fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
Size

1.8MB
MD5

9746350d69bea274116d4eaef1017325
SHA1

76dd6e99baa07b28cef67aeb306c1c757c0ff2d9
SHA256

fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c
SHA512

3703b9e42aa0137c46893d421a4e0a4868ba43118f43fef0dece76b5b1bf9074b0858c2ebf4791789715ca37594295f6770a37aec25af196d747a73de142cede
SSDEEP

49152:NKJ0WR7AFPyyiSruXKpk3WFDL9zxnS/isGcnlQHPxi:NKlBAFPydSS6W6X9lnOnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4000	alg.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
872	fxssvc.exe
4152	elevation_service.exe
1456	elevation_service.exe
3180	maintenanceservice.exe
1284	msdtc.exe
3088	OSE.EXE
2256	PerceptionSimulationService.exe
4604	perfhost.exe
364	locator.exe
4332	SensorDataService.exe
828	snmptrap.exe
1856	spectrum.exe
1076	ssh-agent.exe
2104	TieringEngineService.exe
4200	AgentService.exe
3344	vds.exe
4944	vssvc.exe
3196	wbengine.exe
700	WmiApSrv.exe
4868	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exefbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dad66cae293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\System32\vds.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_iw.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_en-GB.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\GoogleUpdateOnDemand.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_ar.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_ms.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_et.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_ja.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_no.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4E8E.tmp	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\psmachine.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\GoogleUpdateComRegisterShell64.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\GoogleUpdateCore.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E8D.tmp\goopdateres_sw.dll	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exefbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000955395ee08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021ab8fef08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dff02ef08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d65c7ee08aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82529ef08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000872267ef08aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82529ef08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9985def08aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe
1580	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	208	fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
Token: SeAuditPrivilege	872	fxssvc.exe
Token: SeRestorePrivilege	2104	TieringEngineService.exe
Token: SeManageVolumePrivilege	2104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4200	AgentService.exe
Token: SeBackupPrivilege	4944	vssvc.exe
Token: SeRestorePrivilege	4944	vssvc.exe
Token: SeAuditPrivilege	4944	vssvc.exe
Token: SeBackupPrivilege	3196	wbengine.exe
Token: SeRestorePrivilege	3196	wbengine.exe
Token: SeSecurityPrivilege	3196	wbengine.exe
Token: 33	4868	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeDebugPrivilege	4000	alg.exe
Token: SeDebugPrivilege	4000	alg.exe
Token: SeDebugPrivilege	4000	alg.exe
Token: SeDebugPrivilege	1580	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4868 wrote to memory of 2060	4868	SearchIndexer.exe	SearchProtocolHost.exe
PID 4868 wrote to memory of 2060	4868	SearchIndexer.exe	SearchProtocolHost.exe
PID 4868 wrote to memory of 1720	4868	SearchIndexer.exe	SearchFilterHost.exe
PID 4868 wrote to memory of 1720	4868	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe
"C:\Users\Admin\AppData\Local\Temp\fbd9c8d2ba36b3bbbcaba6c81fa33238a8cc32dddc0377044993b83367c6341c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1856

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2060

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9048ab7c73e7eac5e25dc73a9038c7ce

SHA1
fe63abd4b882fc0409211d2e72eefff93446e362

SHA256
5d47e2788b98fa9a4d22d130cb389b891f736234b97cd2936bd922fe0b6ef240

SHA512
f8b0ed5cd86ff71dcce215c532b1144027db95b737cde432f781675748ed8923dd0e7bbd24d6a430de70485b4dd24388ba820f8fc67e923e75420dbc0536b272

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
e317e504b03f2fb15516f4671f06dde9

SHA1
c29ba6e9aa80ef8f077e714efb78f9e1d9e8c804

SHA256
e77922ac143f8a8a9b0ef87ed2cb9f0191f15f97e9e6befec4307aac86fdf8ec

SHA512
9a9f9a67bbd4601f156cdac0777083ab122dc59264cee9ec2821f07639de8c2870d9fc6ea974fe685108c23e8683d58b0c8fad71aa171c2e7dc02b2df90c4d18

