36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
Size

944KB
MD5

f0c336b851b693265218ab7bce67572e
SHA1

46e3e62128fc1de9241b8a0585f761dc0ace04bc
SHA256

36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60
SHA512

252030c18b0e3570f3ae334220ada5cae220142e73d65e51e95ffd43afe2fd5e036e6ba774942587fc30a67cda7b0586422b4d75248de20f4162e4ac229e5bd0
SSDEEP

24576:+UhiHOeo8rin3thLO3r2p2gV8ng2P2OaXbQYxj:thiHprothLO3aCg2PraXbQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe

Executes dropped EXE 22 IoCs

pid	Process
3656	alg.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1888	fxssvc.exe
4856	elevation_service.exe
2576	maintenanceservice.exe
3468	OSE.EXE
5068	Reader_sl.exe
1820	msdtc.exe
892	PerceptionSimulationService.exe
1888	perfhost.exe
2732	locator.exe
512	SensorDataService.exe
3372	snmptrap.exe
1988	spectrum.exe
4828	ssh-agent.exe
4260	TieringEngineService.exe
4384	AgentService.exe
3796	vds.exe
2560	vssvc.exe
4500	wbengine.exe
4808	WmiApSrv.exe
2416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bf9ebd518beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6d6f11479b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089d8d21479b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000859dd71479b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e05d391579b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024601a1579b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073c11c1579b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5d581579b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007960fb1479b0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
4856	elevation_service.exe
4856	elevation_service.exe
4856	elevation_service.exe
4856	elevation_service.exe
4856	elevation_service.exe
4856	elevation_service.exe
4856	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
Token: SeAuditPrivilege	1888	fxssvc.exe
Token: SeDebugPrivilege	1172	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4856	elevation_service.exe
Token: SeRestorePrivilege	4260	TieringEngineService.exe
Token: SeManageVolumePrivilege	4260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4384	AgentService.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe
Token: SeBackupPrivilege	4500	wbengine.exe
Token: SeRestorePrivilege	4500	wbengine.exe
Token: SeSecurityPrivilege	4500	wbengine.exe
Token: 33	2416	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2416	SearchIndexer.exe
Token: SeDebugPrivilege	4856	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2120	AdobeARM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2120	2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe	88
PID 2804 wrote to memory of 2120	2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe	88
PID 2804 wrote to memory of 2120	2804	36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe	88
PID 2120 wrote to memory of 5068	2120	AdobeARM.exe	101
PID 2120 wrote to memory of 5068	2120	AdobeARM.exe	101
PID 2120 wrote to memory of 5068	2120	AdobeARM.exe	101
PID 2416 wrote to memory of 2136	2416	SearchIndexer.exe	121
PID 2416 wrote to memory of 2136	2416	SearchIndexer.exe	121
PID 2416 wrote to memory of 4892	2416	SearchIndexer.exe	122
PID 2416 wrote to memory of 4892	2416	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe
"C:\Users\Admin\AppData\Local\Temp\36e6d1ee194eed14caa00e3369de3f0f0b99124acf964ad9cf865d580c1edc60.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    - Executes dropped EXE
    PID:5068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:512

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
94133252eaab8770ca21166703a4dcdc

SHA1
3aa640554e0158f34962f944749f70bf8e863ff2

SHA256
4a00a63bc5ed557cd1e0d966a5b299edda5533e308072e050aa57bd64345d80f

SHA512
35ebbac436119c863e74299effb6b85230aca240f5ff375d10972cfa93ae7fb43a03b70322b29bbdc37f4813057336bac1c2ed668e325e9ad6f57e8a2be389d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
6e0f53c7d738261a1bc83e3493b5047b

SHA1
a79f536cd1a43c6563b215691b1b0227f95db2cd

SHA256
111321835ff30360aeacce95f4639b39dd256c41bb0c3431e8d282b4cb796eb3

SHA512
2929775eb2a6b24e8c2deacd8ee6219a67b3cb2ea3fbacd9e208b7b354c0329d627c6a955ddbb519746bbb88422788fb73eadd41a08de008eacb5d51d8517ae9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
611KB

