8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
Size

1.8MB
MD5

bf48a0d4da6c9cf6d8ebf66577496046
SHA1

51cecbd86040101e00b6bbb1ac51a1944cd0db71
SHA256

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0
SHA512

bbcb366b8220b61a37144dc52c50e22f2a5847bb5f9e1d924af555ea2291d8c498342461b8cd051449c770a8d6ab7a6e80174aa5f318027ee93991725afcc4e0
SSDEEP

49152:9KJ0WR7AFPyyiSruXKpk3WFDL9zxnS8/i3da1YS6ozB:9KlBAFPydSS6W6X9lnr/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3744	alg.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
1672	fxssvc.exe
4736	elevation_service.exe
4528	elevation_service.exe
3384	maintenanceservice.exe
3604	msdtc.exe
3248	OSE.EXE
4288	PerceptionSimulationService.exe
3644	perfhost.exe
2032	locator.exe
1992	SensorDataService.exe
1292	snmptrap.exe
4000	spectrum.exe
4484	ssh-agent.exe
3748	TieringEngineService.exe
1608	AgentService.exe
4876	vds.exe
3628	vssvc.exe
1912	wbengine.exe
2700	WmiApSrv.exe
2584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\System32\vds.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\System32\alg.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df2c1eadc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\locator.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\GoogleCrashHandler64.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\psuser_64.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\goopdateres_en.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\goopdateres_sl.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\goopdateres_fi.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\goopdateres_bn.dll	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4055.tmp\GoogleUpdateSetup.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed6e95bfefadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9fdc8c0efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa7076bfefadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db1dc5bfefadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6eab5c0efadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007052feb7efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe
2820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exefxssvc.exeAgentService.exeTieringEngineService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2248	8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
Token: SeAuditPrivilege	1672	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	1608	AgentService.exe
Token: SeRestorePrivilege	3748	TieringEngineService.exe
Token: SeManageVolumePrivilege	3748	TieringEngineService.exe
Token: SeBackupPrivilege	3628	vssvc.exe
Token: SeRestorePrivilege	3628	vssvc.exe
Token: SeAuditPrivilege	3628	vssvc.exe
Token: SeBackupPrivilege	1912	wbengine.exe
Token: SeRestorePrivilege	1912	wbengine.exe
Token: SeSecurityPrivilege	1912	wbengine.exe
Token: 33	2584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeDebugPrivilege	2820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2584 wrote to memory of 3432	2584	SearchIndexer.exe	SearchProtocolHost.exe
PID 2584 wrote to memory of 3432	2584	SearchIndexer.exe	SearchProtocolHost.exe
PID 2584 wrote to memory of 1784	2584	SearchIndexer.exe	SearchFilterHost.exe
PID 2584 wrote to memory of 1784	2584	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe
"C:\Users\Admin\AppData\Local\Temp\8aa9526c05b726857ceb2d5c765f88a74cb012933fc7942ded686069420cd4e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1256

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3432

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9fd4583d45bb4aa7b40e3721583270a5

SHA1
4cd18e56188640144e6fb6e6e815dd18b5566159

SHA256
cfacd903af9030aaa9b704787064e869a382f2f5194c394ff8965f6c61eab50f

SHA512
b256c044d6f3756c236f3199e12b23bb33dabba2f32e93e91c436ab2117a5a7c6a1342e8a7a312034dd9d92e9b96a9d11cc71d0a9b5d3a1e5110227095374e10

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
31d5e723c81d12528609b2412fc920e8

SHA1
9722dac6389b3c6213ec452286f36e20fd18e404

SHA256
2e870f91638635927c3c51e9c1bd4878af47900ee9ec773e48222814e55ff08e

SHA512
d87e406ce7aee563b5b7ab5d2e8050121e504d400ffb08628dfdd093ac3725e33b6ea50ec6a66dc812cecdc0b362fde23d85475898bb8b2fe562f7afcf6128e0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
be51e65595d779068bec62bb754a91c3

