565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
Size

1.8MB
MD5

dcd650dc1d3bb431a0dbe7fdca78da20
SHA1

bb13198a6f86baa5f36fba389718441f386b4015
SHA256

565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c
SHA512

3449ad379ed2afe3d84096138ca140220c9c8f4164efeff420526bc11c429478efe843cc1dd77e0497d3af49bcaf947a9ba4464c7ddb9c68c137e0e268cc9aed
SSDEEP

49152:dKJ0WR7AFPyyiSruXKpk3WFDL9zxnSq+pFzz+/2fNR:dKlBAFPydSS6W6X9lnX+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2880	alg.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
1852	fxssvc.exe
5000	elevation_service.exe
4412	elevation_service.exe
3488	maintenanceservice.exe
2280	msdtc.exe
3980	OSE.EXE
948	PerceptionSimulationService.exe
3880	perfhost.exe
2860	locator.exe
2140	SensorDataService.exe
4336	snmptrap.exe
2888	spectrum.exe
2656	ssh-agent.exe
4400	TieringEngineService.exe
3848	AgentService.exe
4540	vds.exe
3200	vssvc.exe
4012	wbengine.exe
3444	WmiApSrv.exe
1624	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\locator.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\21c0b3f6e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_uk.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdate.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\GoogleUpdateOnDemand.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_es-419.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_is.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_it.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_ml.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_zh-CN.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_am.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\goopdateres_sk.dll	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM56BB.tmp\GoogleUpdateCore.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe

Drops file in Windows directory 4 IoCs

Processes:

565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038dbde4de8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000995c834ee8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008080c84ee8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093365d4ee8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016ad724ee8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002784e44ce8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000521a74ee8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe
2792	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3928	565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
Token: SeAuditPrivilege	1852	fxssvc.exe
Token: SeRestorePrivilege	4400	TieringEngineService.exe
Token: SeManageVolumePrivilege	4400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3848	AgentService.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe
Token: SeBackupPrivilege	4012	wbengine.exe
Token: SeRestorePrivilege	4012	wbengine.exe
Token: SeSecurityPrivilege	4012	wbengine.exe
Token: 33	1624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1624	SearchIndexer.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	2792	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1624 wrote to memory of 1952	1624	SearchIndexer.exe	SearchProtocolHost.exe
PID 1624 wrote to memory of 1952	1624	SearchIndexer.exe	SearchProtocolHost.exe
PID 1624 wrote to memory of 4520	1624	SearchIndexer.exe	SearchFilterHost.exe
PID 1624 wrote to memory of 4520	1624	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe
"C:\Users\Admin\AppData\Local\Temp\565083087159c893bd1983438b9dfe0098a8fa09dd326112bebe07f36b1b135c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1952

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2a834cbe1b388eef4a8308c339a2defd

SHA1
d28491767e555666150214cd90efa225d61ea5e8

SHA256
4004b682d3dd807fe32bd96769a3f1749be733f81759ba1f778294198c288cf7

SHA512
a58e6a928f5e0acf6c1d7a392f82036c7f6d84b9bd7a8a349c044186fd50278967fe470bd4617a3b0d2c699b17d2ed8880a2a5932151c3a42f9d946fff0f2156

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
d3dcdb83bdc1ca44adbdd94698a9bcdb

SHA1
41482b337e3244e91aac6471dd31f219aeee627e

SHA256
af8a5abb94cd62ec6d1b0b57d4f40652b12b01fad42ab474477fbac01af4d86f

SHA512
2ae0c33b121eaa0af86441590c78c8feb03ad889335128022b8bcafec817c38ae1b71ba6526a1afe9e4ac00ab7fc9763f9ecf014779c34177ff43a503518af6c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
fd37561399829c296fb56d4efad722c1

SHA1
0512a75741d74a68057791185f7bc263332d1878

SHA256
eab5f05a2f6ad6e7fd10dc81740caaf9bf57fa129e10f3471b5160707871dcdf

SHA512
cd51b9f445e9d08f6090411828afeaaf9defb59ce149fd9768ca7e24b217c3cff3ec37f6d04188d864cd5b258422ee86fb347ebd3839a77667481c40ca22a103