MD5
5215cfac95ee07f826338141d9605415

SHA1
661a3474327e9b74adfb8b541455a3fc0b87a618

SHA256
b975a1d7fbf69b427865bd104d152363d4aab98408bcf991af9dddab11420284

SHA512
077938cb4d80a8d55cd98f120270d2babafa52abe03c0026a0ceb879cf35a40a0b3342ffc1f4e9c428dc652093f5b10a4d65c37cd5576e10be4ae8a1d1191915

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
662KB

MD5
035811e9a87b96366c5a8d69e246380e

SHA1
044a62506d0195076f311dbd615a87a3796aaccb

SHA256
c407ae2a979336ad98117855e6ad1ec87db4867c6c9180e24bf0846def524ace

SHA512
2207b970826cd65ee907e001579303742e9d51676903990ceb41f18f62120a999c2d4cfe9cd9bba2f5ddc8d99f7fd7a3cf6b6e2b5c998a2532699b3f7b70e484

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
973KB

MD5
72babc1b2af6bb4260c7057ebaf4282a

SHA1
10790850c334c5c3db780166bc25ae75855b5686

SHA256
6237ffbd14b8fb1e1f9030dca48d91cfff68974168be8cc26a220d73c9b4fa88

SHA512
eaf20bcc31ee83311c8f15bf03e6c8ffcbaf651b2b8f17509de99f6acd9739a5aeae718bb178fba2fd5dbd942829999f4a0ffc565b7e1b7159fe6f2e42f6cc4f

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aca5cb1a59401bb60ead29c1e87b78e6

SHA1
4894d24fcbb45c8d128d878d23f8092eff27fece

SHA256
46fb3e57be04ee7eabde1e7577b71eac24cc19b2d7f879afd6541a9213b8040f

SHA512
64a411dce7a4bddfe50afabd0317f31ef8e0b215aeda219b8859a0427c403c95d55a6a51cc90f3ca12cd6f6c1d7f5a2e8123671b82d00b8021759006b01501b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5a9976af94415d0e9d00512cf71877ff

SHA1
466a4c1431b8efe26c79048c41b0fb65c6a68c35

SHA256
c01791cf68feeb6cccd1e527de7cb103072ac59f4de4341117204a4f7ad85762

SHA512
38987259e102d8d4b07eb80af7d260a3f9fe1cf62b4bf1a70ea22a6f7f8431c094ad1f625b5f7a58aa82fee7b130329add551c9810a5710410a9efd20dbda428

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f99606491c0e9563c5448076fb53f293

SHA1
dbc6ba59d25a306c457c89377b10e47575b0d7c0

SHA256
51176be2d046bb5503c595fc66faf57f255cf0ce8115b53e254e89630bfd47d4

SHA512
39dde815abc25b0baa8cd12e97c1e5e36dbacd0d14a32a9d42eee08d3c337802de4ce0ad458fd69b9436ec0a4e0ff5322cfcf31cceb509b20244507d37d9a707

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
20475a81eaefc560b7e072deb17586ce

SHA1
f11858a3e187a8ba5cd5e2411649afaf8d14ee97

SHA256
75f5efede8eafdd703f79a856d8bac6955ce6035d77f78bfbdcd471e358c53d9

SHA512
43d25f9647e099bebe835c166c7d4d2d426ee973851a6a708ad18be3c8eb987fe11ee490ac14ffe65e848ebef0c3bba8105f7ca460aa7ee72c5735ca032a6eb1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ef04ca56e0427c1fb4c5d3627d616ff3

SHA1
5d163367fb5efa9ff21809be47bbdfbd2dc52a7e

SHA256
992e52b67444599ace275654c94e76930c94bc9814659b527a63d1ff52e90e9e

SHA512
065841f9306f38ae4875f47d665edcc60f3b824a330d127334ce41e02769f3df8a3db6fb9a7ef03002c7879c193f0d4cde92a917404006ee36362f1914a14dfa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5a75a243c40b409e80a4b9f9c31f8480