SHA1
2fd221f9b97001aad81e0a9a5bcb37ad78bd367f

SHA256
252d8a0dfe0247cabca52192cd575e36082755c7533d459d17b0bf2e241cf1e9

SHA512
355a8c8a573734bbbc3674ff787511904ee53ab83710f5c6263f6da3eec05dd4f99edb5e9ccc2f7f27bea33575b503e9f790afd5ba7663f852d52faec9c1e3ca

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a9bd22f785f80e7e4fef7e1ca21b2746

SHA1
85a710bba970bce7b0d820b84700de6ab1c7148e

SHA256
4b92eea631b1e186fcb95d87d5317e92994d8bee301b298eac72dd1e908933fb

SHA512
760df24303589e7e7a84a0a2d9f028b708a37d7a482f6444b89fe9ee1a4efb2a6027217b15edd7a02c4baa977ea962c1fff77711db6bc53830cd9edfba497b8d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4499b41b475fa1e8e30066854283b211

SHA1
96d5c0104ed8cd1160567f65ea1db891b6fcbb06

SHA256
c0ef64abc428ccace50ee0bcb350a4117de8f87ce150d7d3cc5509eb75b6675e

SHA512
403b5e9b38a7118ce169f83acc1caf9292f2f9b0d0fda7d7ba30a45ba210ab876c0510240b7bf6bc63fcdaef285511a381ac5fe5c2a1bdb68aa6a420db799de6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
d27fb864957e3e68f90f5003cf7a7348

SHA1
97ab7083034a058c1765ff269106f324a0bdaee4

SHA256
30e57b28d268bb52ba600d2deffba4ad25d6178f5dab2bbb3ba57d53c45110fe

SHA512
c4dee4008338d6bfeab7451aadae4d20f89dcc6770443c884ca72422908f57bafe32b34b762954ae649227fda5f7ca5c921bdfb135fb5cb6992aefc8fcc369c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
3eb54d9bc6ddbb84296357689d7b3646

SHA1
bb4d8eb3f34d5babda40c554978af02b28c30e26

SHA256
aa549e1050feb54a338000975c12e91654ff18743212cf15631464f791cbc32a

SHA512
6d8932b452a3839617ebb5769af1faa63d6f52081507500d4224cecbc21f2bb9147a6d3cd2b2f2261e437559d086cfd5d18f39c89f57d5312c26a80743ee8197

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5db4cca6e512a9c8b9f8da587e146474

SHA1
711e53c88e103adf758cb680aa0a06ed403b7ab9

SHA256
f1307160281a9724fa0497a43dc41284b02a1ad03d2780c35d5a9280950b4504

SHA512
35bd62c8828745a0c6f4bf38e095a6904f2ab1f201f7fed7fe0f78bc8a15eafec3ab272a408281f6a7397929e1d8adec4cdd8da653223e2848eafaf82ae25438

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
cf9b88cdd95765ed49a2c25b8f5d4f2d

SHA1
0d04224237d0b35536406e01bba67d9bd2287ef5

SHA256
26288896d18a8d0794fe88a108abf55004090905fc3d6efa7450e1a48525cbb5

SHA512
f4e4ffc97a5e56ad05aefbe224c75b3a2c764cdaf8f089b45c2fcc3b44126f2e8214e722c04423cfc865c90f4690087da622b997a1244cb1faeec22952541904

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ed599b21f52fb42c571016a0146800db

SHA1
247d728746e040fa838a49cea2943afc4d98475a

SHA256
ac7dd7abcc5e5522d2e2aecb3dd7436501691d19853d034ffa1e395810788300

SHA512
870291b6cb3ae8a1326a230e5564b0c7391629ab503fe633e3d40312c816c092a539b08606f6d620ca83a1425545b7de79373f2aa13da2a578e55a98df7bc87c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ed4815e289314a09185ac08b8b1786dd

SHA1
3cbed6e84d11d3699142c8102274730f89d8f815

SHA256
33ac3033465d501ddd64a5eb521d235c2545e47978d9df052ab7f28095d0fe45

SHA512
1af7e69d756785516875eece4a44529d749fbbd7f543b9d6460288cba2e12a4beefba1aea107824ee8b66a4f01d29a54ab2332bbde266dbc5c7b4d8265953b4a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5909152f3a44f81ed56a0f605a7a51a2