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
7810f43e3d74f2687e4e40a9b1121f0e

SHA1
7b569dbabd4f76a6e2ebb2776141aba6052e7b84

SHA256
725dc94df38020e5f25510dc2146ec0a8160ef92e0b228d3a29e3f5b5c14a285

SHA512
2b3e264145d59514f7e17c9ebdfd8ad1a91bc91f00d3f25f6a729cbb4d465e81d9a5d02b7d1c19bf50d530d2f8086162134f63e0c274fffc2d4156fd7003a82b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c2fc31dd04aba4c5db04ba766c8c3d47

SHA1
37cd66d2fc77603aef4e68ea3339a701e8f76021

SHA256
10f8861478c9b68abbeefd092a7ac93d4f92da66b740139f33c1b685716bb90a

SHA512
c5d6bc5c5caf26349bdc1be720ecb54098530d8d5388b5fa57c9189fbcec26c747eacc72f2bceef8f7950f64a99a68a8ea0ff093ba346befd8e18ad672b716ef

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
160bf3c87e838a32bdfe0380a69834d7

SHA1
9daa9ea2951270a0d5cfe69bd21df8fd337fe257

SHA256
3de1c169e969a614b093aaa2e8759f0d66ded10d91fe8327557b095b31695608

SHA512
310f2a396f8bb4e75578e73cbcde59f4db694005351df1fccbda6660b5dd3ffdc700e09e265aea8173eed9110645fb420e6be7b7f603e698bf209de71f71da47

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
c9f5cadc2aa1a59bc1a6c7fb06b5820c

SHA1
5bc2c3cff67aea53dde63efe3b296b0bf5d67d1a

SHA256
a5c442eb512f6dc08d05eee26d8f1498123f4e018a12edb04255cef479ce80c6

SHA512
0141b0001440d5e8f81b8eccf862b7e850bee8a1aa0ab9130025757bb22bf77365defe123c134a96c181cfe613c23cbb3a27a6c8cbd1de581b51a0e5e9fee120

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.8MB

MD5
afa86f7c3df281d8e1daaa18077d6973

SHA1
ee07974a87a1ccc4f322dc1c3c21a503112c9c8d

SHA256
e7c04affc8ac5b5d40408b7047533792af106f0d2de5eb0eb8a6580587f76c95

SHA512
8f75eabf61469fd2e17d9eda8bae6b76934747b93a528cde35a68d1ad04a37b5cb74665fc1b98058eb80858954b4330d793b453789c8bd1d0612d05641df3c06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
41b4a3fa3a1140c2e06485ab93c45b78

SHA1
9a595a2602b3073b40d70d73438b1cf81ceefa63

SHA256
ae5470cd2a258d7eb3d3ab500ca120a9d6bc01918415c4b826c1834e8a00758c

SHA512
bf61d082933fc8e7a0608f825172d0767e69ab05ae9f5059a97d69a64a855eeabf49296c25f378897221a6c3241d5a94f2a9f7138d3fcc6c7950b8fa20fc4ce0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
4a38f86733d4d53e53cf6ca0699c6161

SHA1
87cbc4cb786c547a454056b2cda1d455ed3af786

SHA256
170a00aa95bcaabb389658820b3a4a95b1dbc276ca17b99585b628e3ab5eb1a1

SHA512
882eb2e3599dd9e8b9bd365d66eda44ad593c5aadc2825950da53eaddfde9b16b76dfd76dd917da7ec4389dc03801ea7b35c4190744cf5f260e3b0c2d33e2bf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
21601f89c0b90a5249f026dbb0875430

SHA1
732e5af558ad24f28d8873a45edb89551aeb3950

SHA256
9a45725a0d00eeaa5a704f970a51861fbb3f935be75eb32042b1209e5063d12a

SHA512
e62bec320046d1799d77e6c99d8cbfc85d605ad33ebb05e7447c1d10163af9d341d18c0b65433c0d739f50021f440a2aa8dc1f040581d1596459f394043378c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9041d47861ed5a4585626bfae5f670ab