SHA1
d0e04181abe00bd0f49502521d3c4f5a4e95ccb0

SHA256
426ce14950aad0defe97cd1d1e604d5cfe83a19c614fb1131c65075ddfba494f

SHA512
014d6d6dc2cdca629682201419344fbf7ad660d842f71f4fe2cb44898168859f288d046d9df16e05e004f3b7abe8f621aed124f4838495e200524967a29637b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ce1d8f165aee2c3525c73c14d0b0315b

SHA1
bbc87cb6eb0c10b6af122a541a1eac5705b9406b

SHA256
9ebdc1e108081bc29ff3f95d194eccf4a05d7db173c436cd8983d60addca0163

SHA512
bef146edf7a4bcc7c8c43aca8da2594ca8e220e7daabaa23c91cc1f315879efbbdf8eea77b6ebf5d4f3253589ac555e09bb9a36f5dda9f2537d1256f0cc48f0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a62c0e24b532073fe6c4f72b069b9d8

SHA1
952011f3e6e52dba6dca92f2ab417ccd660780c2

SHA256
a15c9538183d5c0e86d579a1a5c4b82a1bb1aff842139b0d0a7859af0403bcd2

SHA512
cf762b5a7ae14ed976166c87319210fc991dc36a38eff34a61ef15691bc56c726df93c6e0d4b08fa7a3b6358e3ee9650c161855bb4b44ac6964d206f769c22de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d714e46fe3420bf85e1a9c6c5a42cc4e

SHA1
e1d0e6147ee8244586699fb7712aa1edf6bc7822

SHA256
08f388435c896d386c3f63689ae809739289774f8d73584c0dfc652a68cb0a2f

SHA512
a775bd0c381c2b7f4aa574344e198344ef1d151ac7710c4160deee2a8f641b603766328973a9e112ba8234fa618c84ed965e40ec4d4bfc9cad43866c4bf2d536

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8aa4b13759f7d598213b2b9acb4e90c6

SHA1
28d1ee877d8293c95033062c5b1a6e1093e2795a

SHA256
404e1b6dec7e5338be7b32e12936aaf402df1677c627a2ed572b1ff8c6a098ce

SHA512
bf28f54a3dfb3b3a5b3412d6e436e8c09692abf761bb4da486f8dd04557fb838b062d281909972eea538af3aeb962568f0bf6b4958c127509137320a476f6ec6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c3b0767af4601108c7c76dc1d718c0d5

SHA1
01354451d528524fd7167d672e33e7a70d546427

SHA256
0e508d708988051f83c3ca292df06435bd6a3a2372a44edea4d55e17953068cc

SHA512
1f396b63f3a5d82251c4168b52cf6d5649f10e80f04a95c1a4c0570da19a0642cf100b7c310f63d5261a20308c89f2bb83aa7bbc07904cab0ad23d14390a2bdc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6f382b02cf728b83cc7b6c6e33697c01

SHA1
19f98044a49294a9d3a544ba30f56185b5f1da6b

SHA256
f0886f55f69a04b523549c7340d2f9d1bfbb7c690dc0b66f7124f9766481202a

SHA512
deca14281221d930edf3c79f49ad839424372b2400edf86c76907826fe64589f351eb83d74f4c528c5f3e50e188ce1129f7abbe028f4773eb1919ee122d4dd39

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
77fa42539e202297d1c690f5a9f3f923

SHA1
914e322b397fbe9f9ca1410560a04446d26cb3b8

SHA256
89ae373aee1916b2ff9be52a47f14c60618295b54fadd022f820b7c2d574308a

SHA512
25128a5727072771a92d99d59452e97d9889d0016e0cd426ac5ea3933ab26f0535f786e46109a33bf3579eceaa511010011fab6823ec9b8640dd96046f8962a4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
eb414eb0958ea521b6976b8d729fda40

SHA1
64673f2015cce8d790f5203ad66f07b836d351bf

SHA256
ee655cae6140a380d766b06255ce83482d89d18c109f1ac82efdfd15606556d5

SHA512
db61a961977b1f885ac091c48f231054a4d89a61b25d046b4dda5ba5351a22265cf967fa0bc486502a51771e8ab736366eb7e89073f7a313483dfa14218f9aad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c30b94fab7f248c540788a165724bd67