SHA1
5ce08dc0233bcc2c259bc37cc42e93f51a41a6d8

SHA256
a8007b673976d342ba9dd9494f8534461f0be934f8aa30ce3376d800527d396a

SHA512
98772d0fab08f1bd3b7bf49fa9a0557cc0b4b1ff3d5ff14af5b5d0c343ba9575d62a6d625844b31367551fb50797352d2181385ea4651bc1a40d356200f71149

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
ac889c0f7d212b7e298e176e6d97230d

SHA1
90653cf9edc818b531ed964813337bb43e67dd85

SHA256
7ea8847d2a13efeae15dca6103681f889920b6ebc6c66168f1f487ea7d207941

SHA512
ef4ddb62a3cd1021096b9f51125327b7673e079bb1ca251eee3fc8d20510cd4287c890d4cec0eafa4615d989f99a8df7a8eb90fcb845081fb74503db4db75835

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d18e11ffb0c87361057f80298b8b1821

SHA1
873cab9a9b0ac63fe42b6863f691e89a7e1e659c

SHA256
db4a175949dfc1fa433d78821654fbd64f1cc25e5c6b9fd2075041a846ce1202

SHA512
b714f7b34953ef8a324167a64f1abb43f35b1f864f9f05c8b62eeddfafd6a722789a258985f2b5595f3fb19cb3dacbdfbe403c3ba7c7a6b1c0f50de7f10c14d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
41257e945c22acea2fd88bf5edd93e24

SHA1
afac86abc6986642ee0f34aa4d32bad40d370106

SHA256
8aa12d7154b331e49925d074af320a10f34766ab139e526278a779bdbb3d4365

SHA512
919767c7e2a85d26e2b875c21b5cda7998ee4dc9b61fbec968110b596601724472cbcf883541cf1992a1658dec99dc41c89299c6d84c89d20cea011422a960e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
df777ca35506009bacc0fe9412b92e25

SHA1
60bab7937a536e582901a15c1fae7c4a50867e7c

SHA256
32cf3e512d3d251e38c80a8c6df0f363df251cebc1b7b1725807240b0356e495

SHA512
aaf3684a198295edb24b4ec116888789508e6707bc9b76a65bf38917964fffd7a1c42289391034be392b788dd541ec150183b2f58bccc4a0edf5b826846c8882

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
88ad81f214f5aa37a1e592c3ef45f9b4

SHA1
f443ac07a8c3374c923e13f3c8972f33efcaab7c

SHA256
e48f8317955ae4fbd51c18e9c2af736be577d4953b81f9a33e11b7001deb5fa5

SHA512
23c4c8b34bb12dc744812373ca5b97fa26f85061f8e890d2153a80eaf3ae3090844c43387eaca66ba5146e7aa3c5440ae42290b6528fad44083f08ca8d5f280f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7e9a01d034fd7c24f267fe9359d7271a

SHA1
cf01a40d27942877e3bd04c3ccb6b3899e525f84

SHA256
23d685177b79301e672c036c8e4504201de115f2bfbc5328788c988116e2a194

SHA512
18e31d261143058129eb28b675cb9b74a4c7841bcb128b1fe4eb24b3ca52440ffe0649271a6b6faa197ae42a4f376b67b8ab44e121d8698d96a5e3bafb9394ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
297235dd6e04a7750388a943a1a38d23

SHA1
8c86755a9215a6050af1177b9fcc1b2e276c929e

SHA256
8be1afee843dee3996898ab317a41121a457eb8dcbc2efbf795950ae262d4ad0

SHA512
b658c177669c785057f1b08a117eae8bcd497d5f1195eee1d67de11e27058ded25907b8dfad8cbb9cf12edede81ba5802dcf2473b158aef29dbc91e8507e6fc6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
7a8a08331945814096843e6acd7e1f1a

