3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 22:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
Size

1.8MB
MD5

61c52305e305342bb8bebc261a96db60
SHA1

5b1b99f0b10fc2652111afe46c4a3ceddf8bb94e
SHA256

3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8
SHA512

69afc0ecae35dfd4f83d4e70a66290de0772dafa2fcb06e4db13da0b84b0076fe9b286e2975d7c4f62a5123494394aa93ae7c29c21a00a158ddb17f03e96984a
SSDEEP

49152:xKJ0WR7AFPyyiSruXKpk3WFDL9zxnSiMomUj2:xKlBAFPydSS6W6X9lnMbv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3988	alg.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
468	fxssvc.exe
4372	elevation_service.exe
1216	elevation_service.exe
4796	maintenanceservice.exe
2468	msdtc.exe
3088	OSE.EXE
3492	PerceptionSimulationService.exe
2008	perfhost.exe
4484	locator.exe
4792	SensorDataService.exe
4332	snmptrap.exe
3176	spectrum.exe
3528	ssh-agent.exe
2832	TieringEngineService.exe
3196	AgentService.exe
2784	vds.exe
1308	vssvc.exe
744	wbengine.exe
116	WmiApSrv.exe
3100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a9ec9ff9bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_zh-CN.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_de.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_gu.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_hi.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_uk.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_et.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_lv.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\PopDebug.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_es-419.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_is.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM417D.tmp\goopdateres_ko.dll	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078950f572caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c9d74562caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a5bb74e2caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052a2f8552caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b774e562caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f453f572caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cb249562caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e44014f2caeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe
3248	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2852	3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
Token: SeAuditPrivilege	468	fxssvc.exe
Token: SeRestorePrivilege	2832	TieringEngineService.exe
Token: SeManageVolumePrivilege	2832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3196	AgentService.exe
Token: SeBackupPrivilege	1308	vssvc.exe
Token: SeRestorePrivilege	1308	vssvc.exe
Token: SeAuditPrivilege	1308	vssvc.exe
Token: SeBackupPrivilege	744	wbengine.exe
Token: SeRestorePrivilege	744	wbengine.exe
Token: SeSecurityPrivilege	744	wbengine.exe
Token: 33	3100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeDebugPrivilege	3988	alg.exe
Token: SeDebugPrivilege	3988	alg.exe
Token: SeDebugPrivilege	3988	alg.exe
Token: SeDebugPrivilege	3248	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 1060	3100	SearchIndexer.exe	114
PID 3100 wrote to memory of 1060	3100	SearchIndexer.exe	114
PID 3100 wrote to memory of 2396	3100	SearchIndexer.exe	115
PID 3100 wrote to memory of 2396	3100	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe
"C:\Users\Admin\AppData\Local\Temp\3aaaa268f3874dd1aa9e13dc8d79e28d0ddc33883039399f145f5377a346eed8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
044db0dc3bb93e4d073baa083bef9a87

SHA1
b151b00dec4a8ae73f525632baf6b67801994a83

SHA256
53c3566d17e7517cebf6b7e3145828f2b47db1bfac5b16de298cdf6ede6ccd82

SHA512
5bdb7676dddc0f05a08e555a43bea59f72a87052b6b5c85133fea61224ad442cdb5ece7a3ab7323534aaee8c8222d733db505e5259eee476217b148efda6fb97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8f29a37490b23d23f715e8a721ea0a24

SHA1
5511db8915a4871816be9be66b2281525eaf584d

SHA256
689073d1cdfbf5d1cc8bb606e1a721443b32c885f541266a1f9430e6ea6a710d

SHA512
b893f4d01157953aeb67b6fa4fd9b808fc7978771248e77ed9ed42f05c8457a74683598c7e6ed3fab16047b3b7794a610291494f36cd2cb1000c876552a7f6b4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
64b9a7322112779ec9fdadbb975cdfb0

SHA1
845d248f49bb051da925b962ec1bdc30ca30ae2b

SHA256
28a547e16ed04ea7c8557947b2d4b30f74883a2cf890f4e10d259ef44f258ce1

SHA512
06e2b41c43334794f48a0c4331f4946e390c91efb678773c397e2980651582fa291990cb0c8a05cf3b81289545f2e89ace3b61ca561197276d0e4e00e6c3351f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b44598149e8a2de7801cee808cb6c708