SHA1
8cc7c859fba5ce5aaaca04497a967dfae40032b7

SHA256
6973cb09a64fc65efa584beb56a68541e645d3a58126b3631d900b1649ddbc66

SHA512
c24b79d9bb7f717b635a4e57ed9cecd048884023c7c8227dcf1c295c50f6a0bba247704646880ed99e9e879f76007a1cacee481c0b165612234906ba38ba5ee6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5c0d17623bacc3414dc75ad2acdf811c

SHA1
41a3f6ad4e5c6c15182f8e8e699a057782577ec5

SHA256
053765101e9c6cb9a7bf67e0cc80cae9da0280e3bfccd883e78b05c0605690c4

SHA512
e9bbff109771e814dcd69c71cf0cafed5b487bfce46eb55aae1450541137846087f2feacfce0ef31eb615944df43a6daf6d2d29e66c0d7b3e7e0bfd41761b621

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fe7951cb2cfb329a5fe31e1202887e21

SHA1
eee9446523d1cf0b0a4f0115de34de860718ffff

SHA256
1044d2274605d790a2618d1d7cd69ae27e7b59c998ddca6759286757fcb99517

SHA512
8cad6117f5855c35ca84d3332a757a9a6a4e9faec946b899dcaf38ccf3c830d874900d00f41fb6cb970d34974e74e491285d601c1962534b8106c7e54313b4c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9146561abedb42ac0c849014b5631b9e

SHA1
ee15c6d819a41c6d19d30053262d4ba6299310a6

SHA256
bbd5e5b6bd9284bac7120b8a3dac40c3c169b3e94570e892500afc05293dcc97

SHA512
2115bbe0d9e354b7aa3e4ae3064f500a9bec6e3c53be574e5a8c0d52d373a542ff084369fbca0f647895ac31b3237cf85f111696a3f0dec1a65f592dbd8db729

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b90099ebe6b106fe8e54f16b9aa43a95

SHA1
35820429bc3e7ddacdfd287099eac7fc2de67d89

SHA256
39d6f86e4fec8159b8d4c40598a62a8232fab2e66402744c51c8d1d793cd9a18

SHA512
dfea6426d2908e03c50db9962e837d1cbc0ef6f4c2b2cad3162b7ef0626d21d642a2b70909a313ebb3763f2657e0800ce94f57da5d941bb1953ad13665a051e7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4598e54dbb229110508b7fdf9ec671df

SHA1
a98747f7165584dba77ea786972af383a0a7b063

SHA256
26cfc846774196c5c6903d69dc825949d7362210292b5fc3e2c3cf818ed4a569

SHA512
7c6e9ebe39465e1ce2f754084877c49256105ab303818ec5c50309c8ded4d2f2676d1391460846c6e000e6ae9ea90c73c6da6542f2d6caf3564e1709dcf242f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6b8b5307172f769cddbf1f312eea087d

SHA1
cfb8c99ee46b770834156bd822506c7cddaca20b

SHA256
2e02be7cf0d5df23741bc0e3d8db185c59a1f62ab045cf73aa7978bc9a760a45

SHA512
3469ca1d72e179489357445b04baa1ff01829ec2994cb37ce063f6f2fd4a7b0d6110049888177e0b60c7411335195de2369b0002c5b7f3a3af474e72afef7c01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f78320e953a7e21280a61bb764b49865

SHA1
ad2d24cc14607e1da975b15841415fafbab7eac6

SHA256
ec3ebd24403896fa1db39150e758b88f5336cd95abed5476bd118f04b41a983c

SHA512
dbeffeea68ab0b04d6fd44032cdfea043885e95207982f4ca97c4700175d845c24d48ee3c42d95377e1acdd39c0a15302d71072596f19650da5e8d131796091a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5a691aa67937ac879514d01ff5d9372b

