801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
Size

1.8MB
MD5

0cab400c2e5b1318c997d488204ff929
SHA1

0dfe1ba3351a78680208aebb9004ecc0e8c10ada
SHA256

801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988
SHA512

0d36c4e5f94be28664f267a0aea5dbce197bb151dba470aa6293c51636ec4802b8220fe62f095ec42a1334a30fe501d5065600bab1b379c2e560662fad0c85d6
SSDEEP

49152:ZKJ0WR7AFPyyiSruXKpk3WFDL9zxnSBxUln6qr/6O:ZKlBAFPydSS6W6X9lnui6qrZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2460	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
4016	fxssvc.exe
1432	elevation_service.exe
3476	elevation_service.exe
3492	maintenanceservice.exe
444	msdtc.exe
3852	OSE.EXE
4616	PerceptionSimulationService.exe
4220	perfhost.exe
4824	locator.exe
216	SensorDataService.exe
3076	snmptrap.exe
1556	spectrum.exe
1900	ssh-agent.exe
1928	TieringEngineService.exe
5084	AgentService.exe
4980	vds.exe
1340	vssvc.exe
1260	wbengine.exe
4748	WmiApSrv.exe
4308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\locator.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\msiexec.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12890c17293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\AgentService.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\vssvc.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\wbengine.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\psuser_64.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\goopdateres_es-419.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\goopdateres_pt-BR.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\psmachine_64.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\goopdateres_lv.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\GoogleUpdate.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\goopdateres_fr.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4AD4.tmp\goopdateres_it.dll	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dff03ed96acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8c046ed96acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be5b82ed96acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e8b64e996acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5985eed96acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b57851e996acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1096	801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
Token: SeAuditPrivilege	4016	fxssvc.exe
Token: SeRestorePrivilege	1928	TieringEngineService.exe
Token: SeManageVolumePrivilege	1928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5084	AgentService.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	1260	wbengine.exe
Token: SeRestorePrivilege	1260	wbengine.exe
Token: SeSecurityPrivilege	1260	wbengine.exe
Token: 33	4308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeDebugPrivilege	2460	alg.exe
Token: SeDebugPrivilege	2460	alg.exe
Token: SeDebugPrivilege	2460	alg.exe
Token: SeDebugPrivilege	1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4308 wrote to memory of 2268	4308	SearchIndexer.exe	SearchProtocolHost.exe
PID 4308 wrote to memory of 2268	4308	SearchIndexer.exe	SearchProtocolHost.exe
PID 4308 wrote to memory of 3972	4308	SearchIndexer.exe	SearchFilterHost.exe
PID 4308 wrote to memory of 3972	4308	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe
"C:\Users\Admin\AppData\Local\Temp\801dcfae15873652784ff3f4f69f9eb805b944318be29d12b40b1864cf637988.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2504

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1556

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4328a3c31f208647532dad257f2300ff

SHA1
bf4e04b99855b670bfac5222c1218cb6305057ec

SHA256
54d2c23e02a3145f442e8f5287f44c9196c0ec3c4b8ad9fd924490e534bc7051

SHA512
398b4251f4fabdf850108f8f235ef0f9521c15bcb89e967613391e04efe4a5a6d0f7b9ccdf11d4a1cb9bf346064bd09fe88a908b2bb6068dd692409449e5d110

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bb94c7344b91ccbb43b9c1e4a71edfd6

SHA1
ca88358cbaa97c9f858b1f38285c43eeb498a0e8

SHA256
21c4df86514c1bca78bf6a38e406967c38b98e2ddd09f9daf04b07075ad62b67

SHA512
3bdbe54d2889174ed4b5cd293e7a20df905b87ea1111ffd3658bd34598f05299b0083b61ebb9287446d5315f1da23842fd266898e672ce04dcaccd090e1a4c7b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7ed1457468f86804feaed4d3a0497b58