SHA1
5c894d9dda324279bf47448c27a6520bb2bc11e0

SHA256
1754c493d87fcffae642ef30d4011e38acb742508ce56cc149d64ceb2a398e43

SHA512
1da5a0523f93ef85d4c9a50516a9f4423e796b64e7344eba5d6f76c0b288273e75411c0cc0a4afbe1aef3e85fcacdf56502ac52ac160e64e8c7c6787c12083b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3ef391e8c8761a45e6972147493e1e32

SHA1
07de79ee09c9bb464a4fc22eb0bdb2d5a34cd96d

SHA256
b02a202cf0246af302dd32caa2d29466a4cdbf66e74926fbd4217a836e4cdf6e

SHA512
2bfbb5df8ee38a17d6623fc14eab578e194973db250a392be18e7a733bbe79594a23fcd600bc40f4f324c5947d4bd4236f9f72ff8e3dda7d9e36140748f6689d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
be05a634a21b5803dd4144f1bfcdb619

SHA1
e76e720946805b545efce72db09c2cd7f536f01d

SHA256
27b108336e8fb97d4099aa33f610d4b57f8f38054ea72b6c08c3928e8d1c81a0

SHA512
c386b01e8171cb620ae0c47d6cc6356bc8b49298cd0ecb5dad560f8020730e6448779bfcc68f8af884c97f561697bb00cb5927d3178b72d7f2a3a044dc0e7d7b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.6MB

MD5
e1eacd8083fda5d8eeb04905cab7f279

SHA1
92c71a17dc72b42cfcaa448ed705cd7e213d6a15

SHA256
2056db90c60ef1a26839829113cee8a0f3c1aea33f42329e0527f831c85057d8

SHA512
a121309297a4afe8537193b6ca2009691f7b7d62cdc2e205f4533c1107818090bbad3db10b48d44603f2b0c435dc96d2f244cbb1cb8ff0e47fa9a0cc90cf3be9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9835ab5ebb069a434b72386aebbdb3a4

SHA1
b24319ed89917cdf47a7194372981ab2aec9eb12

SHA256
352fb3762c563186152b331423a5153a402b2d7a039c28e06ea43b4471baa53c

SHA512
abc1831ca1a0e905e009b398af54bbacd3af217fa721e055042593fa4fc64cd6b55b614115e6daa7ace09734c95d8e4707f0cdbac6e90fe238668fc4328d3bdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
055cfef7a96c40905f7c93f986cfb2ed

SHA1
756cd28484faf378d825ae253a2f4f14ab0a76ee

SHA256
a7b69cf9cca87013c1c77622fceab012d3361e84d08b4a8c5cc46f7befbd9554

SHA512
6a6f095366fdc3ce8045f632c800f44757042064f7a7dc778facd587927c4870a75eb7e75fb16c33b7d901478af1f594a4e068567f4f399d59470d7284847ad3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
8335dbe5c14077c86a2b7429fca50abc

SHA1
2f9c4f1f72d3b30573d0b6fd8802ec10bc1f1deb

SHA256
f7576ef69c94405882b6e3441fc9d43e9f073e32c7159b169324b0886c8799ca

SHA512
05dcc81893a37cc2fc7a28326449093e0ac4f01b91681b264388cbd4ffbae7f0df55c9a73be57868af8e17cfd55b933d6a9dfbb96f2aab7f8b94165740000b7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
94ab82b82ed3239bd49dbd0d56a13fd9

SHA1
65653cf0d52349e85f5deaac5652e9a6e1bc10a8

SHA256
7b13081236f2bd02241c184b4fb532d61f599f3e96e19f0f71e311466a05dfc7

SHA512
6f688db8e6dae85075f451f379be70f8275ce46dbf2dc232b80ab0e4969866d532fb1bdbba25c2613d4af86b4b8596dc8c6ee8726f9ac1b6a5cb2bb42f3b8eed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
adbc1bf474fc07fb467307e3331570c1

SHA1
b88262cb9fe44bcc305956c939435f9b50346963

SHA256
13c96dca1e598d484acdca1e9014f0bd33c1533ad188fb36c749e8f881747e19

SHA512
ddb2e93549ec0d43d553cdfc6a683c41bb7578f3fac21d71bfbd8dc95318a85a7323d378ac4538ec49c0aa934fb0b559e7d882f8b0f2a3612aec3baaecafd55b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f750efe30eebb1509b0e7731ee575687