SHA1
fd97f6f4cc9075e3302d5a224b12624b6b5166e4

SHA256
fa76e7885ba691f797b72a0e59d2f57f522dabc7ca72b201eb9e20f6d67f481d

SHA512
955dbd9fb6006336810ef815796d71f14086d3659cd772692959bc16e8f53cf70fb03523cc41a0849a6fbf3492f1a3c55b7817506264ce5ff3150d190b933218

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d56624e9aae3021a6b9ecaac49537e8

SHA1
b5cf0bb3c6b568873023aeccd6cf7d5fc478a5a2

SHA256
d5495e0b2cf21384208f2aa906779d75b6ec2e0005498ac305142739eb3644bc

SHA512
4f1abcd333922de21e443bbd48e7f96a35609706cd3f7a000a38d54e9ecc64995c1130b69133bf42a61d3a88da79a2d732ad5ae2729e11b15ebd0a3ad7869edc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
45c02e85ea1d5805e33f86325b627cec

SHA1
930b06b979d5e0ed2d2cf7bdd6efe8872923490a

SHA256
8438c1eff8de8ef482c3022a73afdc8b3b8fb6bdecf4adc7e5749550058440c9

SHA512
34028f475b41e2ba15f64a1371ea6aca696577147753e5c30f55591028b240fcd8d4b4eaa5da1af124ec0a28f08477bb4ee8e35b8f208444511c7724d0a7a8b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
aeefd5b513d613ecd6045990c13f41f6

SHA1
3f11e6a9f5c16daf8273637195e2e1593ee2c06d

SHA256
b7d50e0f095ccbab25c3fd406913571637c0b95482e3096f887377b260703fd4

SHA512
d7e2ce30f23e9191818e3cbde505c063cfa5cb5b5cc29b88414aa4f24d4c0741048ffc6786bac9b8457b05cb9c2586c60dd75a711558face6c69479bdc813234

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
44127815ebc4894c4523b6cd3b83af22

SHA1
ba089997cb6948a9f8062119ff8fa3bddac8dbab

SHA256
c4e2d9d210a0a63e16e1be36d5aa5f4ee8c94b9483f29235f5d58bf9054df06a

SHA512
b163339323147a8a37225318873f4ae453dfa4312c231a2e1cb818a3bf66c93e2cc6271cbd4889e6a3a5af3255ea0e5b5813a9746457c16a02389859d2d5ec1c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
59ab498fa22f36084049938a28e5d4c6

SHA1
7e6731c0ebac2fdc00150cfb5a87069ced940fc2

SHA256
c4dbfaa55503e7f0ae4bdbca6761295fb14085b18643a329c6a15de166fb07fe

SHA512
ea6a21365f7b95ca05d82c904af818f995578cf31b1360e5ecfff2069c8194992666845ce0ca9072b43154fc6e80958171ed3d9dc6f9f374eccbaf9463a3ea02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7ed9d853136ef5926ac6531b938b6e89

SHA1
ec8dc3e342b43d407baee20d7b5540d9bbbdd73c

SHA256
027de772bb63c4225a6abd71b3e68edad21bc68f36e64879a28241e67d4123ff

SHA512
30290b77247dc5f61fdc939dc208965fc6f077e668787dbb2d4c309846dfa788dce0077cba83e502a5151eb11edd5e291cb8446015a323652809f7ebca0047fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6a0ebc7e6deb9d9ce20bbeb0f80b6ab0

SHA1
2da0c5a078871e224c9124d934ebcdcdf8136070

SHA256
1e7f5cadce40effd33c037e4cd75f1b44bade4442729ceb6f127b7cef10de20e

SHA512
7502dacbdd6b884597ed9d19e90de07afa3b30fe2afc61900fdde65dc3f3b2b8ac89408fc33b5ff7155e373ad562c62d4e1baefca2d60e608f5a42c4f72655e5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2d33e643130bba50fc8df8170e918508