SHA1
41ad888b97884a7974649c820957a581384d0849

SHA256
1c8294e5e1752ecbae72feb9cf35cc1a48226092f629a99682c9bb66e2781ef1

SHA512
d026b2465abae7ce4718c24c9e8b287c9fc0af7ee6486caf8440f2f03f80fecd9feeca9fb388609e6abf92be3618a034c43bdcb98d6508e85c0c9b27b88bd60f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
35ed75233a62de60fadecb9675ade5df

SHA1
214009716443623cbbb1153acb33f7ed247dc3dd

SHA256
ae6506de271606c44b2582c07f2aca1cc208bef00b648f07a396599ce6f11c64

SHA512
d904c72f7d29d7401b28ed194a505920855c9531c8b07debabcf2063c6466036cd19ba22beb625434b04003980a7cea0728a325cb3050fedfef87feeefb56ab2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c047b87b2866adc7901000b70aff44b0

SHA1
cf083f59d10016570bfa9ba383e32c945b14a198

SHA256
843e53292d9fcc8cb0cece2171166ed58298a7a4bb86922387d8c7e4b9343a3b

SHA512
23d90f547e6c0a51341b307c2c555e572972fa4bcf9e4b460e5df4263ed1973fe756525f77406e0056650fa099e8e376dbe1485e46410a78ab6839fada1625d1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a3d02e776f415b582b01efd4735722e3

SHA1
7d0fc51221833396589235276524fe8fb9431b42

SHA256
55664b212fe3f0364328b66bf27379e363a8c517181a9f5e85b33905d3999705

SHA512
d8ec014c6988cb60b84927405dc2155d4ad8cac3df32c83af12dc7dae6076d2bb484c3d97a8f0d9215b3554436d0821ef13e0e1d219f9f64c484cfe2292a0164

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0625aae3564d2ccd6d718119b5f61b03

SHA1
227b067f712d2c4b9bed14d1e37d3b78f6306aaa

SHA256
e6d12adab5e09b3c4be8d06de1e7a19c40bdcd9ddc52489b9623d03b5d14136a

SHA512
234a779645f5fcb9e6c50b48a7d920a58e6decac5d68e3849658324eed8db13638939461886ae6d118e37a090f5f1564a9941a1c728826146f672babbd25204b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
54d0bc9bf492e3848bea373326fb460a

SHA1
b9f1878c62577c158c9b4835e834b870f09c61b9

SHA256
f88cd29699ea42f6e32ca2e170b39685d83103bfc68d023c441453eabb705112

SHA512
2d67ecad3a835a9fe2c52f0b79a1197b748839663c992ffde4ce02f9b4292a1443a613a5180dfc357733ae9f76bbec8c4e05e4e1aa301306e3ad7f9e0de4fa9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7283659dadcebc19fe4398f3134f418e

SHA1
fecce887195041770b2b3e62ff4c2e1e63773368

SHA256
07207ef16050d2a584cd4d6a1328eb7af8a8c25477b6a319f617b5a6441cd314

SHA512
226a98b3a46f3c357f84061299bcc5e3133328aa00eaafe85dfe8d679f4e26c217d3649f622ec4bf15ad1032641226ebe65f7af3910663db297761a3cfd82df8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
39d6d372d48974d90421e3bf895eaa61

SHA1
2c78dfb02eed83a2ec38e599aa685a6a3d3c66cd

SHA256
e2dd0a5d4517592655a969f269f4283af856794a9107a8084dfce69a240f5790

SHA512
9a6e06b2e6c79528c85c06b2ee05605e0b5cf8c452a9b074437ad3ec1ebcfb85bd484b688d7fbb5429c2158f044a350f943e600e6b83239d33c7bd75a571a8f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e1b9beab4367b5b73387dc79607266b3

SHA1
caf9c6a8e839fc247d14801bd92abfaf3db09bfe

SHA256
5b7d7fd349d028108017b031392dbf2334f5e15b61fedc5854d9e262eec81609

SHA512
da8af09984ae66df67b9b709cf7e1aea91063f0ac214952d4997ee55b4c059a5d95d029d6e85f3daee5bc56572b39deace2400fffa422b452a7ec0f6a4e66454

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a380253f4563e3adc8433ced2b424742