SHA1
87d84712ee546765aff8a906115e41d58cacf49c

SHA256
500b3bb8b37c64a7fa5be5d7d4254b99b0e487ae43c1851d8c2e1007e127eeb0

SHA512
9c3dfc4ef819674790ed2df0772c290dbb4375a08356e9c55cf9b7706e69c8604f9cf07263850903f1b3771d0c5008425b1e7e09b3023a55386d85a3382d6369

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
89a5962e96929b01068de61e5bfc74b8

SHA1
5774874775dc34db9804149be2e666791441419e

SHA256
78998e56e9a8f76ff3c504139b5fe9010dc3ba66043e0c5bd366292f92aa43b0

SHA512
1f30da3a989097211b19c1c7af2a8416da7382f5d0f1a02604e28733e2257b1020bb277224f3a849826dd96537ef84f2baa26291bb63e8bf11470fda38ca4644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
643e50c38c951a318f4f7839bcf63636

SHA1
1c8e827df9c604562c37b7afe2e2e95a9f154df3

SHA256
789c1ec4e64f4a72fa39da07a96ad1a6a705f809b847231903c06e4fa5de8a6d

SHA512
fa1ea639d77e9afac05879a952211d71418ec8edf031741cd61e6228c4112cfe4f80897cb185c12d36620a36886bf83c004145cb32497a66d18bb2939a634606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
4d83bbe93e3bf5006fbb58a6fc6e4ed9

SHA1
03535032a90017c7f43e397075668b6fd1b4c523

SHA256
f12491d16a3dccf749e341c5271fb4343358d6c9928c318f3dc37210ea6bab13

SHA512
ce0aadc4b417b29eb1a73a19b9874f80a161bc4c91ed41be43912c01d9fc1660890ca02ab494b4d784bf725941788cbca027ac343474be420c785b2e987c1c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
1fdcc290412aa8206f4106c534d9901c

SHA1
ab712a3ab1bfff52b3551160b855fa4bee56e13b

SHA256
3ca96b1b47f10742ee9bed8db560655e6a1cde92c5557a8871584850e657424f

SHA512
cfafd32289d3666b115a85a926579d8c34cf358d298998c432ddb5dc2a8b0fe7df657274e42395efec824f46af38d1e2b5837088a002b8ddaf4aab2ecd61765d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
71396426e86d8fae5e9ad1c109fd90b9

SHA1
1a35123683620df33c9357816de06293ea1c5500

SHA256
e371c8904d7b904512f94da53f4c7bfbed90a1cbbdfd6575ffd5d78662f691e3

SHA512
5d96abec262023c1a9e473b611c5f3beebdcb627a4aa53d56ce6c2ee936d4c1a135446d8b4afb36d41c4110088c823156822e5f1bde95b0c83097cfb96ae2d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
02aa0f46617cf338a3bb2f2496125d72

SHA1
ee72d4d97ffeb45df3be6d829292d36cc5e811ca

SHA256
7821f5b64dc9d2cd6ff003667f5ead6cef8368c0d6c8561092ee74806ce15086

SHA512
d8db17e4a6c25d2396359f9e815f5e1f412731b2b7ca63e0c4026a7639f8aad87e364b7c1215c16f708598ad491612e80ac49fc6f21e79b67888a963314bae05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
e9f8cc1bf08ba03ffdf825fe954174fa

SHA1
c5c8d978a580797cc9c3c56db58cc77fc8af411f

SHA256
eb2ed46564d30a3914da84dab14f58867733c41409d54f2273e4221df7246290

SHA512
216b05b0d2d812834bb3df99cbefcf151393180f52d4bf6c20c00708e5170300744f1589bce327648759d4473f21c64a59c2feba959adc853635ab4a532a3f25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.8MB

MD5
ce3bd8b428753c27da666f15fba9dd66

SHA1
e750c7177093fffb59799958ed789f6aadf02075

SHA256
2d54b4b5c87c1eedeae06aa79f6477b456068318b3eae00133d8298b354f9b30

SHA512
ed0876e33f6280134efd6d7257befeff13084c2cd665b020d73c5a1837ce4093a1e20af525a6c4ab74958762f5b15c9308486eed0e7232cc174e7b46ebd5e160