SHA1
7342fc755421ba05150c6448516ef03e3f232c5d

SHA256
06f97ccd332df6448315572d0d496288de4f77050da9029768291933d3761a14

SHA512
d22c47c585c9a0245bb32735b0c76f74ddd5474fa5f81d2582e11d23790b40239c728810e0cae63c35d8958213167138bd99ca60cc86f017655cf0d3a608b452

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
781da1d5e98617305e652a0a5bd97603

SHA1
c75223e6b7e5f04a8022c69265c1878274170d48

SHA256
824438ff06481142f574ea5aedd33330f4ebb204655793db0fc736d52ebed737

SHA512
b3f4e782e01fc16aee01e2cbe92a6858ec4c4a704b1b1ec16fd7ea7e5de43e28fb4439314c7b86f32b2fb2d4b05679352397a8af3fb4a99a4bbc065c51ab6ecf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
ef6e48c5373ca750584cef77a3961db5

SHA1
ba29a0ea1edde822ee145d9390ddfdb26d34c5a0

SHA256
c632748581e17ee6052bae0c8fe3d0c8e1520ecc659081d5ecadb3c8d261864e

SHA512
a3703ff43e415be003880c0e7e8324acc8a220aa09a52e353f8385d133143413aa2f11018db1623b47dd96aa1fed522796d9c74c8d3f782ca742f1cfd2907533

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
05f0bafb5da64ed3b6bf81d21f32de1c

SHA1
2037bac011e3463e286e589b3774b7e8e19057e1

SHA256
964de84de528b2a6a0e65f7ccbfa49d73d30d00f686c8430b39b154d8ba3f793

SHA512
e86947ea64d0be03df6270a17a9fc984bbaf8739aee2f40adda545ccf8e77e6c55ec09d3bf8b036834954ece680850d688acb09c09ab119fb5e0fe9883a4ffeb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b95deed637c3753892940f7e18fc3cd3

SHA1
3474e853fcde36567517ec526a97ba67565e8ba9

SHA256
4fdd81991442e8af5a6c8a4b20e63373c1bef852bd7160bd966c79d3b986dc28

SHA512
b4d16f600caf6afb9e80ec73194d6d87bf872a2d0746aff2ea22dba42d42478f8cb67d48b3d39f9d22573e493ac85887c97555fdb2b077f52dceb3d65f3b7d98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
76fc174b127c2984e517737604db4450

SHA1
f12d533fc4a19d180ed8c9d6326849186d4a6630

SHA256
8f8e257cb8bd1163460315958aefd2f7deab8d4b6ef7c3697f4bd1272ae60a14

SHA512
3f66c960ed86cf8aadd6417ed9cd1666350173465f4207f56713bd1b7dbed7707631e5ebf137eb14c616227f0a7b394e8895dadbe96a664c03dbc99629ec5b80

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f338ae524540db644c6a011a31626bd8

SHA1
3702f4446fe8fd8c174743882674370562838c4a

SHA256
5ec123569bbbeefeebe1e60867a345713021eabb8186ec9316f1d60b2f90975b

SHA512
0ad648d8ec85688b794d596e469768f61b488bc7c20c2d9d7e0134558b7b187823c4508e1e99a313eb248a3988943000ed479e0eef5f6ef43f6b2721b9a30273

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
deb13adabe108e2fd6d88e68d8df1d3c

SHA1
b0ba2ca4fe321631140bf865b27e6e88dbbe7b4c

SHA256
1a97e2942b936862d5a9d0771dc6c3bfad1bc3754e551e2c6f9814226cdd4ef9

SHA512
2ec348547880936b03c833dc3cbd1ffb2154f2df1d999a8196d327f7d0b4f4d67774d373d5165f762939ac5b258a49a2f7f944504767e1adc854665fad59d48d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
64c5a6fa29af017a65ce04d0bec7d2e0