SHA1
b398bfc060f16bbb41a6d0f309d125b4c62ed208

SHA256
f08b532325540723e8827da4ba7320bee0c86549b76e0354bc2938b417641073

SHA512
df190073bef1fd1ba4108bc475df764efc309f2a411628f2b55f99bc2a0e12e3d20f97c6745e7c5f50f9d2dc83f905e1c1deaf969c4f66114e277366d4e4639f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
57d9bb5ecd78c742225134cffa80501e

SHA1
3e32c6e9ea2e9721029e2f8ff46246a781cd688b

SHA256
e35d6bd89f7a103dc4c940b79b92cc4dfcfe37ee0fb9ee414d6410aa0ab47ab0

SHA512
4eb1a267d5815a54f9f05849e9aa38be1e58711da3f6eebeb045693da4528a36ccf110aa8e219160145d1f1f0f8ebc0b85bfee3a7402b5f04c3109d1bb7d17ca

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d3701208ad431124b2688c5d6016cb14

SHA1
2ba836965679c933d234940d570022ae332d93d2

SHA256
ec7442e6c173cd01788458a1cb87485110fbe49756c6cd21cac02240c31d7938

SHA512
8a8524b02f36b32055fed96dc7c04619cb7a57e78c74320106e42a4f9d1caa360d653a5cf20061b62ba69da80a39126e75d7344a3e4347c1603deaf16eaa09b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
555ca99379b706b37962ac2ac06ad08b

SHA1
c217cf4e0ff8111b3b3741f187d1c9ae06052f19

SHA256
e697e81c28cad55c2ecc1212076a679918dea453d2d477622aa2876c6c11970f

SHA512
5d69e78108f100cbf19c7bb61c08d91f04cc1b4fba4d28a5a487b358d0dd0f86e9188300aef21ccfce52bd4e30da110b79a5a41ba3327ba71a94e814c38fd17c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
67a61a09bb1ca45cff328c5830523bd2

SHA1
ac57c3e6d8731a6808139ffbff540a150ec6fe0c

SHA256
a35bab1958778f1934331085489d7ce34f16f0bcf43b084a5ea7e7e6eec3e390

SHA512
bfcdc2713d7c334d230472e7b2e2be8c50d26926fc60482d5e9b0ab78397df97a28e906b14ca27cafdfc96666419ef78c112c445329ed8f60139088ee027b7f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b722b82561844cca78eb773657fb5c89

SHA1
da047257d2b5e4e5b283f9dab295da2b2a711f38

SHA256
8beb4a5f80870ebeba4439b3a4d2034b2708406a6f9324b64af6d2c9fbd28150

SHA512
63c486a0cb7981935d5e40c5dd7527eea7d32d817598ad7211c4cc0de335ea6a60002d485316bb07e1721f83ac9a4a812e4c411a0818278300b61c02c09ef1f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9836e8050504dd04aa02f7097c809bf0

SHA1
39e3a49a51e0f40f78cec24285ea9eba61ff5ac7

SHA256
297f272ab86a4bbb692a3ee9cc216c45a195c75939edbf7cc981c8b2cad105c3

SHA512
6769b959c161a5c1467dbf79b43899008a07f739957198fe4aff3e4c6af04aaa1131ab7ea22cd141b5a8f3163cc098ab12ba4b2bc48afd290a6fe11d6d60c328

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f344822a8ade94194aa13fe6407e9f2b

SHA1
90a5fbaef6fafa08e3618fd5b0c5da0a23fb526c

SHA256
091e94a919d5fc874d5b4988c8d18c4461a39191282edabdfba5a33124a99a2f

SHA512
126d981deb4f03bb21cd83dd3cd9e9a741227fe881fb9de14c6e083b5ec5ceebd0a8afc3944bac327fc12db1d5c193b914294ab16e397dc4a21d837a7c80bea2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
340c48b1dcb594e416abe0615c657ea9