SHA1
92c86343706ef979dadb050c378b08fd0b331825

SHA256
dd7a0f69a66f4416772bac00e0838cc6fe0127974d4b7530965c7015139f6970

SHA512
fb680113d7a28f336b9189afe25174ab5078149111b928bd830aed436de8396cb55b09b7f645a4609b146627a190efbe2fc622296858dfdc9e263ae5e482278c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
156a0bdd5e650d6c759642e8cc35e786

SHA1
1773f92e564945bc69277ea368098dd789e2411e

SHA256
9f2c40d3c1a0e64743f676d4dcda7a731b8dee11531ebb003937a79d1b848a7d

SHA512
8f40634fefd9a6db47444aa862550b5701334b909bf8acc121c7c5933cf1d038708d760266997730c95bcd787f035e8949da7636762eb0a3981ea785e06bed50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7b894ad4fadcf2d01d0719bd4a6a17d2

SHA1
0bbf8e92d5a8d5e5fdbe8a7b2eb210edc2d6ec9e

SHA256
835a2d71b350449ebab65ec2ab7468e39e26533cda93c22856a7e61ff372e242

SHA512
e9b55e5b86ff805ba65139cf1ac840e3678afd302c30979250e75769a48c987b5bb12cf7a702288e9acfa76586b738ef93f43ebf6272314f5382d04526c764e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ff8883da30274f17aa85a862935fdb7a

SHA1
a336397b31d65ee8ba141b615c55be87962ecd53

SHA256
e8f66845b5bdf2e7d12fde4fff04b01e8baf01dbb046b9baf99b47c36b64dad3

SHA512
ca0b8aceab0968a97d06fd9f44c7d4189d8ab09ae4f60c4fd2b11f025f4d0542f6c01b07c37f8a4dc4f04b2848db7b16b4c26254db3d9cfe93b9830d67392f26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a0a7c77e3e31eca4a1687ff39b7429dd

SHA1
b1002e04aff783f3365b1c8585ec2a75cdb4a59c

SHA256
9f5ae87227c4074bfc706bed5a80a699ce97d7aaebb15e2ecfca13abc60f1453

SHA512
866eca4297728d56db506f79e9cb2e78a0fd7f9e1f43010fcc2ae310c2e2942a8702388f384a40d5f2161c4f63cad56ca379537b2046a1b12707f3b4605c98f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b94be47abde7b4cfb2ccf366e865bec7

SHA1
0d8ac4c1e6ef14ad3e61299a71e03023aacdc487

SHA256
bf6bf5664f8577c5d063c309bea8b1c36f6dff1d4980850f61fdc896bab0ed57

SHA512
313bc6651713b9d66eac766d0f5775b1522f305242e365a9d4a53516431aa39ca035aceb0b6f13accf6b27f170f01893dffc8b1c5bbbdc7fe499174ecd6d2f7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
068fb2cde04025d46f03a1f58046f782

SHA1
4b31dea3bdace919314b9df0f075fd86a915a07a

SHA256
095220efb4a72cc3bc6b9a9f10c4123d89f59cd3514a5906b21c97892a697b8f

SHA512
0dbc1936693bfb49cc5047a6c7bc40b4c5f83d0469234d74c01c4faf44663cf6864f8043437d5858cc00f1f6363388fcf052b1c8c8a5c92d4f689b749e6364f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3d4a575e5ff33707eb0010d234cf3f68

SHA1
9e24eba63be5a7e07db38cbd9d6f73917dfed646

SHA256
5a477301111740b8f0fa8bbe83065d833863d1a711f93128ef41eb2acd51fe49

SHA512
8cac9cd18e8d6d5af7fcdcaf97eeca3c7fa5d3f5f253ae6bddc4295614e3722ef6736c486d62991daf01220de8b6269524109f59f5eed1e2e36879f94954a755

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
533b9e844976734d5b966831367b506d

SHA1
19b95a7495439647134a6f16df1d0dcc40c2e29c

SHA256
ff66d27f3892d276eb6072ec74fbc9b77c2be3dbdd0cb8232b52462776133274

SHA512
7995b8d8078709c8c2d516e4c29eaca46c725d1e377ed0ca1a7124b0dda843d8d028c6ff5ba90943242d3ebc0deee051e115d09b8c81074a10415acdedcc2685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e4ab9d6638207799aa1699f3e220720d