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
3974ab9ed002c029821ed817759bb941

SHA1
cb9f44a077eece1e5ea9e6f3a244e9e9f2bcb2d5

SHA256
e1d4fbe57d391293046cef6229ba7cb79761f56d67177c50fa41e270ef0830dc

SHA512
d73841f7b23780ac9609d0649c32be9bbdbc0c4b8ef6128c9e7cf2394594ad4143b367d4bb7efbd3fc42dafe65e5a66cae222e66976b04d3046ae2721c3e57d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
889ffbbbd8d4a523843e5e2000de252d

SHA1
d94cb76f3eee12bac9cfbc7189d1fb87122024a9

SHA256
3ddf217883ee4f6c8e31704a0bccebe97626ab1f67b7f28846739f7fbbf8715f

SHA512
76b70d78c0120f91413bb0bf64c063f91fb9c623cd8cfa13fc1d818808b971b50a3cd60b697bf07dd598a2ca1b0f58816bf85a99bc595e901c1deac4b65f0d00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
b6d0a5db965545d1e9ea7167fcdfb4cb

SHA1
96e63133334113afcb9ed847ea4345460bedc620

SHA256
cb31634301dc3dc0040417b8983262d4dbfebd3dd5a383711e7bce948bb158fa

SHA512
bf7e3f19b371929d1751d20629c082f7d0533f1018111eb92cc530afb730378b050ccc9c279ebbd19dbbef26b8b26048d79483e0f4ef8d57040b3ab5060afcb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
c6e57ef2db23131dfd83471c40ac45ec

SHA1
76568f692c3f1b67a15c7b82cd484647169d4d45

SHA256
08d102f5f2f4396b90cb1dd74f5c4ab4d2ed26f9c3bed88dc668277bd1b087af

SHA512
be43da6ad4c2ec45218bce9f596fa1b924fb380a448f4e0ada33216636dd6e873746123eb0c8134f1f2a01d20a81a426c3d4b7dedfd7be8ce7af773f83dca3ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
5f8339a368114f081628275500482b11

SHA1
f3d2f53b6e7a1b7a2a35fdf28a2e43c541fb300d

SHA256
e85501b412e181a034f8c063d7e3f89178b4cf288f2ac0382d8250ac0806f862

SHA512
7a9c5157d874b6b5e080e8739e2961e2a75ff4fb3878ddbc9250582acc2e9b82e9e7c31d11019ac3301f35d55ca324aeb95050cf2632654b221ba8f97951cba7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
d9f273e82467cd6a5449892c44d09576

SHA1
d0810c4497b212d29c5c1e2835f6d638e7dba693

SHA256
1fbe7c07388a13ab5bd261b3ecfb24ad144654b51c5d9d4d5813bf88b9c2e633

SHA512
d02dbe0c8fb5500d7572a887b34f44e59c4ff44d73973f2f9f9858436ebead4dcdeb006c02f2347abda97498d1818573a9bb5178e608f99c2bec5f5305f2e154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.8MB

MD5
34ca3a4b0541e17f52158f8255c95a03

SHA1
5cfa9cf8371c1e6f416e8f4975c9b220c1f5547e

SHA256
d8c4df9ba9d36460798637f317f4d7fb54f6c7ef1ec086c50dedecbb3e465b0c

SHA512
9b781503ef039059a8006047ec149c2456bb9f12288a34d9e97c6a34514c9391bc5c15bc87566964331770d82e99f7316482c41b65dbf8e08c6ef0a7f92223ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
035169b9379a64f6688eeb82537719b4

SHA1
b5d6c30d01a14f7136d66a532ec6b1425fb45bdc

SHA256
1d2d77a58b6cad32bf0ec46be4fea318eae1949a70fb5033870cba14675b9ac1

SHA512
5bbb6bea715c20c4110fb026ebf8d19b734d120868e97788743b6dfddb0271bc2dd0f0e0b1a1a152b184899dc46d00b5fa18a866e7ee5fc073ea34f07ef7d0d0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
482a6b3cfeac0c64eee9fe65f9b57fea