SHA1
52f24b529bc46841d88ecb0320f6a05d3b3d0861

SHA256
5bfa5245ab5d73b16a1f9a4bc731f04aa993b72a75383fcd8c3bcd080ff108f7

SHA512
0618583566604433fbc23fb22e61df2ef51cb5f2282c3d25509051ad95219b76c2d25e1f1e9fd64f93e68d105b02aa68b50096c5df35bd9c84adb4d1c4fe6533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
77c13bfe0a05238b144d7584b9256965

SHA1
94ba5091cc520d8b17baa8d5a2a7c4ee2b7c9b4c

SHA256
25736284862667735c7445a1d0d210fe5f53b8720ef72a526bc796b4e9cdb54f

SHA512
178b20efa0cc9c23ec29efad62e4fe80f8c3d3e05afa25f89502d30f4cd96c5401e139cdd73767750cb86d05d1d654b78207eba0b0126f272e0babd7934624c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c4c6128601f5636a05222f6a59982a1b

SHA1
4c09be8c9ec42cd38c3f037bd664d8224b47797d

SHA256
3f7118043ad7218aad195b42162243d63ea882ad2537ffd8564220f7c97b0dab

SHA512
ec417a44487f4df0512ebfa1551d566bbcaeec98ad1685666ec5e3768f8127cfd1c91341c6c78c462e14dd96764e963a3baa469bcc2d2c1b42add5bea731d5d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
dba45e988730a834020ce803f75f0fe5

SHA1
b46cc55e0773fe3bf273c65253d3c6031c971abe

SHA256
0d4d38cc8f7fe05673f9e8bc37d976c0692bd841dab9a10956e31c75d98a16b1

SHA512
a80e2cdfa65a1d97306f30bb6fd42e0551f5c2b214384e7264331c2379b0aa85f1da952fadca6ea0b4aba45b0f00d72e305f12f7c1ae839232bda8d4c5e28fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
19a530da0dd0e12b36982e286ff46bc9

SHA1
cd1c5f7e2eee715b238e7b4b9c3e4d41d05d922a

SHA256
28dd16561a3cc3a3b55bd8852db9762dd781e5c19f442c7f57fac80453f89faa

SHA512
07d383def6c7ec02700900f9874ea9ae9ec248024d7369dd387d0ed72b050c39aceb9f53e10a43c780dd38c2bf0d4e1cb44d10af802ff8d9e149172545a0df06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
bc2079848db9d74675910763cdb2f29a

SHA1
577b31a652617c98db839438cbd085b7fb94976e

SHA256
d1e5bea1c9ba42d64a1391f50d8fd4537d5c2b6670467a07c6ccc596febce58a

SHA512
cdb886d1c63b2f6ad8238372572683c0654eeebd4dd6d359bf3340569657f6ba2bde33cb66a909a1e2a6c53777911cec5e167d0313eba6895d431d71b2501b00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fbe2bb3da1239a0cb258c131028f6ce9

SHA1
43045ee19fafff20c08df613f705036fd11a7519

SHA256
566564c94eed634325d5a2a04930ebfe60284bef22e79070b4cb94a58c14ada5

SHA512
78e6961797cc60f271431727bb098c74f8c972149c3ee31531381ad26e1b6397ac0b4aed386e91f05512148d6390f1f3f4546ffaebf11b0e33b6e8fba9a2f2fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
af41aec79c5266ef6c5ededdaa535ba2

SHA1
3a077f35af1aad73b0742f5b92a3f8b680e903c5

SHA256
c850066f99a6887ff29e786273fd7839640d4df95fb7e0981380ff73e4c140d5

SHA512
6be5f043e134f7ded5076c3a1ffa65a492ad6dbb0e61e7d0e2d6321ead2eb81cfaab01a13e422b63e0915f86eb3f6990260d6cc1c2defb96853b3449e711126b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
41516ffb61057c26a1336112e44dea31

SHA1
476292931a647b14c1d77a29a84f00a8653f415c

SHA256
81cf46ca2f21e3369f25805f32a6c429c5f8328eb3ff8f1a02aa0b1b0da65ad7

SHA512
74440d1ab54b6e749903d334c4403dfcbead31224b4f594e748873e9e13e152ba1cfb177ba3dc1f00d85b1ab49c244526178cd9c1d3475a99bee5388b8fb7762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3e4925280d1f6bec6acd9ebd06bf78d6

