5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
Size

1.8MB
MD5

a9a77fa003c0eca334f00746986060fd
SHA1

b053a98fca4980eb61d02cb4a40550d05cd940e8
SHA256

5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f
SHA512

3afb85e31b4c9b1756d208eafbd122701b9d1db4522c42b515c8f05268be76860982a04773a8ad8f5a3b8268cf8046a3e261088bdff6ea4f6e049cfc2b104f98
SSDEEP

49152:IKJ0WR7AFPyyiSruXKpk3WFDL9zxnSwarh7P9inm4uLZOkZ:IKlBAFPydSS6W6X9ln7a97P9inmJZNZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2636	alg.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
4844	fxssvc.exe
4540	elevation_service.exe
4176	elevation_service.exe
2040	maintenanceservice.exe
380	msdtc.exe
4964	OSE.EXE
1304	PerceptionSimulationService.exe
3908	perfhost.exe
4092	locator.exe
4600	SensorDataService.exe
2148	snmptrap.exe
4676	spectrum.exe
4936	ssh-agent.exe
872	TieringEngineService.exe
3936	AgentService.exe
2140	vds.exe
3336	vssvc.exe
1348	wbengine.exe
4716	WmiApSrv.exe
2252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4bebeabf8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\System32\vds.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe

Drops file in Program Files directory 64 IoCs

Processes:

5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_ko.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_ru.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\GoogleUpdate.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_vi.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_fa.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_no.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_pl.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_zh-TW.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\GoogleUpdateSetup.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\psmachine_64.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FF9.tmp\goopdateres_ta.dll	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dfc5b6a1aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6de406b1aaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3c4c86b1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f9c3a6a1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5417e691aaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000917b98691aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe
2136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1572	5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
Token: SeAuditPrivilege	4844	fxssvc.exe
Token: SeRestorePrivilege	872	TieringEngineService.exe
Token: SeManageVolumePrivilege	872	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3936	AgentService.exe
Token: SeBackupPrivilege	3336	vssvc.exe
Token: SeRestorePrivilege	3336	vssvc.exe
Token: SeAuditPrivilege	3336	vssvc.exe
Token: SeBackupPrivilege	1348	wbengine.exe
Token: SeRestorePrivilege	1348	wbengine.exe
Token: SeSecurityPrivilege	1348	wbengine.exe
Token: 33	2252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeDebugPrivilege	2636	alg.exe
Token: SeDebugPrivilege	2636	alg.exe
Token: SeDebugPrivilege	2636	alg.exe
Token: SeDebugPrivilege	2136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2252 wrote to memory of 3672	2252	SearchIndexer.exe	SearchProtocolHost.exe
PID 2252 wrote to memory of 3672	2252	SearchIndexer.exe	SearchProtocolHost.exe
PID 2252 wrote to memory of 708	2252	SearchIndexer.exe	SearchFilterHost.exe
PID 2252 wrote to memory of 708	2252	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe
"C:\Users\Admin\AppData\Local\Temp\5516025e482adb99bc2aeb945ec11d00647fb6cb613297d8104736c489fa876f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4628

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:380

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3672

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
545e1cd2a09bf526a2f9e01392797808

SHA1
550c922bbec7e5e973422a64af63826e51506081

SHA256
f834080fbb54a285010a37fea07b7399352f10c4c7c8e20b21642800551b6215

SHA512
99acd1d7f6db1b6cd0a06f5f1857a8897628735747b83bf936d32c7d29410265a12015a4eace09e1f598f0cc1bc3a50841ff2a97533ad48bdb8ee2d44963e2ed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b39bcc391f1701f5f2229c0b3ff9a6de

SHA1
b020f949c1fc4408bbc3c055c2881ba63156a923

SHA256
319f7525d8e47e41655cfa7bd7dc11f88a8f37fb7837bc36ddbeea033ef53824

SHA512
082a3e146f7b3158aebe665784d3b8743494f1ed41420861274156c7bc383c26d11c87b486d7014b6e4ae3e7cee4cb62a29a4c3db44d26a45438aa0cd3828ac2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
74661c57ed114d0f054b2bcb0b75b8f3