SHA1
b41255e35a1edf8cc2cce25ebc15b5a75ccdd04c

SHA256
72c5b1cdde90885da62867010adf6522186acde537d67bbcb8073dbee2ad5899

SHA512
9b850c21d5bca4c586a427a10c51ca337e11069dd0e8fa34e762d0a611db2cb53b3894c9ac6d8729e25cd46b58857cdeb40ce99f2dce02ffd2b07c037c35deef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
577c2428117a97ce14e4901dbc6b5039

SHA1
47ca592db11c3767e85f3ff5fbf380f0cda8e6a8

SHA256
f6143a534a7a5607ae12f91d1d6c45d8677962eb645d2bdcdef3e97460b99a51

SHA512
8ae9734843b37c0302ea846a0d635edd6cb959e010d8ce0d489bd3b65bc01250dd6095454c3c0b0a5207a20cf3aeb05899e330f656758312e89f43456f6e8314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
98471ee3b47d9671bf3fa13009090e22

SHA1
b4f416b0caed6475ef2fbe259cb35e86e60dc29c

SHA256
2597ed8cee95c9c7a20323bda6ef5aeac73dc080903bae0bb1c73e8c4ee5db1f

SHA512
c81f840fd3e40fdc4fb714fe9f77d8be13a9b9d1ba9d632abfc1cc67bbdfed9062074eef1fafe963408900da49ef876736b74d5800281b6e7c8992596b4ef335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
203920f2961c3c0c4675afbc7873229d

SHA1
83ffe0962f4f2bc77f940ccbe555e3a4d97a2f31

SHA256
0f02da0ce3da1053c34187dd8ba9747a96b2df095347a22142c0d42872bc2cda

SHA512
fa6f386493e7bd37a126b3dc2c20bb618d3b62a15b3e99a5641ebcef2aa71534bd328c1bf5bfb2eeaf01f37f5d2108b1a60c6c9ad873993ceef801b1b6c8b909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
cb3efe645051d3fb1df39bdb4de3179f

SHA1
d5e76e8af1cbeac24f63f1558ab1344b5b284d64

SHA256
2af3f1a6405cd2379b18d9810bb521816aa59a1a3d614b35b5ff20c33f7b46e4

SHA512
61d7b4940322ef45025e7570c636c5cca4484afbe27f8784ea2dc074ab7d495df89e50bc54fa8d6e1ac9b2b719667cdeac99bbf7b69edb2608e8eb8e32c343e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
618232dbc706c81b006a567133413f28

SHA1
9c18ac2f555bbd42799802d988e80afc8f6c38fb

SHA256
07f30a57c944d51ead9c358ce62904922f3c3b39cffc4f7024c7d0099f872a6e

SHA512
dc5dda9b585c61534ca449f9a0d34e9371f22d3d39e7120285d587540b871b716c3ba19a93cf0fa742845bc453a6f0f01c480270cb4f66fd733ed1c372f9be1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
e19fb36c2557599b2c2744c969a5221f

SHA1
51361ae0247ba1a43bd0986e171d531b1ac804f2

SHA256
9f2e9c3f97a762cf718c484343af1afc22abf22ffa5247a772aa0eaa62fe78a5

SHA512
15018900d98dccb39b8290252c156d18907fb207183d0a97dbcc24c16d76fef874fe2d65fd653be2f45883b2c92e0d9aef612cc71685d61e30297c7880695348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
5f604eb1b9bcd4a308f541edfaed0754

SHA1
6ba2f0c9218885720902b6f2a476c0331909f0bc

SHA256
7ee698f36c3809b278d1d31e46492115e8508fc411e1d8bb926ce1acc0ad8656

SHA512
fad1440b66e7c32ea933f4392b8cf3fc638cf3b72ffe264eae5cbcfb71582ad8f4ec8e4d73520588dfb05a85f422ed614d5745dc08ae89edb73a804d22ce9e68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
be86a69d8bb79111f70150a9469725b5

SHA1
b3a9832ba420b2246463148420a3d38554768fc8

SHA256
1e9109a1b724dbb787c916455d203568428720bf1adfc8091f9c4795c92f38b1

SHA512
e05a6333ec70b9d360f53214a7f92e69a8fe254b2960d7db8ac43ca1692e678f51c1bb5d30450fdd5567ea20bb441fd494405f900459e8de55cdda3fe9f0bbd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
df3557b0ccad733e754acc284b83059a