SHA1
77414a991cdb967d000839f60d172c2d784cd21a

SHA256
df647761f79ee225a91ea58f13aaa6e5acaae7304ad3c3d3586ecdb1b89a1505

SHA512
16ed97ad76d15a6b3ebd9b7fcf0fcf155a4eb1aa35b3373422dbcb48fe186203084fed7884653cfc760c4491144a555993da83470c412a2606bdb1c214880e31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
c0a2389b99e524d678897bebc6991300

SHA1
15ed473fe041c4a05695bb5074837d0657d5ce2f

SHA256
f86fbe39075ec94c4c7a62dbc52d3b5b640af3adec8546fd817ed89658775c6e

SHA512
6a2f875fc1ea7cb79656a73ea4bf32a54b0218340204a80ffe10d2dc852b824b4ae42bd1870a124b888d151c7d3ec815a5dbd16a9a6bdb785977851eee1c015b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6c7f720770b761ca32e5ef400d13aa02

SHA1
6e2a6b2fe1235719c9e445ef1b28772e9889e238

SHA256
a51d1dee3d519074adb24856670a09b5b1c39d414a1a59ab808844bdd5b46f32

SHA512
9b2fcd5e15e0b43dbc86428b1118cef58c05bb6d606ada27d1fa94162792acd65f0aa9f63aa2b5df6f99228e53a29b42a3fd393cf3ada4afbf1f811298a062ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7eb0c586588bbe54a0a5e23379905344

SHA1
7661ccbdaff3be0dea8378896205b0b6c3c7a778

SHA256
828dd8b51b105cb829bed1bee1fae69062235f1a91f8df3a3165223a0cfa7da1

SHA512
65132955429cb9f761aafcb619338e643ea9680f8e96c1de2f9136ed0cdd7d7f1e9103d04d3e75c5acd86ad385388016c4086fe6821094ee0dae8c9c864703d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e89b7de8dc3002974ad8d5defce18484

SHA1
45f6865a61faf6d9f1e3abf127972b68509c79da

SHA256
241f2beedb79b4d40556023dd2df1aed2689b46883cae8d16a71b3b3a458e290

SHA512
6ecfe02cc234e46fc7e5e2ec8f43fff01272742649e44a531b7ae17605bca35d4b7906b6881cea79bfd7cb4f783c32406b0fd58c26ebab820d81c7cf4d459d83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0b3f76f7707d6439ea0f5c8dbb0d6eea

SHA1
9d0d12cb9a6589d9089c0307979a829444c5a2af

SHA256
ce96349af5c30b2ebd2611a1979f818c7d39aa071b4c4f7e1ab4a783e647c548

SHA512
064567efaf8e362f1c44f78f435bc82e6bf53d2a52d623b00d006e7f662bcfad86f5453aa25a40293c9d4357fdfd5ae37f4786972c32a6a4be2340b926b54204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
38dc9440e70c058f1c4e06d1a1ac67d4

SHA1
bb24435090eee8fca5296f1ccb53d5e0fd501af4

SHA256
50a7cd4b405120b42d417dd5d4dac877336e6feb64fb7c550e68dbaca5724c6e

SHA512
5aa24e7d2863666017469bf7a29209ee3fac4483bba2e7423ff8c10ac6d62d29e6281afc69d4380941a767421b0bcbcc70a8c71c78d99542861dbe1f7ba79885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
603a661883badb07bdc2ad8935b52c37

SHA1
be5d32ef637bcb3ccfea4ac55b5aac0a826e42ee

SHA256
3475766f1f7dc20423dfabe637ad73a81247585b7207a70e405bcedaac59051d

SHA512
188b5fd5e79f4876ebb362411ed5d3cc98b3106d91a957f09a5e212af819896b0d256eda91c77ee836de2e17e299681716ee90c1ec40ef70756f06c9b720bd24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c16d343891f357d351b81b0462f8c82c