SHA1
fea76edf01268d95e374044e1da1da45a073c719

SHA256
670c9362051a37690f87524786b02db4fdcf21d6407bcc411f316ea6fd95ecf8

SHA512
b20309ae2ade29b22c80b12afc9509c59a2f9afade20105fb216a801bff949c5aeef5857eaca2df77d5c3348a61b125a806acf653922a724736c2a2d1423b8fe

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7b87ac0a2866dbb38d61f9b0a4213c71

SHA1
825736051181bd6c96b7be6d7e73e5cfd8c88afc

SHA256
034e2331a6ea063657ec289033a17976e33f3677bda042aa65b1599186edfc9d

SHA512
a58cde6453bc92b05ada361b535f8a36c1d0f065c92d8d2422edeca6dc31e57a1011a8829b76e20bb0539a34abe64528db80be076adc5157e21c58cbf3f7d9a1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
79e1416127cb65e5e95dbd81c3be1278

SHA1
c85c9dfbe8b02bb70bf9fa852c92deda71cfa1da

SHA256
3a836e87eef86fb96e8dcb109234f7334e834cd2b4494040a63e5b221541f344

SHA512
a7bf2f54c212eb8627eabe813d849f7a30d439d5bb1229d7fb329ea9cb7b6e2dfed7271e2d98867b84189c3db2ae181f8c9c940463172683adc4a966b1d5ef8b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2dea8134f497baf0f02f1e25e88eb641

SHA1
cc46dd01bdef892e495bd8d0edda4cc2a5a998a0

SHA256
03916538b4faed774abd5219915cb490da2cc6081e500444f2c2bece0b19b4fc

SHA512
0f8432f82a42dfe601165d9455046a5f68c66ff55764e7ab1975968d9973a67b39c9acb90c5ffbaa34bf143e97b26f3d0a27fbf89219a19c6ee57befc683f240

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
2a1c728840e6f7d769b5bd8613b9caf9

SHA1
35c9794a6f22f5d6e75c0a594ba80a40de439020

SHA256
f40b472d9b95f4392b1d214b177e6beb9b2a8cc2c30f2809b46ee8a36b8de538

SHA512
065b09f79f1c4c5699eedd67cf42307000b78c9d1a4df2f13964de3e6c4520d5b55f0830d7955e4faf88c566323d00023260a7351ce1eb3d4d0db2b7279b108e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
42980452e8f9f460551088dec67c7e25

SHA1
30038d5978ddf866b71a25fd36216d1532dcc446

SHA256
5e61f0e587666fe969cf4e70dd711530970006888d47919ae99fcd4c33617426

SHA512
8b16983b948822fa782325e382db6577ac56a66fcabbf45e8a34a23ce12a17c77b1716146b1ccfc246b5ee476cc7dee6568ee8fc64e15295dbd338f21b2c47a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
71b6d607492a2e6b773868e3003e7b5f

SHA1
04aa357d787e3d1c59a78f96be7ed418b4363ecd

SHA256
11a5faade211ccc9b8f22fa9268c85c6910d4104986ed0d22c5fe594fb17c2a2

SHA512
35f480554955fa76f09b850363d45f4ef53ddb6e3b0716b79b83dffca5e06bbb282059feb86168a961be11c220646b0ce822164f0268691b88c6be99820ce9cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
1d8ddc256d4740e43fe67f1948df1403

SHA1
376326ee424cfe5703d81a61ec51226ac1fddce0

SHA256
e4ab4b2ee2aa1eb7e67cdfa5cff0afe68d0cab6cee2255b625388eb4582ce472

SHA512
899f7bc7fbb384948891690d7448aa8892e9cbc0306b94d7568725df838042acac7c64d7ccbab483be77ebefccb9bcc2558903bc916a9c8c8ca8b54e32610109

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
878ee6973c7d338095aea916b7ba37d6

SHA1
adf3c7d27b47a4fcfbacd9802f494c0880860363

SHA256
ddfc96ca1bb779e29253fb5ca8c74fcb585ef0ae0f261d1291536d7e6c8ec763

SHA512
4e2e20338f62706b6b31bbb1d0710ca6979b9d520a5c858e2fb005b9110c7869dd56e317b551289fee589af3fd0ed31ece69516714dae12a24c246b3d372ac05