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
57f537a4b626bcf7769103683430086d

SHA1
a3f7fb054dc260bbdbc2b5afea42f4a1c6284a63

SHA256
5576e6a82fceadae14d57f489f8ac1856b68b84ba8a63bf1c81a5a2297c8bf8e

SHA512
0d8e2b10a1edb300cc99816c6cc06feb11935c5de9e479ad16dffd712f8fcef2c870ad16b476f5442743c5c0d4d1069a83f45e54cbe65b054896a7bdf47109d2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6379f172a839e1f82001a598bc8de1e5

SHA1
8849a7a9fc34b47523df6143fa1fea62448be102

SHA256
621dddc5177d50c36571b1ec2b31b3005f25d786c6766e3a8c94b4f594c6ad84

SHA512
7c388c663a84f26afd7956c311b1e7d0423d0ab985e5f48011304a99980d5869c98c535f3363e842f0a643ce0e6ca8a18c5c5398a709b7059b2e61b856ff28a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
33a974ede9e503c67c527eeaf36e7cd1

SHA1
930273f112b6123dc20cb5a721895cfae013799e

SHA256
bb5f3ca1996bee2877c72736a9c84474c24bd1c86286a1b4ff88ee2313f63e8a

SHA512
ed91fc6df9f38a4397ea950ae9b440794db44fec708617d80c0d90fd8274348ba75a91113a88718fee527e926d16427e9daa8b56e0041342bc3624615256f846

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
d7053b244a62ef65de7bc1808623f18d

SHA1
c02dff409621cf46018aac89f76d0d97d8bf1708

SHA256
3aec34ed6bd9d9691ddda2b30d6a5786594439b5204ea7e08e840a68fd96a214

SHA512
3efa79c5fa1ff94ff8a0501b6bd77b5c37127a8ff0c6a919c39b1e3d10b146f5eadb3e088d6e611825058c527c671c1ef696a9cf655c4423fd7a102b5a7102f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4cde50e02d8fabb7c973695960493e74

SHA1
6d5882f8639afc1dcacb11d513ef4b1056c188c3

SHA256
044412b1a0ef68aa96251281cfc8b307f21d2eab31cc316e2fddb39610810d3c

SHA512
4db436de31a4b945cfcd4e5f7f3396082f6288d4072de138bda45e945c4d8afc898762aa9746690e5325f032cb93e9e05f761aa10613ab49aba22b8f48fdea5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
2c31475b0999e5c7e7e0afc4a3ae403b

SHA1
25741fb857993ebcb56438f6e05c757f4753f48f

SHA256
25e98f6f74ddc926cfc752414dd3570bffdaf593d13e58e182f6f30482929b6c

SHA512
e55f97dd068e6de3ddeb700db9939c26e1d6d12bcc14de50a6c206e2bee481b018386b73edf0a4ef10598796a939424e6d82d43a8c7ff6b6ad398373f5bfa73b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5fbf808206c2ba6667f7db1e9596d918

SHA1
b12ba180ed86d89b0c726e007b10d0b085f230e6

SHA256
2da956d312fa1539604681926ccda280d8038ae6003fa89970e2c8b4328e1332

SHA512
d90bf7bb729eabb99807e075eebc7173c826588e72092f43ed820fce135a6725a89667a55d7a7f04afbd80fabbac9a87f00749dd41556b2e14911577ea145532

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5df0db7e03827faa978e9d6540941b65

SHA1
72a0a2ad15670a43e49c97e465a289c5163e9d15

SHA256
c781a76023bbc63708de0b8b14d209e587d2fb8f4f1452f9d3452af647843f2a

SHA512
2d3801879b6a621c8c721622de791a5a517ccf168c7172141c244b54a4432bd1eecf9f5beb99a9487064a9c55cb9f0712cf337efddb43fa61369571d08d34faa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
88ba05c346f3d16ad2999a2133d37643