SHA1
ab330d420473abd77f125484911ff5e5a0033e7d

SHA256
d43fd51746d3a3a2452c6133f387c06d8b948d1401f3a4a54dd2bf0901397766

SHA512
cba042510ded0b2d5d45657f616ac37514ae0af7017a172e17d215c144dfe1fb5c2e096d1e9e06015fea3089867453ecf955a1b360a3d69d80340ac724f36d73

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
34a940907f9fd3170f7a7a03b9857f6e

SHA1
0f82e7e4f19f50e74558cfc852b9e878a0f74adb

SHA256
75db57dc669133b9bac62e8aecde6b9e0655fe9873fe3824db1ee083f6577907

SHA512
3da27647ab1e031060d348816f0f40d6838775b5ddac49d68c91b94033bcb3f85e8f0aa8461405330c3a477d6b183f60982b1c116ce68604425b8b2c6768956a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
49ac752017943775fc6172d7039ef3c0

SHA1
a0f4074308aa141aa171e07e1a48c0d8050fe87a

SHA256
d7c5112b6cdcfd02ce901a913da7d30b2f8e0fdd5c21b678e9ae8198d91e35a0

SHA512
d9665e3ad6f908b77c024d9bf6f80e0c81df7298f001fecdeaaa1dfeb565d7132c60b573ebed0edaafe03573f75091181c1a67e7ae3a28913cb5932d30796a9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3e0c879c8d8f9bd9d672b26de304daf4

SHA1
c8255e69c848ed6fa47cdd1f782cedc214a52ca0

SHA256
ab8156d6a55f9f5be3f9a82a915cecff8ebfe6fd3ae68e0abe97adc2d511834a

SHA512
6a0e66b659aafe5c8b4eba88ca6fdb695430e9803268c5d96fe9a826bc4553df70188e3397ccc983d20838834a2808cd9d406520ff4f89adfb6d6e7f5b4b9f1f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ab1ed034fee389943f9163917fee9de8

SHA1
a55858f48a743e750a8b884a50b432bec5208794

SHA256
d40116475ffe76804dfdbac0388c1af572baaa1c8e27e39656fd21182995badd

SHA512
1da9124e0820197b2437314340d27add7f998d155288849d2a4c26747eeaa849a02a5fa34b1ee8a6570b2011bd053a1f8208cf04c4c84bea0423e381553f66a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9e9e66f2901057d04801a40a3d59b004

SHA1
5e680c08d88f8fe7c5630ddc58f7d3c859786bd1

SHA256
2306da621e102c7ecfb7097deec69705c42175e2198b473aa8f54b5242394a69

SHA512
74f2c26b9965204e97b81e54e364d835ec0ba1a94031f65577bd9fd58b8a771eb0cd34818e39996cc432f815d6ac538502a07e813bb48af1c16587310a677f13

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b3f3b67dcba59c5eab346012c6c0d236

SHA1
775f2b71769b153e01a54988e284e021e0881cb0

SHA256
b48711b3bd044159742531fa9e198afcb4483d970e82141df23d0a84b52aeef8

SHA512
851c8ff82c78a04b13b9c2a8e0b12458d7b94e3858e77a167576398ea1e1d9d16764ac2f5d7692049f4b7262c090021f9b3ded8041767245a52d09eccefe01dc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d29a329512f4daacf4cc97e59ab1adc2

SHA1
b70f5e0bb664c9f79d600d47f70b1b78e6303bd0

SHA256
d1033ca8944cc297e962998c50765f5b792f850d327ea86e9d00a89c23fb1762

SHA512
d0fed0cf6cd7fc820c2537f3ff67ac71907c112a73a6a4a0db212e9217ecf54a7d7247b3b5a82a1caf854349e1c453a7959e61fa9054da84bb90d858d6ab6933

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dcaf402aded19de929552d60cddaec09

SHA1
c10f41c7e6e83f41533524cfa668db639e239359

SHA256
fa202df1cfdea1995f0aa730d97cfd95b6956d11d570362bad7f07e7e198a261

SHA512
3d0f8d08b6c951aa99febb5f35fae263dd9f6e33807063f4064b8531e98ed7298c6d8c19d2a0a453077b4e75b05b0ec5f13219598ed3e04f55cc9ab419b8eead