SHA1
ac7a8deb79fb32387565784495b6f739e7e48ef5

SHA256
d57e13eaaaf0d50ce567b91a720f5f31cf47bac346adcc22fbac5e0d3e3f0d9e

SHA512
6ee40e6661dbd26866a76c62d55a6e2f6600f9bd7069a201cb0d840c848f7752e1435d7129014ec114351a12fd0c6a5d96ed4f5efb2538d6e20f7ccfd04e13a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
29d1e0f5a74a33485f04f9db2691e27c

SHA1
3cfce5734663282f7f20ad1b15d8c09e84707b37

SHA256
6c1e844729288e16b0a4db212b7d1de0b7148f14c91488e1c01bc865e5c1df6f

SHA512
6b986f5717d5ffba18b9c61c45ce6d6cd20e6fe21c9d53c8ba626a05aa60c0b908d80652d5b6a997b43f1aebea684cb77b2fc8b5739d44bf8fd734ad5c0080aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
18ccd97ab8c8de366a501822815ba06c

SHA1
788a5ca832213df29934ed02a5acffcc9c3059da

SHA256
46b796b4468be9389a55ea4c55b994c51d41718034d2b1604b63c8eb9dc66c67

SHA512
90dfa887b8ebf7fff19b49f9d1e8b1a6a3e9b8da4ceb4b23ddb6bd7be686a25da39b884dbf3786b2e3ca04779b19e657ead862acb4d62a7e3fff9350a5a8b3cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
39fe88de6a6228dada2363634c32de27

SHA1
d15ef3a9e3d6246f9cd5ed5dd10cf1736dc9e003

SHA256
dc7a036bc05669a33bdd5a1f56ea4d2fd76d25a9d3a57a58b53ba45f39b9302b

SHA512
e2b43d81b32aab81eb74da7861281fc92852586e8949956dde59cbf61dec6a20a87598fc34e82f85b2e5716bb52537bfc99010cac66541b7efbfff160373ae2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
1c5a209471c13bbcd542897cb7a8279a

SHA1
bfbc2353aa8e684674fa780c2f3b6e179b5abac7

SHA256
b6d911e022d29367cdd9c5d0aa83472851e3e327417727d23f89272757fbcc44

SHA512
20d584c34b3499ecfda6ef2c18ecbce5a4740e8fbe85529d391e8be233be036792bc9d3c7c715b14b80a4ee4ffa127407c0da7b2824905dc7afa96167f196bd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2983d90336572e4c57bc65cf011e512f

SHA1
640c8cad681cf2a89db91854c5acdfaccb0727ae

SHA256
b86da2bc67342d26d6ec5ee202d2f7c5d767b67edc1eb415a0cb8e82845ea12d

SHA512
25f228be357799eadcb8ee2492059a9332f14088bca646962b646a636758b73f88b1932aa2a4a36e201cadc0b17c156bc8923bf0b33d4a35eaffff27808e3a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
2459ca88c8e1e15f249640d381521963

SHA1
949a752336270c73d81d01e352d7e1a76d052bb2

SHA256
fcda3879d3cf6284a5ed38815c36b6c2feb6aa5d0a5e327a6cf1c9e34a1cf5cf

SHA512
4a39a687ea0e5fa9476cb915e1c608752b3748d9e29e2fe8df0d770e58ed319eea1dadf3d2c87b8d15463948f76e3ab0b5384303083059d0baf273fbdaca197f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
7a478675b036dadf00a8692bb3d7273e

SHA1
5e01dd28cc6d889dd12420bd28ecd7a7de071128

SHA256
ed831f9776d10478a73e7538e4275571c54b5d6ec4c022342f872e420e2fb5d6

SHA512
959c907b48acbc6ab54f9435f6152cc9ac26b9f3055713979b901f37c7cd272cdf01b6ef7eb64ee04cdf04c5b7f0afdb7bfb3c97d5efc68b0e50848438c12a2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
ad4ea08f1f949de7e6eb2c1a4fc0273b

SHA1
8176d018ee7c18728bdd042ff05ea3efb3ac9d6a

SHA256
5b74eb5947399fb3b586f60cc1f0e6c9e998daa67f3bb1b14633275f4e44da89

SHA512
5ef431c96aca2d81abda795404691a7dc5ac1a6f3beecd4e7f2f578b39f3e0a8dc5a6d80f2d0e186603200836292d1809f02274eb2a68d39008131b44e146c2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ca67b4f53a6e83c882c718ae5149c700

