ece6dd9ed0623bcc891ac9891f6acf821d2f32ba830ff139e803dc6942efde7a67e5658cf9b7e1f4c457

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f1e90fda23a8f9dc1d0a2944b25a3cd1

SHA1
d793c9881d6de9226da4a734b9e2f42ccb96f74d

SHA256
79d53d43d2a2e7cbe0b295c7997d8e4d0ac001b2c614bef618ece0368c1ff6f0

SHA512
feb0997f1ab858e46706a564be0f572a204967038164775554bce0519c49cfa8a8258ee6f5bf807bbf3d87eac38adfbfc45ab9877b7ea56be84b1c6d6708add2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c11ce81b8e582d03fd87b7d9fd0e0e55

SHA1
a3d4b8798b0e5011c4452f856ac7fe6100c39458

SHA256
fabfa1ef2230f892af0fb87e924c12e08748d75ab76318f4ee58625781412851

SHA512
4188ac2e65cfd652b5e8126425c0e7f9b0e504806486ac93ac88cab58ada6819431adebac2e8a217990c961e476c3519715f555d29a24ec8d5b7cb341e5dbfde

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
df6679739b9ea1305d62577ab02ac54d

SHA1
e07efca54ed8c90cb1e1cff0fe588983c10bcbee

SHA256
3380bc93921cf549686ec6860ba6155d8ff1417b837543096331a54719b0a929

SHA512
b15e6bd4a3a7fbfc310d1753647782655f1f3e5ff92ff1162c928cddf69133f15eba40eefa4380b41dcc0ca15139dbc888bd358ddcea1b19e7d6913508e5de47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ff2e9a470879842d38cc1218dff6839d

SHA1
7c0b7cdedac7d520012d365dfa2e107d97703dab

SHA256
ff6078a04dc25bafd074da216112ebd44db6643a5df2f0c88098365c914f9a8f

SHA512
3424b2ded73dda204e0985301f995333e3b5a3de89b27fa5616485079d060b5a6ca6533e20ca50e48beb417438655ab63ab6649f21e76d23aba4e628beda408e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0e7b69ae0a895fa83bbbcd83d0309aa7

SHA1
95e35d6f3172716bec93adcda45b30941b3db44e

SHA256
7e78ae4227313c066603c4aaef1e1a43c3d6fde15e2d69f8b1e85c20893551b7

SHA512
87510a68d8c50d578f998f81aa4036499fc0cb77670ad92f12307b59846f8da85ab1616eee1cef76bd9bb4e887dc638d02d738b0a9f1e3e98973faaa67c5346d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e5f777453011ebab03a092429ed79f5e

SHA1
4a936d694672000a8be70f5c471e2783a4b4db6f

SHA256
5d171abcbacaf8f1520888ad7a6aec1d757f13d720708c86002fddf01e0dfc0c

SHA512
aecb0e4220ee460ed7086c8e4a3fab3ee791346a038a87286199318973f3aece20f72a33cb767a220fd0e68e829c6935a412cf30e08ebda14366490529f07f19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f13e5a241f3918c470dc91e0408e2ed8

SHA1
b24d9f1d28bc132a9d85d972764fc0912ac904a6

SHA256
33e0a58debc0b97ba2978b11d85e170fa79ae7a477eaeace2875a89525d7149c

SHA512
b17ab97f3bcef82f536b5802791edb18cc91da5fad58b465334cba2dcf3b3086466e753cafa17c5a35d1345ca2c32407c8b72140f75c0589668a9919ed117c3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
84f51849388a06adedb149c521408735

SHA1
0226cb56c8161e5f85a5912f1b5568043ea79915

SHA256
807aebb72e99f9d97835f7cde60277e11d1e7a3ff6c05c880926ddce59d827eb

SHA512
5da65563acbe851805ab3475b7633d0f63ce0bccd889c61d30d31a5ee331e09850c74f0b9e3e0034b7ccc786a471fcb28ffad5dcd1ad4ab6e0236e353f6b2f3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
59924df739a3ea06a2ac16bad49d78df