SHA1
d7a1ac1ef07fc1a0a223e79d8276f34935c75569

SHA256
ba4d497da677242c06f8617ce81c85b992d1424666ce3de0fd842a0cb39039ed

SHA512
a061416d25e344ef64e8fd7677f724a0fd7004a773e1a78411e4c3f604b173f5cccd85469da97edae47ae86c47eff89b99323b9ec97bb1c047765d6c684ea492

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9c740d69eb99e881b3b90331ae6d7be3

SHA1
92c458f5f5f34b727fa28e8d2cbd5de2156cc899

SHA256
6008f9565f5e157f7c131002a599ddfcd90dcde7120590d8a9567cbb543cd8a4

SHA512
5e1a931d64db95d64c10ff5f4fd013af655fb432e08f99128854fa50e6ce29cdc55080f3941ff32b12e8200825e731af30deb86609fe38d929c1806ee55cd8ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
561634e063123a23e7c5127e9e2a6f60

SHA1
eb6360c5cb8a1cb84b38d7a8ce072aa0799b688c

SHA256
d61455e1e2f95d9b3fed6778b58d531d53ad4e7a7442a1480fd4ae3d82b3e37f

SHA512
5336dd7db05b4c717672b03fee762eadd8ab5a5818ae583f3252d1288bf871f03b3cad90a97dd2856f43a3e853a3813af54cc840c1a6cf3fcb1b435bc7408e99

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e61fe9eef95ab2059f676ff2f7f03ac0

SHA1
903185ddf7523f0561c2f9760658ca6291457729

SHA256
0c8274457ac710924ed603165eb5924809d37f7984ef37369c28ca82591c79cf

SHA512
2b885c64c3bd615d6595a6a1449e3670b20b780b04325df446d55c118830baa590ac833953b0f057e0fee87756ad3bd0cbe6fe274e92e7f5c008eccddfc6e70d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
f4d91ae2db32dd9267e865ee3c6800f7

SHA1
0138a209bb63f6b819e776e39636543c9bba976f

SHA256
e7b6c2da4c2c420bc5dcf437f2dea12602ce9628d6fad75300d92fb65575160b

SHA512
e8e633e13bb2748f82400ab73870f16f4a2a0cf169045e196c325b3fb2499345938200238b0c95777c7fdcd7c7087b620b6c0dc7f4f797d2dee5bdf6698dce13

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
441c61d08cca862fc99908f8338214fe

SHA1
e2df9c3eaecd9c5f0cfddf48a56833c7bf2b0a7e

SHA256
706fb63a95a6dbd02047e91634e48ddabe4879596da27573e47a994fe19b08b4

SHA512
0d0429bf142d78a55bb40a2c50e257bb5303eda8b0adc2ad75afe3eaf5ec5b785aa8970916121b87ab15d06af93eb5ed905e40b54780df7868a77389992c25fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
07fe0fbf071f59181b9cbb40ae8fe39c

SHA1
f8804a0450a3b536f208fa7ba626773d16fda5f8

SHA256
36a7e6ad953d4daee08a25bd3c9ed6569c59d9920463b39f88c9a4a70f8583df

SHA512
465536235938f24d8565490b673c5aae00186ec540bf8cd08e66bdfc85bc0ee902703ace5f0734fabe48fa67244d4bbb0d8d6ac1011b674258607e9d45e7d2be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
c42283e7af5bfd3d91b81d7d43611ed5

SHA1
1d1f9c0cae9d56ae21847dcb76c41abdf736a292

SHA256
03fb66533e5b2e769a9604ee6f48b49672be867feffd4f8316f3482385b37fb5

SHA512
d411ed1253d4d041dfbd7ed1da7a4112178308936e24fc1a82522b707551a48dde74f159d119d50151bcd8205fce884de23cef2a5aae0fcd219b26d19ebeca8a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f2c53e65dffcc807ea32231226f15ab6

SHA1
22ca2af2bf61349386a03c206acce77e65bc8d45

SHA256
ba904f0e483b672cd8ed1bd0fd3bc572602a288fec5457d25f132308e04ec8a6

SHA512
7abbc4bfe7c70172ca96d43aeabfce1310ced5b671f653eb622db9e32d007075648e8f8aa775e2baed3281282d20c5d215cbd43fe2dd7e6618c780c86ddb7629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
06eba178b821c8c9336118ddebab6fce