SHA1
cb9dcf0e52908d4e1b1ab4abc017626cfd311666

SHA256
c8421737c4da614551932407dca5791b5f69a6be1688bb58747c04cea1ca53f8

SHA512
c15c1def55658cb2cfa212809850db211616f05c9fd4f56a88f6e9be161c9a23e8c8770c31688215f962ecfabaab80948a9fa70e179de61bb876bd2bffe29f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
7af5a109517113d8f3bc3c072f49f2e1

SHA1
c6e9e5c79d11c17d0cfeb152d5986436f70d74e7

SHA256
0d9207d120f0afffea2c54527ef4d6fd5c00bdacce8f1d1223203eba758ada11

SHA512
e255c79af9873bb2bb9639d937ec30efa4eb1226ed783430ca1c93fcb473b36a9dfdafb6f345e1602092fa1ae05bc3c072ae7072bb4d5b3bab440310a89c0a44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
06f53a31e9294875dde12c08cf32ff35

SHA1
68e4165f20deebdb69a690135b18e44712f307ed

SHA256
14ee0d3255287fa80112278c3704b24db3d0eae036624769c219fa9b7fcf052f

SHA512
8205148e578e271d26ea3cfda508fbf91a67f8d54dd49f017a400eecff1bbeca0f8ce50495a8d5cb723669e9e5870089b43b7a1fe8ab6ae10951638f718164e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
48d8d718c7cf9733f002182ea48221b6

SHA1
68c154d13e2ed8985cc6bd444f1818bc955b8ca1

SHA256
392e46425f5cea1dde2fb33ccc0a568991b6e955fee7ee222b63e216a33801f1

SHA512
453669a14a2116cb02ccd944461e770a204d2178ae1700b3e5418f1c3beca6c1ebfc08e4697a367651188e1d3920660bfd15c6d692e6a66795debcccaf8a944e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
9e168a11ed1c870264a18a4ac58e12ab

SHA1
914dc2d557d7a0c45427c34518de3d2c7bd60521

SHA256
353fbd63a1e505be4194507e57ade9c6725d26a9e4776d0f4a989791c94f2858

SHA512
27630dbea1ba7b70948a885bd3ec39874ceccdae9dbdb562f48c82d8456b163b4d0ee2cfd04eb03dc3d425cc9bada25c299dda06f2366b4b671ad3724668abc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
48dd3e880b7322013493500db411e155

SHA1
b39bbcc3c1db009fbdf08ca34102974071edbcaa

SHA256
6fc2e85fce9e57a43f8afb58e41d679dd58a46dd386e6ae57c796fe698040d1b

SHA512
f0efd2c8dd88de022245b729435f4b04a5993eb337f0a15856a787f4651d54647efaee60c34f1260b20d6c932ef2f65ec95f0fb1f742cf5bd88d8ccaa55e4f04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
90f68271d4a383590a7fff90e054f1ea

SHA1
729259adf80bd28b250c35f7058d8de3155f34d0

SHA256
b504ffad0f8f0f083f5d6554bcb937bea210de9233dca44cca6d3b9753aef7ba

SHA512
e5231fb3e7c30d5ec100f17e293b15b138cb33e672965c6cccaa1320f625878c1584b577a658c7b0835dffe3301dd6b15f24973d1bf1653f36ea0071e64c19cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
3f8cbec7ca4bdbed312e8587053cd1e0

SHA1
bba9d1515bd1511c207ac33ae5e6f92df46ec30e

SHA256
f920f636a0f717b5b89f7fdbf30c3b8640eadc9246e55c1c0c3fcf825bce71a3

SHA512
813c3eaced43ecb8487c52d058b04b2a3ccad194d92dd0bd27ee2a702a15a6ea2d4647aef09ee5fdcfffa644935801c2a7e2ba64277b487118186965736ce29e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
27a80e77a95790ea23d2780c016f52c0