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a54db340a14d1c0a6dc312e8c72b0dcb

SHA1
ae9987535acf500553c042654c19fd3d8dfa9fe8

SHA256
536fd8ae06ad2246b152bf2796b8da42ec5cab12fc145d89d7267ed9b0b05337

SHA512
a22de8eb7e18adf7973d5e8e293b565ec442122c95d1caea20427c9d55dd3d6243c8533207d581f7661463be45275b65f92d8ae67b6a951776c19fc51de8e835

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9b250298cbafdc25f3aa5b644b3ea194

SHA1
c96f298e7fa2ac33aa54fea8fd2cbbb876179d16

SHA256
9b88b4b863e5920a8a5eda45b302ccb122d16877a69f300d4daaa738a92ab625

SHA512
b341426a3ccad2e6b820f5d9011c1e0f2d8108f9b842d9e03e1a5c012ab0fb60a18c9a3220c1c2d53af8f394f33495d03cff0e6c76de83864f5811faee07393c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
66b996c93a1d423a60e79a07fb5a8a26

SHA1
8d51b7ff0aac83feeffa8dfc30fe5776547ce2ef

SHA256
ee086095446bec9226f4f4702a172717d2081e05ab4b5406ad1ffbb4ad7a0b0e

SHA512
b3bd74865ff79ae5adc857b3176b59375b107ac75d12a73dc3d297c8c1530e1e41cc3b3fb13d8d15c78fbe3c3b9a54c32376da4804982fa00067cca4c12170db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
8b70bf248a5cac0f8464b20bcd987c98

SHA1
77f66e227d9c42817e71243d1a6ab26a698c78ed

SHA256
348539bba8a13c706942f05abbe1b1485e0f8adb70aeec10b7b737e6b3399cd3

SHA512
02005d78f4acf692ebd94d00a5c40e512e684a0e8f3c41109400cd29e8e6cb922aa464df79816b9eaac220b7908779596eb47f408c0def4e53665e87b9706197

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
23cad68cdb0f72b875cfbab7ed78f605

SHA1
512598ea88640500e69621e76e3d88cb67b7ed54

SHA256
f4af2e4c300684b33d42ce4e5a76f05b38aedd9c6757d1a1d1ed204cf0b0f7b6

SHA512
db5a0a847c1f34957592ffec7ee8e147a5eec77e5dc1b78cd211dd17a76245fc22eaa2ede6d3943205bdd63184783ba1634414a4b9e377d575127aeed25e95fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
277a3c24728eb7972f2e597172b9eb36

SHA1
b7ffedbd6091c191d6e604f5094bec46552ee716

SHA256
ef7f1c73db46c99d35ab2f3b679cd98c92f549635ef709f9d876fb4b85de5859

SHA512
299d6ffdd6cb569b128120d17e3ac02940097f5cb85a253a149f5f3619564406644d1aeba8c41a8b4a4c5d1584472c3bc4fedc7d5d5131274c3ed5163a52f98f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5aed13db01a3820eebc3c2dc81b798ae

SHA1
a6c9effe836394ee8756da88c7c7975b55003c9d

SHA256
13fd2493af1e0b471facac138c391ce15f68e882c6251a83382e22654574bf32

SHA512
d07b92ef1ad6f3e645a7bb336294f6a4cf59656984650450a6577329f6f7703a7ac3d161c58d203822ce13c3927fd311bb2e42c9d34ed7cb399069a42f0c0f49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e71edbe3795a861aa2f3f07a084aab23

SHA1
e1e5bcf42cb08ca4e11bf6f50576ed626f385806

SHA256
31ddaaef809fa10a1889b502e820d3f7bb92b72b12e451537376d8b58176beda

SHA512
0fcefe2265baa7b4d51e21c960eef529d5ebf45ca4b5bca18bc8bf0aa1ef3b69ed4c70db6fcf9016fb3e1673dec1d271389b03fc4ab06240ab341b873236de6e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
5e951d7c7a367655925a92c2d93b35f7