SHA1
8045631aabc65dc6e9f964a749ce2a85b8ccfcb7

SHA256
c87528ef7af9805a46290417a75cf7557565bad8055d90d637b0bf92b9872f4d

SHA512
13e259980a601ef33a8abb05a6f4f3bdf334d025ffbdd3449761127d5e61c481ab17e775d4ae84c073c8a4d8215f5a95cfea55b2630457bfc3cbf76c039e87bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
96cdedd7ed4589c628ed20a2f68ac29f

SHA1
ed38cd086e9ef3b0dcccbd380e68664f4afc59d9

SHA256
1c14040bfb3037da014d52fe83bdf2340b9113d50ec1c577f83a1cd3cf5ae1ff

SHA512
cd52dfe5e1e3e743bad20e5dd2a83f5f439a765454d377748d3b7cb02795577988819072bc79f538966d4c55f44f18515e369d33bdbbe17135eb5dc15d718c95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
3f98b1a12e37076b3b6e6f3265044c8b

SHA1
f7ea79137d49eb9831c41f0441d7a22edf2c33ac

SHA256
884e40bb2ce209cc7521729a7007bd796eed549c423f80d799d6a4fba6b69f20

SHA512
fa869bf8319bba190cf2dcf588c6a3974665e0810048cba0377424da8b762ee484b720e27b30ba42f6377998bc0cd9e9d71c3180e9cef878570dad92d3347343

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6bf77b9d9b2d692f739bf1b770fce61b

SHA1
2720df655197769a6b01ad561d11f73446686982

SHA256
36f8b519bd9515dad7548a8abfaff300bacd510856557bdaa8270eeb64e315bb

SHA512
e001bec2e73a3c9387a450ff4446bc97386cc80577d4624ebfede3391f2ca516981d642aa2c2679a8ab55203d0e20a4fce76a5a698d90950271b806334b0a194

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
453001e8b8425b9aa5c31d1011d1bce4

SHA1
210e2e79497d26454305c4cc22f47193f02440eb

SHA256
4811405b3ca086f95effdadaa3ed0e5f0e25b1a07bcfeea1119131582163dabe

SHA512
16be52dbd09f4eda00b820dc65b00e31104d467b5c4358122480bd69ba37b0eee05c97e5917f861151b4758b55572bb89ceec469949ae1d83df38d036ca622de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
59798ecd857ac327114412ab721de14a

SHA1
68e6ab5769f947579d8159317714785cba62b314

SHA256
ce93984f23e784b22d8b599204dd62c2d595b48746e505abec8243d1eb96ef0a

SHA512
b4cf79a7b8fa03622a3f97a38dfe009f42ffab8158afe12f61b7129bc1f34fa6b964b34e2f1988da45d9fbc5f328ff9e81d1664e986b5fc4f7df26ed6c90d47f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
08ff27ce36e68b53565c13d2d4d0aa89

SHA1
e78cfbb4244f7e6e480938b4205fdc992fc1267b

SHA256
34345033963a3db97296e610eeb2ac0d71ceb8647bdb5e7322372f1c4789a09f

SHA512
2ebcff8be28bbfcba7d553e812379517f4307c7fbb55f056dace427fc1d76e8eed39fd7ef9fde72043342b7b3010b4748a2a9eb943a5050002972beefef6d9b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
65a62dd4c0a3b2398f86c2ed516536f6

SHA1
1c49d5106ab96bdc9d243ff47f0cc4e6b6386a18

SHA256
6aff674079a30db0e41d3251322ee4cbe5993db8174bb99a4d0e9bf0b09605ca

SHA512
f4d4746c737861ae93d65102b7187acb07ece016ac1049560bb5ea8f57e9ca59ac918fe7336eb3f5467147385235b09cf1fbbf7a861dd6854906c560d2d55537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
91eb75d5a603dd09e5e8bdcabfd74f14