SHA1
bd37cb3918d3e549ae2b5fa08fbe3ca67aae0ab3

SHA256
0ba1e3041deffd8a57972a2e438cd5a744df6bb4d0a023fe1103fc03d7cc4c2c

SHA512
b4d2d2e9ad8d9413b998b72d3f0c3d2d002cf5603b0062de73867cea58d40f0cc9271e3561fa3f1a3fd1997ea705df2b73948197a53615df00eea98b535d2736

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
6474d40d6585ac26644a4f16523cc1da

SHA1
5b6dc81ff633806e92dafd1bc7cf87c52d9d12e8

SHA256
92e2b942bf648f5d936b63240dd211f414df2c9cb47e870e71b26bb1e9c35e82

SHA512
18f4f2625075ac2f48c2f7259b46cde80e6cc655fdf69d14b05a45a12bbae6d7695a54c989aaf68decf8170ac7c51c90f8deed5295051ad7ea3ac3ab2f57cc66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1c85cef827ba82ebe4f0f70f07246fcf

SHA1
f3eb2a3e395cab72f5f0ceb6e3996f7a91d798ff

SHA256
9a0489a6df8c6b1b5c3d9bc041e6d4793d5b4f0c1e0c2146115aea1c622205b5

SHA512
5cc03667b64ca7caf9450feb31e5a9a0ae306c87d0546e83123edd30d17fc75536cda24d11f7d5aaa92c2a1dc60b9f4c65d3f9e1cd8d75afbcb930ca246dd172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
479b817d3047c86a6ffef61da03572cf

SHA1
d447cc30c3d5b816da7cd48c1527528e1263be02

SHA256
d30a05122087570444257e763a7fc6d66b79990ca200d03eaa7257e08d18d5b8

SHA512
c9278e64fe4a61912ae764f31d86ce228bebf9045049bb1f700a2f5d0c1210b797ef4fab34a4fd040fc2fea0862faa4d67af334f2b4fc404ea68f863e15cd3c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a2bf1e932d43a0a79fd4daea213941c4

SHA1
2ec71d04987667ef16e0db8599c78e2a6ba554a9

SHA256
b068322a53fb10b7e4ef60cc8d4768e88486333ccb534cfe47e88cbbea63c37c

SHA512
b39ee657b10317427574e3b6c340552daded75d4cd1e20ff40e3e22cb9cd3d189bf95238757007f90a3596b35010546640dde41e9a406c52ae17525be93166cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
daca14ed30547bd72f0b13a69c6ab990

SHA1
f1366e04f3c6182953a8536267eb0f308a2904c1

SHA256
70e8ed4f69e17cb8bd98141485f4180afa7d4188912d8d25f95c53f93e9ef480

SHA512
90a01308a4f7284a72199fe1367b3537e7df81d0a7121be53589916fb2c05c28b0020707b6e803182d745b0efd43f36910bc2b54e1d1056c110ec8b7ae5bb89f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
e0f8a63a417ef5570eeb5abd5e0b2629

SHA1
604eed9d75e5869470a02ad9e524c5895cd30680

SHA256
77334eca307f224ed5513b0a99647d88f0f1249fc9dc45805d410675a2352291

SHA512
1b3122301a0a4472faeabfae5b302d7936f64b5dcbe2660a3636aa8d1b8f77162fb3c52388dea48edb454e29a7c9b65fb075efd5a199a5802b53da0b60efaaa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
74f50d6c7e0d5983fbb5ab8455139643

SHA1
1d74d4f22f838578448af5dfb12a559f0046ff33

SHA256
dca6377ccecefbe17b49fcb2ca67c8a68e3f17a8f04db55dc1b6a5c6da7700c2

SHA512
96e57e2558795ceb8071ea0058499ce30fee4747a706c10c3741d1b8856ab5cfdf068328dcbd72885065d48898d0d140d7b010e46992daf08a04826060e96b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
204c047403811de5da1a890f08e178bf