SHA1
a9105b508efb588be5e094cb005de45fcd772926

SHA256
053fe630e67ceaec658fcb744244e7910da8d0383076f4d87773a11be0fd0406

SHA512
695c18a0ec86d8886b7738a243f0cb664d35ef6b142a5e6920733af38e95bacb1c97e34791b643f1ed0da0253b420872c9d74837af95caeda7c221f361444258

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
390b347dd82767136958136bb954e493

SHA1
86b4a299e5c73d7409c41e94bdb5a03644b6acf7

SHA256
952bdbc86c9fe9e6295899ec5bc8998fb5e13ab6a36862265c6d90db725937cc

SHA512
bf4aaad1d2bac8e6ac7e380cc11856c977034a5486a15c9bbaa5944d045868e35da56a6508f6b4dc98112a3b910ffed0144de6621167898ca5e5afb4f4261148

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
eb8299c5ed50abfff2cc8534e9b51028

SHA1
c4e2d5fa0b25de174f2eb0abef5a573b2f654df7

SHA256
ae1eeed70999beab8ee10a67c7a7174bd2b96f78fd81bec5e5d3a165ac50cc43

SHA512
b1ec774c23f5b5b35f03501f70cbb6360b5063b3232330b52d29c98c7bbfce901e64149718c85dfc424fd56828391478947de5a5eaa66b46e679de3c33acad48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp689D.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8C54.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8E58.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Users\Admin\AppData\Roaming\bf9ebd518beeeac9.bin

Filesize
12KB

MD5
ee2cce721e160bbac87f42a49a97ec0c

SHA1
d0977f554be76eab7d2435d3a8c89ac8d7ddf4ef

SHA256
6bac110eeb97337defb758a8bf72ac043497564c7fbc5a4d6ba4adf49988d4eb

SHA512
4cafa9919e27c627050f1fdf59571afd84d53f15680e8c8b5fa264e0b983e8928798c6bf77d59b274a5b88cb335ca20ab57f751ebf7ae36fbefbbb9c9b6a3a11

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
59b5c7f62d23745a8249181e13721d87

SHA1
d8bb38966b817381b7088e20c49bcba256521b3a

SHA256
384f37523871b0bedb708f2fc9796b161a95d2e687b7c287448aed1a6b52b151

SHA512
59b98f4d1eee5753c087ff97277412c4ec5164544a1066075800a7084d01c91d0295a150f4a9699062857ef60eaa9a4bee2dc646e9669c3d6011ffdaee03a9a4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
202c00e498acde2796c1a87075edc1c3

SHA1
abe11915b39bcecbacf78a7ba17662c66835cb08

SHA256
d12204108d2428b22286ca509aecf383b968ed2b2933da0f387fc5372583cf70

SHA512
49f4a4165daa58e2a524acb1ee0ae1f7b3ab5eac65bc2b88ba78b8b35af951ca5fbb9f7082b452e13d4ed9390c4b5dc3cbfc10b12251d9d5196fb41513645830

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
547a3c7c928c7ebbda0b4cf8de88ab35

SHA1
2290c86e5a7ade46bd40dc1dfa15204d3ae87fe5

SHA256
eb0a941403610c155c3ace7bd55c0e73a720af1e5e08cf673ed407df5b2f4880

SHA512
309a8157c94f67feac7e3d99c7031ae027d1eeac170f7a35a9b0c6dcdeac09068ef22e25bd82116ca8d99735f6566a7af0a4e80813bbf3c6760c9230ea1bf9e2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
00e28642ac63dcaec564bb22c03fda3a

SHA1
5eb8be939ab8713de36cd88937a30b4356a0e349

SHA256
4a818d1bcc8d20be8c1616b30f5db060039e716e0053428690b95741271185d5

SHA512
a3f27762cc7deb839b143ac94b6996fdc7a6b23a133c10ffd6f6844c9483c6c60a7c4d2569347d9341d2ec33a2df9bfbcb574029712a641f89ab71ca4d9d7c4e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3484c9471bb9b1caba8b238ad7576461