SHA1
f52b526e304966328e74880816af2cc8e9924dfb

SHA256
0088c5750b5c1833eb47e7aab81a4a1e43934f75b178d4f8594a48d7f262e283

SHA512
f6b6a6b94345121458fdc33685cec29d5ff67d075e7f4409413f40712c834b105fab803d7b3f8aa9aa2b9da00588cd2a3da90d16bcc81e716471276ec4ee1789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
b7568300948a75bf57a1dbb8fa5f5d61

SHA1
f7272b7b5de556c5edb6e19f1dcbaf10a8a192c3

SHA256
7edd51e6c8a7c5b71d371c532e13e4cc09fe47a7fb1e4e1aebf0722725af70e0

SHA512
50b5e0cd857988f7a046627a6bb063b6b276a007b6936ffc4f958599910bd4dcd58328444ef9fd62f0661ecfcce41680899e027aa3a02531246fca39be6eaf35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ac175bea64f050dccb7606757d9cfd77

SHA1
26d634066df05ace7d0769603de75e763185209e

SHA256
73fab27e76b00d72cd8aaf9ee75500f8428530b45b23ebf100cfb25ee5606971

SHA512
60f7bc6b32823ece6d56d0fdc7755326ec5dbe0bcd707a4c598d1279d9035037aa1029acf2765c6df2d22f37431457e6ab6b858cee3b9c3970278a141b7c0444

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
3c6fade5b7f7d89d4e84ef15380c9189

SHA1
98afee2eaac17f84ffd0fcc1be1f160dac2e7f4d

SHA256
b36f4c7f14eb61595370d6998463d462def1a43065102de13f071744ed0b6fb4

SHA512
387074e26d7ce907945582d547b40c782e78eba1ea13c8f8e9eabccac9b2225eef353b960df0cd2dbe391b2392e08a46cdd407d644e034531c2cec9329a04a0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a1351b99bc55c7b87d6adfbbe16c695d

SHA1
7c84c72541ce4c24601bb1e97605f468fba53d58

SHA256
c03199ac2b90f2a7cd6babaaf18b225ca5cd1abcd8a3b36cd1f4691028be98ce

SHA512
1aa89c35d3ff2f3925854e51011270bf5c9075a0d96c97154161c2e8de02e7a9fc4d15920482d1e8154dfa1abcecced15a5db7e9fe673a9c6376a309e82922ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
bcaea7920f54c0ede972fcfcd767e9db

SHA1
8f4a9d796aa41b917bfbc261e0c2654d6a3cd8a4

SHA256
6afaa8d988dfa7b55c73ad3fb5451af1b437c8df6c2e2a873294191eb281351b

SHA512
e1d350febd83fd68cb4255428d8d9e89cb85024cdda89647c89b1a0a5d29a21f703cfb42558675112c6fe9458807d3b4f339faec6c7be2c9423559d4cebd83f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
7aa72b3320d8be7d270a288c93712fa6

SHA1
06de8526181775c0ecf569ce36667d038596c9e3

SHA256
aef1504be555c8e39a0695c855dae767ac70dbf33813e3094ceef25b84ac7f66

SHA512
05ef1ef41c1997747527c57eb2a5b82b0476cbac23040dd0f586a3fd30e33770c8b0626358ce40aea15997322192846dd0441cad169945dbf82dd48753467456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
60cf36e592511f7a5c08149bd036b849

SHA1
81d6eed6689ef554d6d72cff7e9d56e799a07d44

SHA256
c6b46820101d7429dbd09ab4369ab1780e1b9ae39bf306be5953672a5ee538a7

SHA512
2fd425a83d6725b4904c140adc0119b6917e09a3546bb26f1451d94361f3e7b85c4d8945677933c7706859cb550a0c8032e347bb57ad5097a6e229a7aeece3e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
4d70992d4a48873fe5ec30990d642162

SHA1
31d435129a2b0b4589d65c79686dcd7a0e043cd7

SHA256
646bb8420a536779112c923705c6880dad3cebe8362be09bdba3b5a554e23acf

SHA512
0de53e0eec960cd2df82150c325cf1e8c96ef10ee55fead1a09fca46cbd625545c3c74fbf65d274f0a1419c1a728539d8a1f6b569081577256d1118bcd0cba9d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0154b7c39f2375a2eda0ebc790881398