SHA1
92c523aa0b4da5da746dafa19f6efea129758646

SHA256
de1b419832a4dda8f7a7a7ecb84e752712b275f23f7f51f18b28cea590b0fa33

SHA512
2572f5f759e8e1a49e4714ba9f68dcf67823e8e2605f1bd353828f5c0758501e0814109dda410c244b2db8242a90c710801b807373ae542c38c4e61f88fe6ff5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
38b9d87a93b3d5b53fa2f46400968851

SHA1
a64f45026690889ffe65de9b13a3cce566107643

SHA256
ce7d57f9d1579a098657bed673ec42a4c6fbc6e1c439a2129b125e4e9618077a

SHA512
a428170d4e43d6984c97fce764ac997ded11d340ecafe3e1f4fbb866c1bf966c6598e4a738297e43faca7207a4f66b1ea9fb4bc1266d3a20f35ee618d98dbd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
90a595b2ef8a3e4e1633631819406c37

SHA1
28eaa75250db0786afb815370598e1bf3cfdf2a8

SHA256
92d910bb629d6e91556e8f49f49447f0dd4eb56215fdf93124d2601dccf62296

SHA512
f2f3fef879466b30a98ceab082438df89abc108eef78b6b05679605ff1977c7c9ad619d48235962d6d8411309765c602cb46295be937f889cc231dfcbaaef001

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
c26fb81ee916f95c30a04f41a7356f15

SHA1
907e2253705943e886d76eb6e2b7c98a78188089

SHA256
8bff9d271823a275f09107bb6100772293e5aae75c54fd8fb313161d4add435e

SHA512
c4639ab1d5f63de760cc588d7493f520d809bdb4e129e69504974a9076aa40f11dcce75db5fb5177187038571511b8968a6d0e1091c935c74bd6b52eb4eb9fcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
322971f0bc5c0574faff88ddd56f7dfa

SHA1
62a03142f9d4765581e2bcfb26d43996113dafb1

SHA256
041439b918d2670ea72c517c25808c15a75a801ef5887513d206aad28549bd19

SHA512
079dd16cf5079d3415458cc42ca877883d4a5bb7ba8fb3a7aa444a3acc0d53546c44f909f0d6df8b86b0240e286befd59d342c12c32c78988877e4aecd7a3b9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
b1e037b7e87267a6cfcef9dafe34f7fe

SHA1
ff8c6e9d560c22c5687fd976d7562ab7653ff6e2

SHA256
0d46da38cfc4025ff8141ebbcf5dcf993c3addfb31a040981ea9694774c27f25

SHA512
fef0fd6748a6b83b3921d990cd1b2bb7dee180c1280b35001508ab78fee6da82512d735bfbf4237251672eb472d4d8ebe9dd26add2a0b3964489c24d2a973041

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1f986cad8ad865c043f004ed0e2ad882

SHA1
6d7c8faa7caa5be98e358d89b26c5c5f99603f51

SHA256
41c1a10c7f3d2059b6b5ca6e44782efc056a845475509a0c9650eda2f457fa4f

SHA512
d83f17445fe905cdeca3b88bbdc0116ecf04660a4a57bc338965176c0a5950da5d540d1f3db0cbe40809e59d79eed6203831a95abf1ebf673fc240fc5b46cbbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
7477e9225097a89a691f92a190db30d1

SHA1
9e966ec1df3bdc9350abe859470776bd2716b18a

SHA256
ea69997428a0a7a144ccd657afa825b209f635a3fa1fce297865f73571268f4c

SHA512
2433eae5b7fb6e5e3876281c03ce97ea6fe21454b90bd3dd7fcd20656d514c849a62144e311c370500896c75cc1c1c7d2666ed554e311ed444c6462edcc3a0bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c2b49c291d379970c62a3be09c119c24

SHA1
83d007c79f5677197be191287ba0440995d99f6b

SHA256
0f1558f3aa9fb46cca65070e646a71ff6551a3bb0392e3bf977a80ef6b8eeebf

SHA512
b7399ff51557dd53dcdd31dd7a46823014fcac5735d8d00d06d0cac2fd8da6e0d97d28796a3b45eab1235694aea43098c983d56b5e49ecb3de994023261f988d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d1e15e4c80d7d1497295c9d7aea6a37c