SHA1
5da516fad54fe7eddc1c33b3aa3bc01b91573673

SHA256
ec24d0fa7c63f452ffd3ceaa01f1f3722aa0eb2a0e218f7659eb4205e3073f39

SHA512
6f9afdb779264a6e99f3abc6b65bb3c74034959d950708f2b3a984f724a63376d08859e926d201bc2bbbd0f927d2ed173fbf1a327e1a5607c99d21fcd174a386

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a733981dcd7c40d318ac065092b22e19

SHA1
b73eb4628a07ada7edbf23c8a3e6a8c9a5834ea5

SHA256
5f8751640344925c412fa915368202ee5f5a1c502f7883606577da2bf39f291f

SHA512
3c2836ff2fdf6ff763ed5e53e1f0a9c55c75466f322c473ebd53fb0356c29b7ff8a2747351c95475f23c58ac48f7131681c64749c9c9a5bc651079a4b17ec929

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
24b17931e8390ec1a17d57bd8c195b06

SHA1
03a7b4df8eaadf478aa80bcd4919a9bfdd1988a6

SHA256
b4b462bcdfa7dc7fc1adbb0b1e5f578109224056c8b844b9b4f8ba4c9a0fe89a

SHA512
7989c7795d0a3866420b8876fdfbd0c4fc503cf0a476cb32b5ed622f27d1ebe088f7b2f56ad1a6c8909ac68605b19fa4f11ef92a9bbfacaf929e0bd673479500

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
8198016c1ae14f548b7bb6dcf5558204

SHA1
3f93b054d3ac2887bcb7e08aae139248986c59dc

SHA256
298c5707213ef2a4995f5c83b7b2a01eaa869cfba878760a98041c13cd64795f

SHA512
fc14e17e5b0499ee8dfad59d8f6d726a7ad5c8696fab2b0c0a93f8c8c6fdc85c7fe643dc1820a4822ea614eb7b904e4719b54f129fdc9e0f1f4fd8d1741e1218

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ccf70b9eefff8c4b3a9e3c2f6b30b086

SHA1
38bf93a7e0cd343d01ce13790a40c8665c44a97c

SHA256
832d7165e5c7eadbf5e93dde102ac15264ea5fd3142b2e0b43f555e8652130ba

SHA512
dbc478ccbd4d892d3ca664490ff9b7adc7ed9cdd581bdeaa9ad0fa095d3a7a87bfad79b1b2a37dbd200dcc5c5ac48471386e5c6e3c5aa92edf61ec60664e82ba

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
34f98437ce28c23d89c1491ec0e9c8ec

SHA1
b056ad7b1fb6501d217005f3d88b8fe77d02b3f7

SHA256
9985ae77eef8c15f04134bec695254eb15d88ef28d4416289a9474fa2255f12a

SHA512
02d0ba1982c940a834a2187f6eb501c819991086de6a55686ff5360d2506d77a609f08c93c43588236c408c5be6155f3b15090ff369e996201243fa4f1c02331

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bce718f1ae45d3775d54a6285bc8d6ff

SHA1
401c99d301035f7242f252b28e45d5396944bcae

SHA256
99ad71244d4bb2d4bee9da4b5e9a2433413b04d54eb49850e9b34b1e37069bcc

SHA512
669c6d501d9e0f0a2511096b8fb38201027b0d4b97f331b83b2ff044f6d4dfcce03a5afef95c07e64d5c996a7b10ff42563be33e581280f31868ea389fed10c2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3c57cdd0148219673d5706dcb53cd022

SHA1
49da62594271753026463e5073c7e2bf14382f84

SHA256
40f4dc34b0aef541e90b9f3147a1d83a1bcd659cf8c1268d163449953f4dffe2

SHA512
748d1fb1b0f6f9259c9ab43548313269453c6071bb76a85706b216df838c90875915a00ba9275ef10cc15c5a51fa1be2cf4c8eb5c122b0ce135b68e827f0c0ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
e9ed6a9a5d38ae679c869a1365acd3f2

SHA1
98c66cc5ad273cf20b347941eafa8853df613c81

SHA256
f215af792ee3449854de9a80747158b35a1dad299bee0bf7624eedcb98a596c6

SHA512
81b5f5040af6c79a2e1b2e2c681ec26fdc5e8b14dd63db95add38a296e0c9f4716284acd87124ba1f4678b6abd99d716472e248837bf7134864948d574221617