SHA1
2a48d9cc6935e98e04db367f4195131196d936ca

SHA256
12589f6f1c6d120092d012d7bcb058c20fd5108417322a134d0e0dfcee28504a

SHA512
d6459b51ce79b9e1595542235f0d80890864fa1c574f20de181ee8b17a5a2bd7dcb19e6452dcd440ae77cbecc02344f47450f383006e29606357249687b573ec

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
7071135a52faa486a8e6305feed8d0be

SHA1
ffba3da58d78fc1d2e7f3e0e506bf81a99db7ce1

SHA256
a2ff348a40fe2ff3b005ebcf67ef25f7b53cc0ad728bfdf1d81e8e5c5097fa92

SHA512
a0373b0cf506b774d1f6f3137eee0972f1bea2dd886ad1a631904d5a4364c416685fdab3ef5b751f096ba6d6027ac6b86d252835bf7e2797608c817c8e022b6b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
900004b510d0248d75d239a7a66abf88

SHA1
b574b7738411af7ef2fa1f634ffa60643681e1ec

SHA256
99912467b39d291468dce3629c1aa2a40a9cd00b8f1d14de2a1db611cd10ff91

SHA512
d64f0a6d18a68fc8f2b190944481d9d58d169c7c6fa70ecfc03166911a4120b0c71275e24165ceedbafa4953b6c29562c6fd5d7000a04ba33c5111f2811e8fd2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
68a7217994e4f13b9dac962bd7c37908

SHA1
384a96510637121cb9d56dce8445c6f45679576c

SHA256
ae41ece1f1806f6365fb413ff2a88cc295379f6c827fc2ec03f701e3367619a6

SHA512
77992df9190a57a6769cd5d3c3c39f458c2156013bfcf4500ce9126c4aae06bf6737e69d26bf3561d02792be1ad9fa5afe959f9d9174ccbcfb802fb8196548d5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.6MB

MD5
7cb9ad69adc8f8a6c811f786041c3216

SHA1
d623f93b8b0350bfa5743c5b783d17cdb2aa5ab6

SHA256
3515519ce72a2766cc8197ceb5bea79ca6eaad4624536168910e144eefd1128e

SHA512
fb9fca48fa05e01c6c935cf8ca51c073f684e95c4b32a5cfe20b928e1e0962d4c62b72736d30fd1569aa6b40533526da9a4996fd56ae83ccd1850e9f48dc04fb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6b79439b260846c03a7b5b31698289b4

SHA1
b31e4665db1c369e5e89504cefcba876dde970ea

SHA256
7f1a3c8520c51104c3cde6a433a110d0f8bf3f6f82a803d3e9255bed7cb4efb4

SHA512
0f3c82d07a5d870bd83c0e7719c8170bac69a97e625879f37ed8b7cc05cc95e6627fb8af4a3b7860779901b2463f43b5d699da311c2e2a085dd5d37b33bfcb72

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
30526bb7327dc10da18250e0306ae0fd

SHA1
0a3ab840d5ecf6ed20fb63178e7d67f7e85c21a3

SHA256
f1ecd2dbf5ecf578de05b9f39ab946629a0bfdab5a9854d8632e5e2eb93d504f

SHA512
84afe10c847821454b1d4c7ec9981515866c39132e5904b16259b1b8c5d3c41c5cafe842295f663520ac89dac3766e1eeb7d63505f17d0486261d8ebf6816c07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.9MB

MD5
397c09dd6c3cc9bdc4dad39ebbc4c817

SHA1
0ea742d923d22511b973df57463e9d03cd43928e

SHA256
241461682d366e0f5705b2efc600c6911ccf05cc540847f08225045a938e4083

SHA512
670042a8fd90fa019d93d60b49ede9ac8267f976b25a42ecba7877ebfbe2521775c90e272b6bf77077862b01ba414c8f3cf481ec63ca1e71174dda04ef1a5866

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
6353171529ec21d984e31456e9cd4657