SHA1
1cf34a4cff3d0bb2f657ce19105d2e807e3b4d76

SHA256
d0ad0207327e6baee23d5e131e262edb9cec02c05f8deccb6a9c759e4454d6be

SHA512
d36feeaa3d896e3c5b33d0e5a282625ac3f42f4e499407b74a970b689e72b2785ce61878d74d9cf0a45b0d8bfdebe639e308d3f5f9d9762d6adf71ab0f5c7949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
60d3788eb10e4afa3b3327d362d0714d

SHA1
3260d5eb351a9281d4e49b11c504066edba255ba

SHA256
94b5003851542aebcb5f445d3b7d64dbd5335f269b60c4fa56b1ece49fbc64cc

SHA512
7f5e7f9845caea0fbe0bd12206dabf8b023f5e096c3e60784e61b377e72af0b1e061ae96cedc0572b55f084d15dc2932b0db9e8eae516cc1add0d8300de954a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ddb0bb8f310c08ff6d3ef976396c0a7d

SHA1
711b25285a3225212c0ccd59085370a601cefca2

SHA256
9eb12619f8e3bf97312f50699fc62ba25de9b5b9c9e3285b50d2e8747d309abb

SHA512
b7d97bbc6a7d6a253fd1bb5eeab9632e65a2ec4a51078939f84d71222fa7ddb33b437193893648d947bc0167a89084f8fd2bf480a3073bbe8836b16716441678

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b339e8fd39e55536a95fb09990e7b2ab

SHA1
95f2b0c9efcd7983180e6042dc22e7eec96f2f69

SHA256
8e2a93f2d2c3afb4a72b849e845f7e7e0c6d9f88c21e98af2e10e5dcd9288720

SHA512
464940cdcbc145a50d6ad3d584a024a706b13523192e5be88fdbfd9748b9b8532acf35404bbdcd2a1139dae1aee5a7ef48a511478d6d336afe1b0b0534cfed0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
0ea43b19b4b8c66de101de77a3112311

SHA1
e7f5c5fa6349eace05fbf75956a92292ea7a38b9

SHA256
7d6f32acde6a3253cfc64bb34da6f61393649755e26cd95c0414dfe68255bb11

SHA512
a5ace3a7e52f8b33c9d6f7c5006f44a8774cfd70928db6444311a304c9a381dc4ccbdd4d551826f95103ae314225cdc4c03338a34342f3d24193925a3d153fb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
ea0cde880c4bf035de44905d35846f66

SHA1
b4ed0e34ee0076da916bda6e90b2d714d24826be

SHA256
a2ccaeb854c7fb9d2aad52ebb7b321b707281595e8bd69d6fc3c558dc9680b23

SHA512
c7592da86b63feafc7ca72aec2dda9049d668764da5d10f62b24dba6a73f2cd93d6377943b00f655960f45b4818a2d6a758e649d2abe7a389a8723dd5bb60e88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
011c6b8abaa255f9cb3952c17a96d9db

SHA1
02ea535cb02ffc1d2e2e1a4dc9fc424c7798c2d4

SHA256
8debf8a7ba005773e4d1584e898998cfd3d27f0726b5283949785f7014ce79d3

SHA512
cef156ab2b9f4393878ba2abcde715f33e858b029236a1dce844fac0857f4046b07a1fa98bf06d2965f4b208ea2cce7c3472904b6a166c8d6312e098ff4d9fa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
2bbe6cf6577760609f247eb188525244

SHA1
34d6e65ec6f9d93aeabdff0150fa942d7d1142f2

SHA256
ba757b2a2d53bf60b53d2d6f302e5acaf998d1972966cd315a6fcb75d74cc748

SHA512
7df3d5cfa382bab2b3381af29e8fb9ec5db5db6abcfcdca395a7ce0e80743879d93a9f84c613f140ccc92df38dba8bca4603aa9c92ccda09453cb694db957438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
24713c21482cc019f48cf7f1e0e5aa7b