SHA1
56e9022746d3fe14ea292e84ecd95849a32a8270

SHA256
f4fe5db11e6d37ca4e265bcfbb94af4c0dd353a78eb13c56c0aad1324a90091c

SHA512
265e231080da671eddf17e2f522cbd44ed517dc52228f66525f1612c520dc33f1e2350a3b2d19530854aefc0fe2ab58649258db39830d446604d06b1f32eeb1d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
06a013312747b012fff269b4a2a12584

SHA1
5f6ef0cd8cea280385691129feacafc682b148ae

SHA256
e360523a1a38c2b6f604d6c8ca646955be90fb0a34131ad51a0e8f756053027c

SHA512
7a6e00fd94af2e58a9b1e6c413d7f1f70040c8b5bcce18cfde81109975d608c284339235980a2f37bdfcbfbecfb7a144dc4235ce64c67ca3fae698e056548150

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
eb23fb015b2ad7038e07218eddb02561

SHA1
ac61bb8c6a04cbeb3eb31766d9716d58ab4c6643

SHA256
3cf8a8cd3a1951f51ed0615d6902c87c910ecb28eb794cbed60d39880d48a9a6

SHA512
81a2c77cceaa580020bb67efd72773e8557cf6ab7d2d196d939d5681580e3d45f22b42c931dbed07c52a36df109aeec406a34e72251ae2178e27999a4dae4eb4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d727527f781786631ad2dbd1964ffc58

SHA1
579a3be2363107221f7f153d90a4f05771974b33

SHA256
0c1f826acb52780ff40fdb18f6aa35c618b8b4a46ca301d6151bf2dc1a7e2261

SHA512
0295f9056c13ff72f1a966d65ffbbb007950424d8420a289ea987d24c01beb1822ce0e46fa20ae79d95b654639349de08b5f85942225b82809d78a5d6e3ca286

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ca7e43d80398247b79bc1f9ae2f19dca

SHA1
12ae56c019b0c292bbcbb20b47d3df0865d0df64

SHA256
478a8bb6bad2e80c15bb567aa3411132f0808808225781403a0d2bc87d9c50e2

SHA512
5478ec85cef10cdb6570344ef62b56687aeea4522fb3bb6a46ab7b523af912212524db62dfdab7c4a58bdc7fabb8debfa6982bf82d3a165b9d25d434d557e4cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cf918d02c2ddc33b15f0e1b1cfcbf6c8

SHA1
98d1e6b0e755b2830119fed5fb7f545da00ad03f

SHA256
0d65d0b6c3c70fd8c3ec1f14eeada1f97ca8882d89342c2fe32596f738c17c03

SHA512
66c4ec7eeddda0966a59c2a790a74b1bca407f98dd28a15c3f4d25f9f0387636bfce875b11b2c28eec03b94fbb624d1a1ff19d01e3a40d5a68f60a37eedbdb13

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fe26c43add986d42da253931570a0650

SHA1
4ce040105b00a831e1c83f71b76bc027edbc470e

SHA256
c068bdcb9a3ecf7cc135fa7ee4d3b6b7514960ea7fc23e5cbadd9f0726c3e0c5

SHA512
6a98d21c35dbb0cadb0bad0a5a94f4b389ef75568d4b913e89666598241ae2aed5e23e6fa5e1627e84721f85ab285af4863f417c2570f28290ab646f109fea4f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
6a0787c0f7406d17b8664513105e2a60

SHA1
f71c6f66e092f1b55259090accaa73d469fc6c88

SHA256
0e4716659260b04831fe3cb0e2b721968781fac7e540862044b862fe9317f178

SHA512
454449cd3e3ee250c1f4547deee848b08707bce9a27028c75ecc19078f7335e0628469ed847ebb443ad6dc19fe5ae770ab16dbf2c503587f80a26d27ebe19389

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c5aba0a92f67eb6d7c12b2d9640968ff