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d20c27855cf759c1146bd1c184f8f6a4

SHA1
236c271f92e61ac8f89b4424adf831c353cd50f0

SHA256
c3f6ca77a70c51ca7d7c6d28d29fa556335cf309ce0f38edac21b0619729e3ef

SHA512
117fecaf264476df2ecf63335879e04d568b9d1309c2503e89854e9ff7eda3e288cd65754bbd3b67d9ee3f47179db45e33619f512fa755791bf0f03e0ba1b303

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0bb649803c4900e02e06d8abad2ea771

SHA1
2ef3a9d5711d2ef4c9896ef1fb84db5303a603bb

SHA256
c3824a8fb9af92331cac985856b5d9e915649f5b638b7a4094ca499c1686c18a

SHA512
ec16f93cecd1ff7a1c7dbee84f8420cc628a5d528aa72c326d00479e46b3bbbff922241ee25473ea4ce2986b537811aa9994d53ac48d3e7416894c62d6a5a96a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aadff06ed46f0fce56a48a1a02c59d5b

SHA1
987e5b66eb24d8c1eb85f9d49f6036c69e1cd91a

SHA256
dcbebbe407db612d75b3cb3511fbec7e93801b22c8400f8075844a2046b6b49d

SHA512
fdb6b9ae8615c23856687a88f09dc2c94e4c664f6c8e5a7a1d2704f7b58ad638d789c8a8180226d00f78db0ae872db037552729701a804ea1e51adbc9f366548

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
923cc59448ae7bbf0462f01a2fb9371f

SHA1
fa7382960a31fffdce77504625b90121bbd3c611

SHA256
1dc477d168b934526bdbac365945d2a6d172b981469c59ce123fa98e19466be8

SHA512
b396204894044de66229544fcdfdd79c65aa9ad02ba7af47fbb86cf7944ff0560695704b7d8d776d3972ff01186120fbadd7941a578b4ad190fa2e1962eec00c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c439037065e1816aead0322a96f1dba8

SHA1
6358dca60b8094244d27f9bc080bdf79b711df2e

SHA256
95a04f58a26b9ff848f17e541c52e5b7a48bae122e8717e026d90834ee513013

SHA512
ddcc31b6e4d0d45ca9a944acae99f94a452b1fcbfdf0a0774b04caad24dd4c0387fe042583ed7ce096f52227e5e69caf5a6458ba74d9787d3375e0f094fd0fa7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2df3c20dcb2f289148074a80b8b1f88d

SHA1
8b0a23ffce64a6bc8100a5c3208f23cb8cb219e4

SHA256
8b8c332a3b1b943d40cf30b26b81927081197be3e6bb2b8168636c4843718ba5

SHA512
b35add944eb123ff18020af0700cbd980cf46065d151f2bbbc4d99e9d2726d4107375a12a9cfdf7b67d835ab5e614d59712acd2529e8b649fa82a76ec342f4c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
79535174d082713145a019695e2077fb

SHA1
4245a18be5391384c613257c226fc1c734d83647

SHA256
ab213185448832d9e7afdac50679b2eebec227820949228df6f1595a5e1fb7b1

SHA512
ffeeab6b19b89418bc1941760f76aa8ba2fcdd64e94423b6122ef0bbb66606724cf333c8a59807bacd647f53ac9e19531d6934b392011c8aa79402b05cae4cc6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9a3cd11fc26fb935ee9d49d6a356b623

SHA1
f57bc2d0403e6b78cd31b652dc590c0d8441dd25

SHA256
c1d5f6a912cb181ab86068cec3318fe466b600f6658579558dbeebeab00c5045

SHA512
7dcba331edca6f9505b7cb69b57252f23253164ff6fd7324e4509d97ec83101b78d3f9596be56b0c7bb8b260c7db39fcfbe70dd86f42bdc7f8f5ecc586aaf2a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
614469479e91cf030c6c477d8f79cab8