SHA1
993582c67c166e24440eeadda48356ef4f65dc6b

SHA256
b0666300381e7bfc9c2bb7abc31dddd41c576814e003e1920876156ce4239295

SHA512
c8250a9237bfac8d9bd29f0aa210877c3faaaa23a06f6fbe23b3f92ba26d2eaea36f5b3e14572538ca9a7c8aadc4b6c0a0207232ba6104403997ad56add37e0a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
075a6334e53e47109c8afa4a6904cd27

SHA1
432cc6aac518c006cddfbaad52a4fcc34d6cb1eb

SHA256
6d02812fcfdfebbc02c97b4010a4c16c13fcaece9c57d192273d1ea73e3f99d1

SHA512
3512df9f77f2c101925e3959afea94cd18fff31fbe0808dae77dbbc2aa6d62d61cbb3d28503d16935ce2f9609b01e1421dbb5cbc341babbc6c3385c2487eb5bf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
e16b986a29bafe76c332759ea40c305d

SHA1
fa4bccfa646c8ccdd9567df2d82f6e0ca0b2f798

SHA256
e1491f7f3c163b5ce4368f261a84ab27967f7f0f2fc0cb11fbb8ff2b9eed0669

SHA512
fa02ff382d095cda6564f2ae40fee2bff5e85890b95120ffe6cf0da8cb7363ca5aaca670d6a5c244afdcfc69894f8ecb6076ba3003df742fe4c2f3f5ffeae8df

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
f6eec53812a96f2947ca3c7aa3df4ac9

SHA1
e316f8903bf058961f8ff883aa024f913070ce15

SHA256
3d256a5c7ce5865eb95d1c2bf05633198dba36c8baa4c97da63a676e37ea2b23

SHA512
f7672767de9245c2bcac601156e37d0f64d9d553ef0ef8fa764feac8b60073af2746b10529c4df3bfdf8fa2bed0004ba3951c0903aafb3a7ca48f293008c5f75

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ca5942368dafbe9d5ff39bb1daedda32

SHA1
74850a57a3fd7e358f3fcc705b701417410ac352

SHA256
4f2f081428f375561dbd2bc70073d5716b3cfcaa5e1e7c3d21d91a0e335eb541

SHA512
24c920626cfd69ccbfec0242b3559e3ff2fa9738031faa1364d8e246e33bd3a231c2e46597eaa60ab96efbffee1fdde0b1b7a0001e326af8b0105a0151d803dc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e99b86a132d9cd80010c1853719b8a3f

SHA1
ade5b9184bbdef6918bc26306e174a816035d826

SHA256
ab54a4ff0119424eee20a2bdc53e8e15dc1e10493857bc26f2e7dc64e5104092

SHA512
42017276c34c80d1ec114f37a3aa50d36e566800093a6262c1f84e3015ee3f542ae1c01c0bbf9e8145124f69f27d92c88f07df02bef812ef1e1fd36e6783d32c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a1d83bf35985e214c98e0bac772f901b

SHA1
cb1d8e032f8a2e8f37f95288f748e7eda6edb58d

SHA256
adc0241f09076b5671a15f8ff47c1dc98203329f4771226a3146a71533ac8101

SHA512
3bca22dbb719eebe164c6b7548816a5e3fa81a04a875ab5fbb2cd545c939d3a4724063d7ad3df55c0215997aab970a859b042a10115588777d328de9451638d6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
126f8d6da29c8a953d13c495f430deff

SHA1
2e0203f03938e066bf20bc202cf08b942e4b6f91

SHA256
ad3a08cbbae784b789035bc442c7bc052a24b37b9549d6fbfbf98289e2ba6d7f

SHA512
f9647e21f403ef7d75ce7abb83fe9acfadf0ad21062f56013536d2b629b1a4e89a3ed57e8e286dd261c76c9fd5216b378c95a5029b43616251220c2e93759db7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
0a574fe837f2318ce9a042c3bea12e96

SHA1
260856b4491153db7096f6a376ca146e7bcce98d

SHA256
c15ccf990b4b6d2c56fe88dfd196c6986135b9cfae15a746076624d5ad87f09b

SHA512
84223867964f3700fdf4ba585f1edfe37c8789676ce73e9ced83eec59ad0b04dae5f7c2d9c748fa93f890661900fbfe60ede21f5670633f1fd10def1f39eeb72