SHA1
536859064dac8c92560aa8679bb911a687e71d86

SHA256
f15087dc228e225c32bb92ecf8f5cabe850f2281855373726d6ffbfa649540dd

SHA512
d72a94cf2cb3289d2e31d38249134e5f36d146499e4e845b839c632dc9613edd1b54ff380f313c3586f994e0aa17bb7a65861374ce865d7de97f58f58eee8ec2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3e8facdf5b34db8cc2bca6708a478900

SHA1
bb84cdffb6773a961bdc7a5d5e85703a4469f11f

SHA256
92284ea108baf58ecf7160e568046a8d829fdb5afc07a740ce5cb06b11fb2d44

SHA512
1936dae0e151d0b4710ba5f8f3dffa8c1b24a80b9fac63abe3e795c02b0c41c52e93b6168a6e82b25f4eb231599a63e921aa634bbeb03c665ae8bc529fd505c4

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0ad00f67c83509a34b1e6a424f7fa185

SHA1
7f12758a10ec0bc3f3a8896b910014ad1ea0b25c

SHA256
766f2c937d5bb58e97bb8fca28498bc06785bdd8a0c899431d1f212ab778cffb

SHA512
b10f0aaf2f815de1e18379fbce5151f7b89aabca08deb2b927224db0cd4af9880f6b5f40d059f13c17b592e37bc04d52cb8fd559fbbf666e9e55e3800f5fb321

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
99cc3446943c98138c287282f9875630

SHA1
710ed7cf04053b737d81770bbc941ab92e2c5ce9

SHA256
5f5a146740ccd88f24b90641eb80c49bb15d13ab35ba6e484875dcc25226f308

SHA512
c5e4638033fdfb3ebec280f3d5b8eb80d7a41c7a6bf4906a3f73e1b86d73a9bdb5714733ddf651226eb7678c46bdb7ae3725a795be7be501c406efeded96adf2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
9f7fb2c4a03c114d31faaa7ba980c8c7

SHA1
898822794b55baff6e5bdb9266874d02db4d5139

SHA256
402926d003b1380d0d59f5e5ddd0a8e70794f2b83da3ceade7167188f9fc3abb

SHA512
8e250a059fda4fd99518eef970a31f583b449c9da93965c69ac4049728df34b22a596a588a0451f860e949f1f9a49e3a2e41832c7bc7fb8952aec748a1089732

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ee5eb219a8e3b71e86393a14a8e78623

SHA1
8e5150082a5947cd7b53458fdf1a93bc5f1ce09d

SHA256
a2c65df0a2e6baf6e66b51e529963830d82ae20dc3ed5d3a18ded77228249d79

SHA512
08cfd243f6a7fef18f761be92633c6da4a60135e8aca848c9fe6c210eea8f514c5289e9a783181d1080dd4ea71f5c25b921bf61d664625b2fc12215db9809b8d

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.6MB

MD5
64003e3e997db2540da404dd65a90a0a

SHA1
d7d220a85453f4b80c3bee6fb8a54c38fc0ddd67

SHA256
ad287e4a5f756cb2f11ce9ef269c0448d52cee5fc737e6b825926b0677b3d78c

SHA512
a2c8d89597dd2cee9e59a7f058faf5b4622d353e80f309cd71f7ceb15daeed275af26efb5139fea325cad7b1d2ebcffce3d39800998db7814eb0170480d8c521

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
7a62e4eb1194b1f95e9fffa0ac071ff5

SHA1
212e3575a8dd1e8059809626a9145cad32d50643

SHA256
3af0111062dd7ed3c70edfbbfd6bd04ead30ed8cd01973acb2c80c43721703ff

SHA512
83ff009048bc424db4edef5ab8c65024aec3b130c60203d937dd861ed6644a71d6b94c0988557fa9376f35dac07fb428bd8055b6b2da2aca0bc31cc4e0c161c4

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
cc0b86cc5bc4cb10379093baf09a8e02

SHA1
f33ea186de69a9b5f90603d76e667ba8596a3901

SHA256
cb0f63e70f5454699ad6f668363fcab002856ee7f9376bb1d68432efb5c741b8

SHA512
dc19a91f472c34e4b77a06d2b03fe7466e2014016af3b944109f78efc615edbd9f6e9fe157d3a9577064cb5ab2557428b7162f3b2a4f2517be48c60c86139234