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3c29735155824e3c36ba611e114cbf84

SHA1
6a877f39c189cc63a10aaaf20ac0cefe27a1fa0e

SHA256
d0dd7a44f1fd18b4baee8cd2f099767f28de1fd71f228861313f308947641c90

SHA512
d04cfd005694234d0e843a3a486497ebb48cd32d6f3696d7e4ff3de3648a3843ccae05c5e7050eb717950990c95a755ad1f2375ee39990fe941797b2d783bf41

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7cf10db498351bc4d0df6648fb49df9b

SHA1
9f3d6ffcd8e963674d5e5e756ce95758297cb686

SHA256
7619576c6a38e0029eba5b2ae51fa1995ee91f239df62192e3d031e4a566eb34

SHA512
f0dcc93c8a5ef48050c56032dca199841658b80e5aa9b2f3d11640bbbd692702ebaa0c4c33a550201ca74da6e75162d6fd80ce5c7d7c97e902cbc0c13080c258

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aebd15e7a58350bb00a7a688838290c9

SHA1
4cc8e05ce79308bb8a58a70bc952089dfb0b2ef3

SHA256
351437e64251347ca04aa3a3b47e55d033800ceb279584e34ac75471a5c1ed46

SHA512
20d2b0ea9b6da59703814f25c02a49a5e8d247a1867d8571c5dc3af98e5925d367e8ea453c9417a51f7b490df4502aeb513f6417f278c34782a6beceab7cea7a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cace372725a2268b852184b8d32bc1b3

SHA1
a616e807bf58123e68d9f78c255aa0c5168069ab

SHA256
e76dcc9fff6ddcbaab4f3d5204de4083c7088e66831195e3935eac76e0c8e50d

SHA512
f4023fcaf2010b8c0699d669e19563d126fb7425c04d1d38bd9ea3742bd2e7801bae57663fc452857836b1c749fafbd4dc9e420f510d0c1e09a21c776def88b1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f4a0f764d64def8fac884c018cc9432c

SHA1
e378f6b3cd1428111de8f20553154ae63d27258d

SHA256
7f251e8001edf387630681b1448cbbca352ea1a0385a29bfec0ce5f026290274

SHA512
2b9355bf61334fa2e401b38831ad536ed330869e4d87ea6d06562c11cc393999ec3922fecdae2d216039adadef1fff44c777451dbb628ae03c38e968833ba858

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce18d3994a856b56cea5782f574c9900

SHA1
1c52024c8c3edc9c702d94ab37f7609abcc67a3c

SHA256
0433877e6ee79ec96c545cd03f8d8d268bacd33864ae654d7cecef9cb384d0cf

SHA512
d4c9d4c24a19111655fbcb37f67f41fd0b3d1557aff43ca28547348c49561f387d644adb0acd53b62e3f3e53adc997884fa471b1158e0e9f51bd6672bf98a121

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
17a22eeaa1b90f825d784fb5d10b5fd8

SHA1
0f721aff14111a3d54e8f80317369994e56fb3a8

SHA256
8c731aa7c18ed09e141ce283f5943423445aad4f7bfde1f557a70a25ad774d9f

SHA512
382903442913b841ae74ac31d005e99328344126de41c6e58858857d9f806ae78067d25cd3d69e2d9654d04aaaf85385f0a253671f493a8803320131317ac7dd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
7c9ecfc364ffc5433ef3b0947a8015aa

SHA1
39e789478d97b1d462d34ccd69546fba1b24d05f

SHA256
d6597581e402e833758e7a075caae1ade2683fdcea1cd46b6645d090e57a6139

SHA512
face5d6d69db8b1c4a64282879e6ac96ef7ac307801ea93d0bde6d8cc2089aabd86a5d334c34bae825bfe107fedbabc954f65c9c1f996ad6b2117dc2973ddce5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a3dda36636851ff89fc457afcedda315