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
f7454b70a4b541818f77ad0e17e696be

SHA1
3886dc59405720f021787caffbfc84d8a592f652

SHA256
f8608ba933187929530ad40fca8a783b579ebb5569abfb186e710f841a19667c

SHA512
5a8457b69c3af31206bba02c6c8608929e3cc525c988f1db1c0efdbb64b900073fddfd9ce6d6bd67e9a2ff9fc6ddaaa85116a9c44e7206473660ffe2b90654e7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4675c8dfa84b126f1f2ef09a9e5085c9

SHA1
803b4bf576cef1a913c3fce8639150701a996518

SHA256
e5ea8fad32a8a5ea32653fc4510ce43a5c58610a8478da4172fe5255ffd063f0

SHA512
ed75db99a29586ecad853c54aa885b37b76a59ad1e0982fa2b36178481bc7549dda12ee9a3bcf2083e7cc9f51194ebeb59ad40ad73d811df9b06af6e379f90e1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a0cfb8c3bad77364bb450878e7d6057e

SHA1
82507717e23301bc546f19dd5a346ac6224a3e29

SHA256
56f959bf3357b6320c3b6b7ce3e9bd6c8c42ca1011ae528d0995d744c8a44743

SHA512
3b341296d1f3cffb63b417be4dfedcf4accd09ea6c7c976220528c703005ed0b943dd786ddfabef7d54eda604aed6953247bb0e48c9f88c3f108b72c259bedd4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4bf4c51dde204da86985a0b460b9bad1

SHA1
88f89e3d219ad7f4c057b719a35b6656710e5e8f

SHA256
57dd5f9a7b299b3c92d5350c47347044c86ffd2382d0bde4175a3bb74e433c07

SHA512
fde8f58fbd7000c51e4dddbdd27d6ea0e45b5ff5e51a6151fd41c48d5468f05fe41f48592178a6754a9c1477d80f09597a383647274f99420b82941767989e4f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4162839fa7244d23b002ef62a9a66808

SHA1
a04566655480e5ab7b0307be50fca8176d30db46

SHA256
504f23e738f70f8f8be6020eebc449a5bc96268a5b1d6b03bb18d5acd938b387

SHA512
e80ba96785e1206adfe2b6f51f5ea2f8c30f4c94987fc0d6cf40f0f01ea238aca861457cd5796f4e9a426e312486fae0567e74e026fc723e66d156a606b5e2e8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
101ac825daba5ab5541267093960ef54

SHA1
0ac4652b5c6dddbcff50d830db9b53fda0706ea4

SHA256
e18338c7b8717a7e735ebbfe3636e618f31d078f5b522b32f30bca12d4cee3c1

SHA512
ed7ab3fe9e92f8b22d92ab4f2cecae45238a2a02c3d8939004bb01cfae7902b1fb5cfff99c021adaeb102a5a2a9fdd7de14d0174287932c296b0a7886d3a120b

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
97def6da0ddb40dbc3f34acf3440f135

SHA1
92be2afc6555357e751ea390567ab0b3a8aa4807

SHA256
cc9b5a4d0c1a52dc01fb6b2fd7e5fc25128adfd8aee12a804034fb67e0962000

SHA512
4d4f882ebf2784a57bcd03929fe1e23556b5d4c1eae7450a004e466722b2b57cdf464744ff36f4f22ffc8026b48f8ed6d78b33d5595a55e3fe7a4e3889708826

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
4b275b4f369a4242aae3dd838348beb0

SHA1
df5de003f82e6b07979735249f8af125694f5d98

SHA256
1355d884c1e83f2b2b6015df9c2c29a1c9a9730114bf279cdc30926487599186

SHA512
7e29bf3b39bfa4f24101fb93948ef709c50e3cd1ab19f0bdc243ef2cab84cd672f1ec595c096d539eeb7b134782c8b823f35fabcb2303356d5a58fa28e294610

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
73fa892c12ac521bc857e78d32b89a34