SHA1
ebb56af1ff67261b6a362c18f518bef6b842e446

SHA256
63b868aabc4439fc293b069f65185cf05ed0593be05750246e433c541a6c549b

SHA512
135dd133662f037998b81eb10f7eb995b14ff9daee857873e186acabeea86cd345ca6fe4d9f043eef857eba3f4d2223571875163e1b079e7c2e7d6aec45c8838

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c4bbb2c19eb8818eeb89dad96c8e59d0

SHA1
39bae0156d854bf36612ed7a82b8ef3751a9e437

SHA256
2a6cc4ebd94ce7a662968d486b2678d13e016027d9b4ce7980aad89bbc442840

SHA512
0171b78d6e8b7a8e5e4594b4d90e4d304ae583c38fdade212364fdfcc1750238d19c7a83e57f643cfd764d2d3baef10564658bf31179746b29836376500029e5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
305096534f1ccc96d15e3a12a9fb1b9e

SHA1
c57d113801618bb0502490e72ff6a4b31ef39fa4

SHA256
daafb9f56a6f988f23548e05986ee90a338ab3cbcb5b72d884664be9038d9b0a

SHA512
8139ca35fd3172f31c30e0b2ee0c89e4dc1e85a3c7bb6fa5807ff5bfea39f81481f1dca123d37003b91a603c5427ebf5bb597f296457e46da9d488a31141a7e6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
735b78c6645a1efadfbbc15255b06fe9

SHA1
72bc8291837afff69b8849df1a5708394c63129c

SHA256
c56e68faf1d0219d7714534b444abe7d5e5e5451b9e95f1d01c7a0ce087c7717

SHA512
4b5b1b4b1dfec374900e51879a922add8c8cf5ff3f8f42a5ef4778f77ba9f6d2a5775e6100dd04a95e277160cc4e745dcccedf4bcde65dd2e63a439efdd5a8d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c1d187874105a39ae12f5c7d565543e1

SHA1
d53bf5e4e73f2e734effe4a50e6de2ef9a7b25ee

SHA256
666814662ea450f2b746c7fc14783e4550a157ebc9da21578ce58c9803c3052c

SHA512
a310102ac57532d54568052ef0f6095675a8428bbd34599c6ef0b5bfcde52104bc4f895cef97816a583788790756803e87d995672c5933c3a52ab293f2ac1805

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
73c358dedd0129aa9c5827dac4bdc0df

SHA1
822f632cdd849d800a6ec0e75b92ad2df51331e7

SHA256
a261e406e446292dee14542d68ef1e5feded1c16202819a29454da3f6cdd5135

SHA512
dbfb9ef64655fb4d783492a4e125681c7a6e0adbc4bdc170f0d88a52417cb4775b85dc6e15ec9250df647c7d38141ca565a3ab09f947a1c0ac6eb1acaf242f83

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6cfa84c72581ac5d1bc4ce367938b087

SHA1
50311539d89a432cdf62e54b17aaa9047f69cdf2

SHA256
4cbd4363ac67570d9b564eba015e5ec9650c94e862d0bcdd4450c109a7f81a46

SHA512
88c39ade987136ed6294928243b021b066a1e6a2d73603757061cb1b783fe7b558557e49907dc79006084fd756d1fa38eb116a3de34703c7177a77375ecf8bb7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
171ddd83f502378fc8f651cbe0d6090c

SHA1
c5240355a6158eb11205ed8924c1b2218cb1b135

SHA256
7e6644c1a260ed8c6b49f125b6d7127e80188d1fd933989656c7280068cc0925

SHA512
54781fcfcc2518d4d59406c21ce6b40cd3b31034278605f2f5730d4821cef687f4ea7266fa298e367bae5e1a247767f1971e88d731cc4cf49329da4af12a8021

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
57363492d9d5cf8184d012d03241675e

SHA1
520e0605e7fea0b0039d2dd9790fdcbeb641c7d2

SHA256
bb9f801c9a3d8803ea52013e2f1f15d8232b3dfb53b6546b755158dd69ccf537

SHA512
a14fdeafb507f47cd98b4a69387f6bd4836b65da0b688f899ded8eb2a041ebaa45b238cccb194c367cf632daae702e7f6e16201749f3aaed818130b45ebb41d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
25c615eb8af04455e6f1199cb2479c5f