SHA1
0661d566c7cd139616f0d438596387fac028979a

SHA256
f9473608ba3c78e64d8b24d6db28a3942ea5b60e8fcae7b8f80beb9f88be6fe5

SHA512
bde0d0d06a6a83d4311f60e55387c420ce1e0cad286b556f97257ededad10bf9838de888baa2ee4f9b66a25c04b2dffa67ceeb7d808293e395d170737b9f0ca1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9010f24b46d33111a11cb08a748d3fa2

SHA1
891d6ca9fcaeaca4107a110e707fe697f80bf88e

SHA256
2003c6ed5cdea906ecd4444c843df3889b86bbd04ecf1b971553ff2f9196c143

SHA512
c623ebf9527f1a69fe6405c66664447d511002468ebeaca5f8b64ce1a15ef2c7b0cdb4d0a2312594830dad38075f2223b6058a9bfce6b53b1054b06a9985257c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2e6709d58460316f049f73e3856fa800

SHA1
a64e606e65c0df6673d8bfa4d3002555bbf3da49

SHA256
32e974713fb3ac4b94444e7a924cbd7b98928b70d1e3f32546f6df7d9946a00d

SHA512
da5f206d452eb2c7beefe7be0821fe1c34d758b39d675011455609935f174b0bd009a6c29e90cf4260472e3775f7db36374aa28e86e3b5a058b5d7bd59ee7d03

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12949f7305c624dfac0cbe0466e56bc9

SHA1
85c1fb0728743a0cf3d702885ccf296f5bfe7d4a

SHA256
3c7fc8d9138f7705d1ed65d28b71fb2307f05f9fba130dc7c42ac2973faa0c4f

SHA512
20622afaeeec651973e7a26499390d2a123e4ca03e0955f6914c60e916d4634b5912837376abd3811f48e4d155fdc1832e0d77b92db9ed6149bce9c5f78a0a79

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ff645dbd3829bbac9fb2983ee98d6a53

SHA1
f11efd8d0cd06fc3f3be27a588059d3a41c54d4b

SHA256
195b0da6a474566777a92d7c3879bf275ea990775d0fd301c710bd86b7a04d92

SHA512
28f9d99aa408b9263674c8297fd3ee135532f553c9aab9b00f814cf5a22f3dc284cb8572b6f3033391343ee743c2f477beadf9b689e5c405548d6fd6d421c8ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c287fcb81433301ddc25629f6fc72635

SHA1
901eb996a6b747ae3609bbf92aaf3820e917a5e5

SHA256
a052a11993ab985bbea9d84c6593c3d0261c062095a9488b220078c22eb764da

SHA512
014a27b26c025793b5176551e1ea287bddefe5531001e580ee979a6f6c7d76b55e453e5281ac9b62557a5c75fa7da1517bbd0a14da2e8432450c3c396d3bd567

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
56498633a7b85f6e32a8cc0670ddafe9

SHA1
9d103e331ea23d9af4232d83757a0ce56cac2274

SHA256
fdc979554eeb2752ba7d2fa4a2e24d0eac369e34592554941c4fef6295c6b6f0

SHA512
a477f2a1cbe093aa7780877a73ed6c10508978b80a5d0c24d48a7bf510122c8a6b35e48dd5bee615e340ed5babdddf2ff9d3a0e11687a16672b4b1bd23627c23

Download Submit
memory/116-796-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/116-334-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/468-105-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/468-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/468-112-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/468-114-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/468-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-795-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/744-322-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1216-272-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1216-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1216-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1216-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1308-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1308-794-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2008-333-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2008-204-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2468-157-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2468-167-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/2784-791-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2784-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2832-662-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2832-273-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2852-1-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/2852-149-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2852-6-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/2852-574-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2852-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3088-179-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/3100-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3100-797-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3176-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3176-486-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3196-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3196-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3248-181-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3248-93-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3248-100-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3248-101-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3248-99-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3492-321-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/3492-182-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/3528-261-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/3528-661-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/3988-68-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3988-166-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/3988-88-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3988-87-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/4332-249-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4372-252-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4372-119-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4372-125-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4372-127-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4484-215-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/4792-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-141-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4796-147-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4796-153-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4796-152-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4796-155-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download