SHA1
4d2dfbe9c2d3efc92ba78ac88f663b0819059285

SHA256
17acaa723a80e393c465bb712d5d8dc457c5ea4046122f23d27dbb66a91d9108

SHA512
578d0409a6c55527055b8f692b3dcd0179211574022924b233dc6c7c5285edea300a2f30b384ae39ba105c35eb4d2fc5999e04a420637ff8cf75693f5996e428

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ff7a7a7323c7b4f999256d1a7f149703

SHA1
d7b1b7d2e49f665d40d341da8c3bc52e1b7aff2b

SHA256
9568d4006888a3df79292a64bc422a5fdda00f62aebb7310fbbd2a830747821b

SHA512
3b3dc542ce4a0abbc1761639023a31dc43803a8cc5a1e1b85f6b87fbc806e2f1122f118f7f030d775776335329ad91917032fa999ea57ae54270f27710ee0699

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5fc71caa64b6dc651a489973d15d16a6

SHA1
22d79070bdf00cdd26491371106e094898531c96

SHA256
533f1c26bef5f48881419f114db6e82ec1845cfefa28bfd560b646a0a708823d

SHA512
bc2f53ed31e0fb2548901028fc15271f4f7339ceebd7c586a9661df2768966eaabf2e997df127e2ace1a51ad22d2dacbf878ee4be2470ff385bf3b5bb0063cfc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5f6b83fbf99753f3365327bdf8fe48fe

SHA1
b54c46a03a67e09a88026cc40859b32987b77a6a

SHA256
949b7e350ade8cefcdea9d617bed6d39b3a8b393314a9b36431ff1a5dae7a53c

SHA512
e9b818ab0b0449bebf05626c0d8bec6a77ca3eee500318eec2a5457bebf071b3f0926508bb157aaedbbf0a2a479cc815c03f54d5649aa9cfa2397ce9cfe55d00

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
8134ec02b5182ceb870351f849789689

SHA1
6149b0bf3a405e99e30d1b4ab306ad3184989afc

SHA256
0e8199dab8ecfabc250ed4dd8ae6d7f1aaa15209df2895bca5db8280befebf23

SHA512
c6afe71a0253b79822d4401ad56c49f6a1bc28077b98d3e12229a7f217bb0653064e036f39d849283a4590f934f19e9f3bfa1029171c3d42223de65ffdd5973b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
50fa2f5b91bbc6409cad390651d31d39

SHA1
b8995f6366bc8595527f70b70d6dc35e53f921fa

SHA256
6c187231afc8bff9db22e9f620f94500a4492d425e620fe684413c4931da858a

SHA512
5f6ddf0ea9b2c9297a7ac2c65b78e5576b59cc615ac2b6b92e94fd84163e7143f0023b246773008f28f470880fedb774262a5e1779f9c96cf2ae77d02a4102db

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
58200731433e829edeba21c2493ca492

SHA1
2548c4fb7fcfae5177dc827f1c26bb75376fb242

SHA256
cf3cae463834001877046b1f12e692c6bda39059bb9f53836baa2d72ab25812e

SHA512
6b8f6ef9501c72e7c18640e67030eac8f69ea2784bacaed916d56f0844428f4446538bd1f8d6d52fcce2b0ea2a8504b4b4232542c1cf99c1cd8fa746e771f782

Download Submit
memory/380-167-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/380-155-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/872-702-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/872-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1304-301-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1304-188-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1348-708-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1348-314-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1572-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-626-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-166-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1572-7-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1572-1-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2040-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2040-150-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/2040-140-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2040-147-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/2040-142-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/2136-65-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2136-90-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2136-210-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2136-91-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2136-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2140-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2140-704-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2148-237-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2148-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2252-711-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2252-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2636-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2636-187-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2636-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2636-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3336-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-705-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3908-313-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3908-201-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3936-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3936-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4092-325-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4092-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4176-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4176-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4176-135-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4176-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4540-118-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4540-124-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4540-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4600-701-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4600-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4600-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4676-663-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4716-710-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4716-332-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4844-105-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4844-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-111-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4844-113-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4844-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4936-698-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4936-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4964-168-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-289-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download