SHA1
e06c49492e71e82d9e445c2a001007c5520cb0e8

SHA256
a96dfd5a765cb82f7856f6aa1688bec1c093283eed4cb8fe81b19835d3afdebf

SHA512
3ee28301d94e47d87359e3bd3d6201fb2dc6a3eac5b2ab6ccfda35e01e6ce29329a2df1382f944f0a97296ab24a51daf85e1f1d71d958a3d7088954457d51e0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
53aad10be92f45a8de38b55ca1caac35

SHA1
efdc13b0265106035864eb8fd6c22c2bc1fc3f97

SHA256
384e6f56d0fa7b9d1d9ced3d8c482213ab4e810365af7571ad277a6091ecfd3e

SHA512
d32ad2557243e733b4740a246692d9a0d336bd31577802125f9a1417539d715f94e8e08b82ce68e961212e86314c4aa3b7ef91b1ab94b41f04844347d4dcb9e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8bbcfd93e3fa0f587695252721330dbb

SHA1
725a68b2697995e23332bd0f05ae3ea0ec5ef148

SHA256
847cff5de8a44a145c82d618d83a0e7659886604c0e1e58fede5013ae36274dc

SHA512
fa46047702a962c31c5015f42e9287eae0f5b36a6b0feb53c5cdf814d491817a86c0e7c9629c20bdce3939128ad204cd7616a8d4a289bab5165130dd03607c1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
04e003517e7f9438ce326655dac62135

SHA1
e1cbcedd8ed8e425cdd0ec4d6720400427b35588

SHA256
403114fb7891055528d0490099af18adecd86880bb1f23450e2d60c52e2abb02

SHA512
e80b0bb79c9d39b4b0a4501b70216bfa607c41ae80067de59aa2595e88deaa4a860cfaabef84fda11afab37b53cf8d2d1f3cf333532c948a51bd9c84514ebe2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
896b626c21de49c1fb58484f1ff5c242

SHA1
37bb6fadb10eb5d897e538052e68d3ff4e869ed6

SHA256
1e413bfce58b040e930e03a48d703d17c331af940cd04b2f95544635c7e4a2c1

SHA512
949afb95515ed8fc5c33d2843631b60bc09a2e28637c26282e1c3009c8e1f464bb9a0af5c2a9822c1d56129cb50eee836203a272e7e2841cd5dc68e888d07151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5293e8f56702cdeb27ec58e218d62792

SHA1
5fbec77aab1d2efcbf407a150f21b8d7e91227e7

SHA256
e317bef9cbe4ec7ed2bdd3e1b3a5f6dc6332a46d9bdb3a3c5c0e341ebbf9e2c7

SHA512
a8be900355350f853e80de97cc73a05b77259cca384a022b3c4bd5b6cd5b47ce808f8f1efa611bac313765d7ca282990c23261962522c24ae01d5b6907db1387

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
686fa9d8528c08ac25d3032abb255cf9

SHA1
8a3acff274e2b77aa07cd1126c3c262a26b618ec

SHA256
48cf21c69d665f67b7a9780e8bcf86511e411050884e7d03db1f83d49f7eb7e0

SHA512
5f22c0804261f787e96c639347e2b962a8c28c163b613e4e66fe1614663773fb158dd0787771e65e8f8f4361f5bbc9ae39f2a02c69059edc47abb9e32f680d20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8e117e6abba8520966aadf170e8540da

SHA1
c42e68f9c6c89dfea81f34809f032cf920156dc8

SHA256
2458f7fa42d23c93329f0ae05d33d44c3cfafa485c56b6688530584a9ebc4ccc

SHA512
0531717e2ebe155dffba5664675b6c9e511e0bd965a6e2a1266d3e21166faafb82d99e21ba9aead4acde89b8e118f3066ce3ca5936d05ddaf542147963f55093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c05c77f100f413b8535c7062ed9febae

SHA1
266f1b7d7e59325aa79915380b30e642390e8070

SHA256
ace6152d187fd81a528020ac047f92007351b289f2b835278abe7221842a60dd

SHA512
45769ba39f559361b27ba0f3354a1dc3618614b4b43e88e601811c48f25eb6b334282dd25f560200d36054b49356db1b2e05c61070342fc0282268dc3f710275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c7452d1e481c637b8f1841711103316a