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
518e1199639e58c4744907935c17497e

SHA1
99bfecffeedc152a17b9840512a7c509b9770f3d

SHA256
58c036dffd5d87d5decdc246e245f7992dbab4a97368648e5327da84e36c52f5

SHA512
7dbdbe15177a8b302e3f3b042f27dd114dc81e76459c12969e0246b817ad4ac7c1c86d91a6e24b19011deedd7368a84b93fb765877e35ed15b8c9f013f9b717a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
9ee283ca3f1b0287092d840f42996449

SHA1
1e37b7daf1dc1c4eebc977e6255aceff4b2b3575

SHA256
d06bcd9defabe625c385b0ed316280303adefa292aa666ab713f0d7b2de3171a

SHA512
ee7e3d0aeff75cd02650cc026e524ffe210f37f8ff5604c1d5ff1c82807c459b67902e74dbd440d788e640b3c86123738d84a895750a7fd7ed7f9913684b6086

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d82fc17461d164db638d82338e9f46c6

SHA1
2fc65bff08eb6f79fce3d652c70a95ac49d493b4

SHA256
113f784cd51afd32e9a8dea454e043ee2c2455ebdc44e32e96686f6907bcd949

SHA512
f1fe3be362661e05b8eef731e9b40ba1341908e49de601fc56abf7565d81326ec951fa8f97d374f2a68a5333b69058817af172c32a5703da48e2e78d640b3381

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
73cdac17a79ff262c2c2053a032d7c3c

SHA1
bafe618407122bd1125644de4abcb89559f2ac48

SHA256
dc33d8fd38b907d1cf3c3791b2d49e1027643dfbfad487b88604d3fc7d4e146a

SHA512
7fb29659fc45ee9a9901b0fc07e2cc6760033a59b6a758b7157746e54d067a9b0021f9a3499577e2053b418e8b2808674d4c998dcc90931a3f80b01911f1153b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
7025ccac9f631fca751bde74c872be7d

SHA1
49e22ba80962da94b1d38915e8ce89bcfcbe6f68

SHA256
f1305e531105ed2d633355b712046afc805aae1c40333fb1f80c2c37d1193022

SHA512
888d0bb2e64ca0cd421783e1f0ad7572a91623563cb75fe476d99ce46e03c86240fb58d8d28948d84b758b851ac271b45b8ae83db1771ef7713d63bbfae632fe

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.6MB

MD5
ab82d0b09e242e1c49433a6c0b9612c0

SHA1
ca38f24ab7a0176421e45de07bb384e284e56580

SHA256
c29fb01fd60167290763f3ec18213deeeed9df080941f261fc3f377e4392aefb

SHA512
96866f0fec8b7bc04f76220e653593ad65b707f9b186a9491b6fc0d34bf8d1803ddbdd0737279ef961041c8527bfe247bc2e40cfef2e17dc374d343bc08215f7

Download Submit
memory/208-0-0x0000000000AA0000-0x0000000000B06000-memory.dmp

Filesize
408KB

Download
memory/208-8-0x0000000000AA0000-0x0000000000B06000-memory.dmp

Filesize
408KB

Download
memory/208-427-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/208-5-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/208-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/364-329-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/364-214-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/700-772-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/700-330-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/828-602-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/828-231-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/872-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/872-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/872-108-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/872-113-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/872-130-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1076-759-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1076-256-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1284-278-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1284-161-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1284-160-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1456-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1456-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1580-102-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1580-94-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1580-186-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1580-103-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1856-251-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1856-627-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2104-760-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/2104-275-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/2256-195-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2256-305-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3088-183-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3088-291-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3180-155-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3180-150-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3180-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3180-145-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3180-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3196-767-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3196-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3344-763-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3344-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4000-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4000-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4000-159-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/4000-20-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/4152-117-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4152-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4152-123-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4152-248-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4200-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4200-302-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4332-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-630-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4604-206-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4604-317-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4868-773-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4868-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4944-306-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-764-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download