SHA1
e28e81b9ee37e06f8d2a31edb969935f1031a30a

SHA256
d51d5e4517fbde237bd720222dc359d19d5611607934358b9bf10bc1ba6a457a

SHA512
7b08f6e8bd8c96af56a51b037467b98850f6db62617996412f22aa611c736f9ae78e9fe3d8c03f95c56f2b3f2f18016cf6587dcdc99cd4695dd1c26e9a83c864

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
2ae001ad851b198ce0bdb5068d75df97

SHA1
8285850ade211f8b6e6257485829e7be0b4acb3c

SHA256
3c56b6eaf72cdda0eefec4428982ef80b83be808277ae82646b42cc9270c791c

SHA512
ee278a0d650113f25d862be4b299ca3dd0f46b1fd07ad7b9dec96565f5ad02723eb9156cc5fe38f5109878a1d9d8c6e528466ef57ea13395fc67fd0f22885c93

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
8e1d8cb5d121b9866799cba4783b0ccf

SHA1
ab059a4fd40b1ecd15b3b9c6d7a93b5fdcf70a7e

SHA256
a5da32f8455f3eb94c2c82d70f5138f522a43694ea28084c4d7dbe8c1dcbe2e1

SHA512
0b9a98dff2e4ecc42270efab36c4fbb75ff569201a9615721fe3e63e0f774be2320077e5c707b63a1a1bf7a8f6c289a66987e99174ac1f52021629b1ba3fbc91

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2353b0079d2d4e29d0bc18bdbc8d2c14

SHA1
636ffe50607ad10517aa3055c00475d3c15cee10

SHA256
b1c2b432082b112c72e69bb2607384ec8373d3cfe14ecf4aa3629e2ddf865f9f

SHA512
cd2da7c8734016a6f5de56cac302038d7f7168eba927323d7ea8fdc4dbaf44bdac66a189dea6f1974bd6d3bc3fb40d006749af6532f5ae378a1422b61e4e48b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
1e131ccb01a316d1656050243d4a785c

SHA1
bf6663614ccc2feb4dc165a2e0189a1363981467

SHA256
6af606d3aa913a953ba701aaa9ff6c83400f004a4bfa3cd8ec8dae600e0fa5b5

SHA512
0896d73aa9fd468cf8c50fee4d44049485bd33c009e100942f2a2fe3df3b0371c63abbe250816a318282bc780b9175d482ae1eaf8ba89872ddf1e763fed871ff

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
64bcdc65fd58669c2c97a0e149733c36

SHA1
0c299b5a06ace13d0e6ba7c985dc262fc0257e91

SHA256
754a6dde18c8ed6ff749170c5a246cbacfb1a0c49e6da33b2836bfe490d95115

SHA512
b062f875a85731920cde8e93351724b17591a6b76ff4eb604ca3b9596e585b992a2e7d8acd52733099fd2f02c117f8d169514f65468f91d043eff367236f3b8b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
472ce6b1dea0dc8bd9f69a419da672c4

SHA1
dc1ec693a64486a16bde8abd9ba69d9692d2e3ee

SHA256
c85bf449e562e71bc748c381ca8158ca72e2d0f78571d5faeecfa3672eb4aed9

SHA512
9079bc407a2d9acf7f3709cc748a5cfd9cb95f0a4a436041c8b3ac397cec06ba9e6a024738059f9e768f4c57afc08d8517d597db920489ae771dbb218285f1c1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e31ce9b003b4079831d9498c7ae3a62b

SHA1
c639fbf1b82111c3e757ab7a90bd89403b85c99f

SHA256
165ef5745e518016efebc3fce85ef2601be73c53e08429539fe9a043288c8ec4

SHA512
5f87ec73da5a75c7675edf34e7f2fdbc17d3700dd52aef036c08f50e94f0bf8ae63ebac7c651ee967f2b4f891810e790c76cdfd3acdf45e1872746144caf8386