SHA1
424650ab9f3d0310bbf86e2174a28a3b089dbf06

SHA256
7f4d4b96bfc14e16ef584fc572b25498fe45bd858350b516e2dc11dcba05240a

SHA512
cca41ba81688d77d544be4e29d2447bddc477da2dc9f192506a1ad1b703bc8a24c5b056f2cb1d548fffdee7fec006eea37ba757df2c7445b55f1225213c91a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5c52238428512310fec2ed400a28f182

SHA1
e4403e02fd0a3601001fd104e40ef12259e1ab72

SHA256
f1e1795b2459543f6bfbd1e18a889f34a43b52ec7a8026e67b0399a9f98ac4ff

SHA512
a93806118b13a1bed8bd8842b7bc548491f21770e947e2bd775b38e0f1f422e53e916eaed4624167ea0f285454fc7833346478585f6df286b19351f70ef31baf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0ef9f18fc74266e35b2957fe92b833d0

SHA1
0e34a47e3e58f1d7f38c030bc9dd8368598ab0be

SHA256
ae0945f68375c21068020b97867341de94ad3790e65acf66d1a701a41c630885

SHA512
48cf4c0f4828812ddad18f36d6cfe91883c24992e07695069e051b569e6ea98fa65d24a61c9949e4f628c2b83e9c41bf85cb512b9b91fb13eebd7cffb4fd6a59

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5591de1ad755fe77a26681e941544e54

SHA1
a35eedb8d197ac6d14dbed344da8f3fc32e6c111

SHA256
17b645bbe4b2000cf148c88186ae11beeb0dfdcaec65779aeee5abf0fa907c7a

SHA512
35b894ed139e7779eb1ff9b60324a6583f21b727347df7113bd30a90645c081e768381e81bd5db4e807628882c5dbc70e3f6421c13e59694e7a4403535d98a19

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
46593c0427bcce377c182b71a6f0af8b

SHA1
f65967275907502d13ccad4f0630190fb783e04b

SHA256
d8d8fb18a852bac0efba7f960fc24fd36cc3db4a863400d0d8a5585212e4d996

SHA512
e7e0fd5970722ba9d72aa4641a456d8d9a4f9d6d8b105f7ef990e22456a4229e3d498da780836d7b454978e55f52ec41615a0f11212e21b9fab64ba7429f51e5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5a92a6a5c55f38868f9e6b381578966a

SHA1
9b2aa46f5f6db59ce7047c31a3fc974186b85a57

SHA256
69975377488bf6bc969a9c7d89c26d3aa07d131943a9a2015b1679aa2ecb984b

SHA512
f6aa7b48cc183a3765cedd739dd71c8f1c7391d294ef91610f5a9a7548c67d8aebaf772216af3719fef16f927add799b44470d8d404ee8006c35a109c257e998

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4943f2bf50018567fa752f8e860f7634

SHA1
2d3bfba4258b0d44ca67d35480dfcbf812a148b8

SHA256
dd6af075be300ae04ee9d582ee0a9021f983d22a8355daac6f1d5159bbfd50ba

SHA512
960eabd60a92955215ee7d3828ee1a132074d795ffdef4874f47c29b7cb63e7e44b089d1f0558a9b8f15a204978673c292d37cdf8808f1da8c32054a81dc23d3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3b92711f2fbbe8ff6989e40785057f7b

SHA1
e495cbd38a68464e48e9de0c92f5d8cbe39c6232

SHA256
4507a1d07b719fb5054e837cdaffd4d53ae6d6e61c360ef57d54cb17fac0ac67

SHA512
2df36edb4c2de721ef269bf56a94f3b2cb57b7c2632bfe91cc83d3c286c2bee14195f1af15b32f1ad80b3e101a729a064b235c1ccd7f09f92f3fb728c817dd08

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e4a35521eb4b0f6b5d4d174cfcde78d6

SHA1
a68d9d4007064d5f6dfbbb4a023924a3bea968a7

SHA256
ac0edab8917dac38ef281e1480f66164e132c2d1f3d86fd29c122646e96ad6fe

SHA512
73a1366c5e801138310faf93f46a778daf2ecf1e22f3c6c14d3e98e8a187fafae7f8e22fa92fddf437a56dda4f23ab942a0a36be1998bc45f6da53f6e1231c38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1de9b310469c53a870a239bd87506338