SHA1
534fbe3c142989bb0d841dcc6434ddbb71353346

SHA256
2c4d440972f8f0c61dd67af67e50e5e9184360943a730e46887d39d90e48d23e

SHA512
127e3a96397e1a9274fb0c9754fef228d4ec340e68fee7157e1fd27a9d00bcf6adb3866bdead92f8dc51c278c8b760fb7e4fc10fb69e0191c09e265a785e1fc1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
57f2f6c2c6831031f5cc29fb5f3a6637

SHA1
4c3928855519e49e8485220ea38edd09e2f1e084

SHA256
d58f43f8cf0b360ef3386473fb6e654ab08be58b393ff51ba3941c0791107a89

SHA512
a8a79bce5da45b450d97bfb9d349849ce20b6e477d5fde73e8baa102717c8b3343a3758d82fafe72d4c6908c4340494730b313373e6a3e072d9ed6102d922f87

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46278f9ebe844a8150931ac76bfb362f

SHA1
feedc7ba3e4df2c882e21a04e437a9af97d0516e

SHA256
732dc5e08427e131ace4c1092e36862f0562b7ae651c471106c7539f2841951e

SHA512
e2d2be9e12f21368dc75fdc1fda15b7b22a7c5b15896c1e145b4c7eb464be5113629f1ed5f6143ca7cb48e5f7b6a28142d22f9ad779c96c9c43e9c5a30511689

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e42d4bbe77f5d6a83b84346ad5b644d9

SHA1
51ce4d91e5c32c390c3f5ddcead7766e81cc4214

SHA256
41a76cf60fed0761d93504885eeb5791cc5cc3603ea0a3e0987aa868fd35e6d8

SHA512
4a2b57b25777b0127494be9334f97840ac326d5c9b53a2daecdf5d66efa6ddcfccae69a16048ae5b88a5e7d781002863c807df40f68f001f0135335a29119e6e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
623fdb57dffb4c8e14ea33f9adf02e32

SHA1
39376eb311dc876b4c5b5aaaf4afd4c6ce521dfc

SHA256
6aba5d3ae4689171b2a207ef64c1b01aa11c954d53219d210af4110a4dbf4571

SHA512
d6fbdcd0ec394e1b6d1744a49f4ba85643433a3744195f1ff07aa00acf72ab0ff8908342612e51dd940b338a84bdd14c571a369f855105a2c6c168308ca75280

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
baae57b547ba6f90399bb0ef26446289

SHA1
6b6e5d7ef39064ca43ed4cf83e7c2a023b26ef2a

SHA256
2f3950c6b8cbd683f10ed9b879a81c6856b6ce7837625ebb3e7810eb048feb71

SHA512
5309fad6001d5abe975ba154cb4fcb0a6fb84b1bec164d72c9e6a96315f489a024b0ef3aca296c99c934fea0f8c99daff07b2d64013900e7287056acbb4a5fcb

Download Submit
memory/512-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/512-599-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/512-815-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/892-586-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/892-519-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/892-526-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/892-520-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1172-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1172-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1172-317-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1172-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1820-515-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1820-582-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1888-590-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1888-534-0x00000000007F0000-0x0000000000856000-memory.dmp

Filesize
408KB

Download
memory/1888-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1888-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1888-533-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1988-813-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1988-561-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2416-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-824-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2560-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2560-821-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2576-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2576-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2576-147-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2732-543-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2732-594-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2804-47-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2804-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2804-6-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/2804-1-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/3372-550-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3468-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-455-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-151-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3468-157-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3656-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3656-316-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3796-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3796-820-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4260-816-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4260-576-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4384-580-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4384-817-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-822-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4500-591-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4808-823-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4808-596-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4828-814-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4828-565-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4856-354-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4856-31-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4856-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4856-37-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5068-464-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/5068-458-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5068-505-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5068-511-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5068-459-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download