SHA1
3e39b761b2b71c25a1fc8f6ff6777a9dbf6a9ddb

SHA256
9b65c75230d4b9a947cd8067d9e9f991967036eaafb9a39f057af9d9a9242013

SHA512
2d9c16b16e8e4bb18c7dcbebcd7e20a86dd5942333974fda0062ffdc401a9fc982cd180bd8efb77faf87fadea90ebbd596664d4f381b7897272df8175ebc4dd1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a825f95467abb7668718cd81e4ac82f8

SHA1
b00c0420b69ac6652c85e0ae371f1e1f122d027b

SHA256
070bbf833456103763456a3342f4134f862e67c3cc0c0413035ee45e7e3e364e

SHA512
082abcbfa22b8d1f496e71683e300b6cb08760946c6c1690003c3cd861f124584edb0cbb1cf9018bf831d0cb4da5bf7e295d4c3acc81385448f64adaa42e10a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
37c45495035b333e5f702df7c5d0a698

SHA1
5e550c6dd4d139c826cb7d2c1e1a66a2b563c1d8

SHA256
0a4f9ab9f099e6ebdb80034ca541377c55737e9371eaa8d026acf6d2a3ce838c

SHA512
7c2c6c7d114c436de7f4bf1bc83a992cc0aa83f6574d003998be707a3729535e9fcf68b12b46e3aa8a96214f71d8bfe723f73b8816f018d5ebcaa51ec85ea12e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17f640cd423978c8bcf131cc71f1e1be

SHA1
88cfbfed1e8c58e22f3954330afbbb4713dfb3bf

SHA256
4ca4b28c8bbbf16b3beb78e7f00e0e34b8ccc06a3154793b38de5ef3e9b891af

SHA512
dab32360ea88ddb16a3e4ab61f604e094b4e9acd8da437e6bf9d8025686e22d53457563524e1ca25bd4443aed326d8664b818cc4740a5ff18caf47aa360aa41b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5bca4ee85239a9d97677821832e08ff6

SHA1
ac37f7f778d83309900ff86a8c374e1437ae2f0d

SHA256
806da79f6fb79fc23e70bd6cc60960964a5a9203d36290bb1efecdd84184ca9c

SHA512
d734f7c7aa492b084b574a581d7564118656a6bee22882990e7967cc039b6d6bf04dc66705af27e477a7c3ee4fe7da5cac494a6dc29bb9cb7f4dea49c10653e6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3496c8cd513085deae69424f15d677b6

SHA1
edc2f02aa8b3debc580ca14b2ef42e9fdace063b

SHA256
3ac8de5d691dcface8df6ae36df86ce5b4590aa050c50c60c2f3aaaaaa1b37c9

SHA512
307047b66abbb617b8207312dc674b6b4081664d92345cb13d3a0fc3e769bc0b35ee47f129ac8386c56b20c3784327364f49b8a2e42caa37ff4d5e2e0864e9a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d2739218e6144bbab80c5dbaca257fd6

SHA1
bf53deb32a27798806185beaa54ed516ddbcc1f5

SHA256
0cfe20e5194aec58b68488672b92122c5ea34f6273cc09fc8a9dacf3d6ea87e7

SHA512
4aceb462e4b2a2b5fdc974464d9b97d4acc325fb883ab0098c00fad35992da141ae4fc30b7d7aa071f81519a976958c48ded6bb74fa9648e60bcd0eb9d7098cc

Download Submit
memory/216-247-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/216-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/444-158-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/444-167-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1096-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/1096-150-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1096-6-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/1096-546-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1096-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1260-345-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1340-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1432-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1432-121-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1432-717-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1432-127-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1556-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1556-771-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-339-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1928-340-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1948-223-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1948-93-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1948-99-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1948-101-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1948-100-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2460-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2460-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2460-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2460-166-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3076-249-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3476-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3476-766-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3476-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3476-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-148-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-151-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3492-142-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3852-171-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3852-767-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4016-106-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4016-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-114-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4016-116-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4220-226-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4308-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4308-775-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4616-224-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4748-346-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4748-774-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4824-227-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4980-341-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5084-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download