SHA1
fb04739380edac49c39c2f70fd9695416f09402f

SHA256
1b53481867eb905e26c46fc0b29791502823e2b65f074ba64dc1d69493112dd1

SHA512
c769374192f2e55f4aec4af5916f5153f9b52d975247d6799296a5cbfd40e8baf805037995c3af54dad58a41b36ecf02da0ef7795cc90e5cdb6773afd0aeb095

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e3f5b37a8301264e953fda0fbaeae270

SHA1
7186358534efb9d45afdd49921fd6a3c5911f741

SHA256
4c8e9f045c453bcd18a03a2575b7749a7a21e56c12b8675fdf1220675295f2b3

SHA512
3b181c4eab078453028fdabc7d2870432b42f683d4a5d45e30869ef6b599f9fd5687b47fa21a5a9a737a8ea9c5e29440ac1d223be6c19b16e9c9819bd6743911

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9b1dd1c5fe41b5018d2293a8861b9b6f

SHA1
e133d23a2edacb9264a5934009c368893eb689ec

SHA256
c7c7d7d01e28bf481c3a9b8f5faa6ce4d099e555c1ed7cf5033150e28166bdcd

SHA512
c5431d256e579e7246b3c0d193acff48a2bebb95b7bf71602d5d9b1bfa6c19dc606244076f3c46f68a48a2adaf464a50c8ff968802e6edf59b718d45392b46e0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
092aa02037dc03f1bbf0435d6afc1bd1

SHA1
5ebd7708798e4c2306361ccfaae3db321bb95787

SHA256
2d966fc180d680a930688904b733f91b19a078932288245d1a23ba350f4db51a

SHA512
0f29c3561d7dae12853906f7f10e0538f01ce98bfa5de8f1abe6b2cd6913401c18767e47e1bd0e8d199fa470e8d99de0896eeef3772f0e81e926523a9a6ad9af

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f5aef1bd09539ed30882d2b9efe283bb

SHA1
c8eff0bcae33e316ec5a034e3ee8d30b1ccb59bd

SHA256
3bd1fb368fe946464285e96abf2dbbd66d060db8cb079241c20730783c8f0acd

SHA512
0928319629fbd0df77b77cae46a7529860cc74203f05c83a035243c987f172be63dd304d747629d85ed261f88bb2ef21d27541c5f74bbd173dc93a19b2a88a6d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dc6f6239e78cd77dbe37c986e72a4e28

SHA1
c327f0050efc3c750839abe4422e153c53c601d4

SHA256
3e5d9cfff4cae91b34a976b883f9b73df8412c85416646acef134c3b647a876a

SHA512
4245fedc2f7de25181f455f48fee59f41f580f85403ed47fd0ab0da2ebabc8a67e48b613782788dd61091ac5ffce62bd4cb1b38024a2bd60f0724f8d64807964

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5374a0c76440e91973791ca1d809ebfd

SHA1
0bea8f2cd8da16b347d3548eeaa55498373e5bcd

SHA256
2e4141ab7828a005b65f32bfcf4c6c40bb9b9fbe0c826bd77238a0d9783ec944

SHA512
bc7699738475924aad893479998380bdd5b7c10296f3b61b6023c5a71da3b365ed8a47479ebab5b5823dbe0d19109099459e2da7a03e551d39c0820e00740f24

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
695ce10af3de14d74b31cba65c1ddba9

SHA1
c62de7dce0ef9676c2b2344d5fc57f8663f59764

SHA256
160421df323b327bf722d1bb9528b2f2cacc723126939065e94d864d942b3e0f

SHA512
16accf697c2ed0f75b6410facd1e57e282ce9b134c91dca7cd5a8e4a535f937011699aec64089b46736fae4fb0c021a97bbe8ed8f1ce613185340c0ec93e3f13

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6a9007e6acfbe88a61b2c6d3b6217317

SHA1
a9f0580074713a6a1a4ef498e6ac32345e0c94b6

SHA256
f6e510496310f1ff43bc051dab8e62fe34bf38fdb7e2a89a3b8c357cde74692e

SHA512
4b8057086b0382ac305c222b9448f223f44cf02eaf9fc04ad20bb4d83b77d093a81e479763626861dfab49fdac92bea76ceea2f62200aa712d5e0cca2773c6b6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0f220eba36decdb00602536cbb88b4fa