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
2cbd1d8ba662ba925a89da50e45c489d

SHA1
1d886e5aeaf209785e1c680c8236f43dc762bf9a

SHA256
ce4cca06834f0eec8c87456d6147bf5391235c43e0dd8e44c09ae1433012c943

SHA512
0c5c451c3f2e97e52cce1268841c54b71a9f63c1beaefc7ddbd2f04515c95169b4b8cfb5039afd298897a28028797894fdfa709607c95ad58506133197d6b9da

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e7a822c658d457f22ed07e17a8718b21

SHA1
0e109d816529f8644b82c3960fb33ec72ac7c744

SHA256
0da2f340aa36e00f62ab64ef82e148f21ce66ded01ea0494a663e73d8cfd5a14

SHA512
b183c3b556bc60cfa0e498ede13ada0ffec8abb17259baf2f7ac5e403b1995fa15226055b639d08001ff710bfc35f07d6fb5f12f5156d2104e656d31502f39f1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bfa0bcbdfcbdf091b887a85da0c79377

SHA1
ea129a6810d9f59dbfb2f8fb56135efecf898c60

SHA256
54b0b12337a94259f1afe6f2e0731e6602f472f0200454d174352dd1f7798d6c

SHA512
3a17a73e3e26fd0787bba0698d8f2eb1c9ed671b0e153237d187d7e9ec23e17bf85019671f882a85cc6d26579520195d61bf64786bfd2831522656b8eb120bf6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dd505bee033da192a7e16ab65ce4a908

SHA1
7a3552e8e429dfbe5d7909f5a8b63eeeb23b51f1

SHA256
3c3d364a2bf21d8eb413b02b9736d4b646a6d8c996fb782e01a779bb2024c9b5

SHA512
480f6f95ddda9e2eb475a9d434c36f0a5641ff89f0bf3c2dfc20ba8d33b73e947d06170a6348312916b7bcc5f104a4ecbbb8eb224b25984ec9c3bea35cc990b0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3a4ee002639778e7a35d903487397b4e

SHA1
8f3ca2de44b8c527a562504750ba3282c6134a28

SHA256
4541abbe6bd3499684a51fdc90f096b83efb11fd78b4ce44432cd0015982d21d

SHA512
44014bd866a701f78bc3ba9ebe76840551863af06f5acd72927fd389d306cd56ea46089e0e7caffd3d552a9598247b1e0920bf8f3cc9433423c8ceb91432b837

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f46064c564004f9911619697e60ea61b

SHA1
a2bd382e56ed1b0b4d8da4c75c1a348852af41e7

SHA256
5f9d63e21be55df6e09494f42e68c0e04ccb8331be5c0e05590f363d83d2250c

SHA512
ad8356cdd6c7b08d6711dab1d97309c86268cc4d0db1fa82a7be6bf8e8585f87839917ed36c611d739947afc5e0f48ce8958ebf61673e4ba753505e4ee060b51

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
3a4749c9597be0b3011f137c18578b04

SHA1
3d8c418b63b916cc742e1f5f3f655434ec185eb7

SHA256
6709547cf9b6f09cf4aaf9986c48deeb3421cb9f388ad984d2fe428b3b0f27cf

SHA512
3147e70460c883fb2fe5080b3a8518acd0bfec2d5ff812264e6830ddab6961cc787474d45c3ce6fa87bf311ed0c8baab8d02c6ee005259dfea698e5299609a47

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
535ba122c18e961fadd21638633a1a56

SHA1
84c1acb6ca4f647104bef2f6a56f64527bbc5462

SHA256
b030ffef6f7a55fc9e19338b8ca8cc8e7f3fba425c3084145f9851be418bf89c

SHA512
24f1f6fb1f95a9661996e7ca27b419e96800c532df2d3e54c33bf566d7649601958941b8c8d2273df3429c36fdc1f8d8af364c07d79726036927014ce277db14

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
7960d7c936b0199300e94ee47387e732