SHA1
fe9d9966e4c1e49f36a78d3979a6f1ef63e0dc74

SHA256
98494742fa2d3f107906120720bbd37ba547406a14ac96f1975873c0dbd8bfe5

SHA512
41d49939b66f5f1bc782cd14010c74573bfa5a3594b85ba43a1fd1be978783d1173f6e4fc0a55e9b4418624322a3a8718dd72b01e6cb2d739b96cbaf9e59f3f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ac62d3cbb0f200f5c89256a11a4ec220

SHA1
4dfe2244668d19a989b6986e64e2595670e99b04

SHA256
33647d099979a7cfa64375e205fadff00f7e30766bb242e1a55c8dbfa310b8f6

SHA512
4aff27c72a9866a81e02e5ed99f649afbe309fce287c9e109b8a7e58aa35f73f576d22cf61b3ca4aceee10f00736d874a927f6416fe3396cad6c33aba7cd595a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
654b2e3b6bbd51ce4ea8a9247f3bf4ae

SHA1
b83602296fef305604ce0d9b0746e5fab727b1f8

SHA256
3afa8ec64e08527e9288d76f87cb2edfcba078f6e6c63ba0975d7249af3ba91a

SHA512
fb75ea03f7221e4501c22d9e872afc6cb4270ca497268000388b2ec55f64edc2338a33a55d02c3150367504741645ff599f77869f1d0f5de86f7647cb84fcfcd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7f0ca5f08be70e8c1e9c1d8c9f76dac6

SHA1
90170b20ff7fa54e896f942ffa305979371c450c

SHA256
1a53924a9fb4f06b1494fdb745637fed0fccbe0b2d98cacd5af46a439d0a6e4b

SHA512
4c460202f33ed5e8e25f3df59476100d12ff131808d425719b6931f417254ae3ef76886150b0bc98d9508c8189e61fa822851492f4a3c90564d5b53b65ab7db5

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
22d181a208d441394c568e000a66f036

SHA1
ae23658a35b42fafd6d45906d52f7fbb64f2badc

SHA256
214d01a7029f087d4f93f21cef8466ed7598f5e7b97d361dcc90f0a5ee405500

SHA512
46f4e2caaaa1463b2276eddcceac6088b89564e7988c61f90ff15b1f2314b45164570d244b38745b9291cd82ff43be94d9c29d9d6cf7b6bbda9882a458e65402

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
9301818f2381a1c4ba396da64cbe93b3

SHA1
c094685b299bd964959f86b3dea44307f5661de4

SHA256
f93e9505a41930fe56bb1a0a3ca205f65340924b095617d5b0778476ff5a1345

SHA512
1f3f3d53c547f2680c11db0f23b2d95a4a2eea1e48aa3e0459e31dc033e43d681281b4278c5db49c646ab02d3e1b5afd9ca71f956d8199f37b130fddf422281e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
2e185664942fa5a29c49c57fcd5e5737

SHA1
ae46003680e2d01b834cff3bee660eea953fad1b

SHA256
a34be20232af60b7ff6a99a0a25716c5ede01ff3e708c9e672e82451648d101a

SHA512
c39ae8948e3c92327c65e15b5b74831c553a2455ad60126a477afa1764637ba80c11d566f4b1ffec48baddc826fe885419687abe14c9a104b15d2c3f84f10c05

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
46d1849af76e4081d5ddbec09b314626

SHA1
2289b5acd5e4a2cf780f979cd2ec9d84df41ba9e

SHA256
ac6a79d08bb0566abbd96ceb35a1a12a561b75d26f2e8e0cff5e31483334cbfc

SHA512
cc551b7850e4ec07adc46f0292417067d8e47b09af601865cdd64819865095131174f9d3d6621b39c5ba94ba0902ee63ca6c06055ccf3aeb6b2922771ac802b8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
dfefbcacdb23f454219a9cbfa6096a91

SHA1
5fce05fc94ff8942156aca2c296d8bcd0982d12d

SHA256
97e321a4495d90660c867326847210d77f8b3fd237d025c433dcaa43488bdbc0

SHA512
334a1f37b8163708e40d6debb5d74572b5c2dc6f3b35def04aa6ce757d8f9fa559784b538b2462de6f087fc0a4320e85f433f92b7ac90ccbd23cbe3f662b5ff5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
5d29cf0bdf5b8d938df7f4a7de73189c