SHA1
267edd50e222a94aecd37284d97fbd03aae9c8d3

SHA256
8bc36b2b12e9ac52cf0223bd497922042518f2eccc827c267eb1a3d1a2f40077

SHA512
918bae00188309ae600edb6b6a1006ea059766aeadd7dd7c9f2397a3ed5b78d33d58e7369b5735d358e5964838190db7d70da50675019fdcc089e450304f72ce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c9daaec86c852629ec1c9692fb952c6e

SHA1
c2f7213fce40182316557fe47ef1d84f1bc3bd5e

SHA256
05f4badeea773490dae6e8c0e381cbb8cf26b7164247353de4633e21a0ae6b20

SHA512
00e25741b8df2f0e8b580b5dca5dbae7c4073fe20100235618296c89501d2b49d0c95eec1af491238d4caad4602d5439c6d48d92428cd23bb1e580adf81ebf71

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ad6ec9757f349594f90de70c1d157517

SHA1
30f205a787dd90c04d5bf502633815a15d682af5

SHA256
25ba405ba923968c37914e38b7482b51c500f9dac3f318a779816ef0f35c0490

SHA512
4859f9d6442f37b75817ae70c9167f39d0573eda3dd134d2a45c87515a13eb09cb9946dff71cbf285b7e7ab30af3719344fe3968fd98460d5f4ed37f4207d5d1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
62fc45f3339764dec92bb1a1ff66301f

SHA1
53196029bfbdec8abf369b138fe433ced9182d47

SHA256
692813d0f761520930012006c6930b317d42a5667dd090ca3fa24b600c4ed43e

SHA512
243449420cd83767875298f8baba340095b29c942e2d7cbc48ef36f93a1d9a183cf49e4569708ce579f3027f60f2bd71e28a3c02f8143e22f9a9e43351a60f87

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
234aea27962bbd11cd7f62d61b5449ed

SHA1
b92511b1bf194729994a772ea9f02025071e3087

SHA256
3dcb207326725ba037477cb62ffde86b2ba82f171e76201e98c90fb94f0ee7f9

SHA512
baccafdb728cbbd6816c584a1363b167357f88fccd8b9b9787b86fdca03ae3302e85cc844f3568d865ec738f854c695e4eac5b207482f04431acdfee6fe8b25c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8a297828372d3e86901b50de99667388

SHA1
8dd05f6cb4516c21a4f76219eb8ea9886c47d080

SHA256
249fde1d44fa61c5d1fec82ac22c2fb322545b3f507586b6e525233acca4ef80

SHA512
ca3a257a5abed18a520879a49d95e51fa8a97a025b517a8ac3769c8685f36fa13b521e1ceb4aab9c72bd7e9fca1ec0d7cda698a03116b0563538caf71fe46123

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
aa0f5dbd8fffd6a4590c18eba3644141

SHA1
0e5e563beaea1faba96fcd5f54e00702c20731af

SHA256
3951026977b52051bc15833b5604cf377c6ccc408abc257d553db9c0f02c16c4

SHA512
56cd4f5f27606e8a427438ae7c06d65beb8326b62eb1ceaf6990d33e6573b9d6063e00d732491be0ebf69b70af5f08cedd9878ba49c19020861d4c4bcd3d0cdc

Download Submit
memory/312-276-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/312-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/824-214-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/824-58-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/824-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/824-52-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/872-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/872-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1176-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1176-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1176-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1176-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1340-468-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1500-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1500-89-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2268-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2396-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2396-581-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2820-476-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2820-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2840-37-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2840-46-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2840-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2840-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2840-47-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2888-578-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2888-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3344-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3528-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3528-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3528-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3528-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3528-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3632-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3632-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3676-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4040-477-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4040-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4576-8-0x0000000002070000-0x00000000020D7000-memory.dmp

Filesize
412KB

Download
memory/4576-98-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4576-1-0x0000000002070000-0x00000000020D7000-memory.dmp

Filesize
412KB

Download
memory/4576-0-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4576-6-0x0000000002070000-0x00000000020D7000-memory.dmp

Filesize
412KB

Download
memory/4708-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4952-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4952-255-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4988-125-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4988-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4988-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4988-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5016-478-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5016-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5028-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5028-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5028-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5096-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download