SHA1
c62d012ac95aa6c5b073d598571097e530debaf9

SHA256
dca88ea0b76bb79a78c1ac5cf633baf0d4b658ebebd3a0507ce1c4468ce85ca0

SHA512
2548c8e93b0b85c5ebff2bcef611c79814a20ba32f9b8ff0d808aa0b96bafac98b95084f7ac9a3b3f7a22c4e077db1dd31c8a4a91665cab28dc7aadb03aff017

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f9b0fbb89c2bd6ef9f915a9bd54289cc

SHA1
ae2449ceb712789d1798458b4fcb4117141d8aa8

SHA256
819d4e29baf84c0e184db8a18ef0ae972034a09772927ed7879521bfc6056359

SHA512
960395a33326949113d3e52572d41331b5eacb94918d8635ffe63b222cc898ad862ba7f19027d8d8d74792fcf8969172f7529aaf13bac7c5f52f6f1a5a889de5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
1dbe04003a2ccfe4bf0c4876d175b884

SHA1
7af0e8417e49fd4d5b35dd78a8439884792c04bd

SHA256
0e725ce50a0dfc6f9a01493ef8dfd33cd248c46a9cc1a959af76d70a3cb0813e

SHA512
15acaa8033bf4f6bcd407060cc6bd0155e0401e12984771f26861c45226597be5e3abdaed90313077aa53ea82913eb025bfcaaaf488c77e6a00100c83e2c9c0d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8faf137bcf23f1187a496a12d85b7a77

SHA1
3857b7f5458d99f2f5b927e1a34252081310cb7f

SHA256
08435c2be64b4c15f6b8f7933f452a80c20b98f8ff25a7017eba8aa2a275f862

SHA512
20be89444353db1603a045f5a2d6882d41a4c29da1840c4a257483d0d9fb3b0f60ec2cabd7b5d45aa89af15279da775bc0cf36e9f7b4df8ae5f4f44e0238ce25

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0cc8fde040180dfe4baeb983a209fbf9

SHA1
8acb3196e8ed3626d8859f0dc1ec94fbc32bbe55

SHA256
bf57b91db48ea3f7af1c8c5c65173f068922c4d90c1a1d30e3374fdf9a853388

SHA512
e61ec7c994af1c034d2e316657e75e891dc279b070b4450eedd6a1c135a5039c54102769a20aba84b9544b2a7e7536730b6baa9d5a98147dce611cc4876cb21e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
2dc15b643ac7beb3502ff7ceaa1d1556

SHA1
1f80c23a21f2d53aa41d441d3a2677807c3d576c

SHA256
84cdfcd0d0b52ad25fb37f08550000ce85056c305e9858746a13d79ad310ff1f

SHA512
f2b112a540d535986c2f13f59f21c3ba1fdc841461acff372d92b7548570440b3270481e5a10325ce2f0353afee4bfedfebb1b3ff32fa825902f00c8ae4c62e2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
72670537863f2d54cfc535c0ab6c377f

SHA1
a931f20271efbf343791f1e404d3b9d8ea14cf9f

SHA256
7c34f07633bdf0f6052e5b891031c900071b815d98c3a33995d34b160465707a

SHA512
3d9c62469baabfb0a57ddc24a9cfcc34cc83f7bb38f63599688b1e966087f3bf2b01e102f70fa457c956503127d467b37216be3abfae9b7a553210f5f9361f32

Download Submit
memory/948-303-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/948-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1624-793-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1624-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1852-113-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1852-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1852-104-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1852-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1852-125-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2140-697-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2140-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2140-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2280-157-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2280-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2656-781-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2656-255-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2792-93-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2792-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2792-99-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2860-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2860-326-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2880-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2880-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2880-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2880-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2888-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2888-700-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3200-789-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3200-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3444-792-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3444-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3488-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3488-147-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3488-141-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3488-152-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3488-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3848-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3848-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3880-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3928-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3928-172-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3928-560-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3928-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3928-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3980-283-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3980-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4012-791-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4012-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4336-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4336-691-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4400-257-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4400-783-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4412-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4412-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4540-786-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5000-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-116-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5000-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-122-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download