SHA1
02a7dca6832f11c7943ae1d69bf8aad7b2d0893e

SHA256
72d380664515ac73116aa2d3b744783139f71dbf96ec73c2231d4a27c3ed4028

SHA512
16daab7f222cb703734fca5a8bbe2522f298d44f7c750010fea6d170c67c8188be5c800ce08e54d2c62fc9d3896bd7a1ff286fa2c204c4b8dd2fcf4d250e2e46

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
77ad2f29d6ee47807a24a87c69646549

SHA1
5bfdb204c82ebd33cebb00a4e35b3c2ea6a6c22c

SHA256
8f0a61646f93c625e4ef77e5be68b1854a5f37190699a3fd0c00f2e1e3167e8a

SHA512
96caa14563c653f2c171862f9aba306d2e73273b1570b26387b4f42cc2a06d244d0926be96490f1e7d6ad8862201c728937d3983411cadc72963ca7d009856ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5997db9e49c7e6b3b3a7ab2afb44b5b8

SHA1
c78014bb395a0382b42033a5e0071f0a279a9322

SHA256
651329a92302b863d7d07fd66ca6b22e4d3235975185060ea9a113b4613bdfa3

SHA512
9f71b192fc25707e5e615464a60056f8cabf33389ff295a7416bb330c3a42950d7842463192f85a4c37730f215c03b6f5c6e821f77e45b8ff9f5473e39e8e389

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e402436b669b59dcae392050740275ec

SHA1
6c86572564add9a652222701e56b4c480b8ab2a8

SHA256
ee4ab5f446b4c16d1236d93d710eff99da7cd04dbdf297d45bdb0d7f823e2cb7

SHA512
9dfa2400b39d28c89812f5198c64a9a3a71ebfa998274f1f35112882b1f792d87ece26f37d4b07fc3403117a608fe8f510064b0e4ac387873c96460d350c1b0b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
687497b3d182ed180d27ab8c78bbf0e6

SHA1
bad901dd01d30e8a2208360b27526d859200ab39

SHA256
121d6cc240c0922785697ebd0f9605117d022166284fe0cede0bdc358b62ff31

SHA512
c16d642b28e2b881fd3aae8f6680092be9cd1a22c6af6314d6014d70142d1665a3201ea976f81df80f9a66bcbfc97982257a6c664ad8ead58a78f27015dccbad

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
63e4c98f7321fc5df4c361643f2da9fc

SHA1
7188e6af2b971287582d03db671991b0e5278469

SHA256
a2dc8cbb8c962c145e3cb87333e3eee00ba80dbc3af9a52c0bc5af444eae45c2

SHA512
1c12c07eee1e7b8318617090fcec36f878eb8c44136b2e22dffc1baba30886ba7a7e8256667d780b4d7737b4270d39fb417408b1bbe6097af52125a2a0338619

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
be009179a6daf0f3091634659ef65751

SHA1
290b73ecda3b2d83eb1626316b2ab936bd7acb06

SHA256
2f256ffb3a09645e477131ebd7b92b07dc08732fe8399c1e94a03394c7256503

SHA512
10d510a5f1098b7cf0b2ea2e1e72c121121a27b03c565cbef34242654a3347724fd85639a92d1c1f7a6db30839c219d2f2898461d8d7efba7d82a39fafa72d7e

Download Submit
memory/1292-252-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1608-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-114-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1672-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1672-106-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1672-113-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1672-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1672-127-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1912-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1992-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1992-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-219-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2248-179-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2248-611-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2248-0-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/2248-7-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2248-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/2584-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2584-777-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2700-325-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2700-776-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2820-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2820-66-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2820-67-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2820-69-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2820-320-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3248-180-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3248-656-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3384-154-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3384-143-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3384-150-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3384-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3384-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3604-655-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3604-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3604-159-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3628-775-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3628-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3644-218-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3744-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3744-264-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3744-21-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3744-12-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3748-265-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3748-774-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4000-771-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4000-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4288-217-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4484-254-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4528-654-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4736-505-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4736-118-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4736-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4736-124-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4876-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download