70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
Size

944KB
MD5

0bdc5f31eca0f46e5a627dcb359d7b2a
SHA1

10e670fed39cd816669f8f9270cf955b19c88946
SHA256

70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033
SHA512

e9d334d4d49f740ec53905a25b1dfd2cab4044350cec99a53c5d67ec6361e52d71ad90249c4b53fd370d84e01ba3bf49ff8e6d3e280717171d54811aadbfea79
SSDEEP

24576:oUhiHOeo8rin3thLcmaouGSPGM9ZQ8GYelhwOXGEDgm6:bhiHprothLcdPGM7nmoOl

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe

Executes dropped EXE 22 IoCs

pid	Process
3000	alg.exe
396	DiagnosticsHub.StandardCollector.Service.exe
2608	fxssvc.exe
1556	elevation_service.exe
2944	maintenanceservice.exe
4120	OSE.EXE
4200	Reader_sl.exe
3216	msdtc.exe
1592	PerceptionSimulationService.exe
4168	perfhost.exe
4724	locator.exe
2888	SensorDataService.exe
2716	snmptrap.exe
1136	spectrum.exe
3744	ssh-agent.exe
4308	TieringEngineService.exe
2732	AgentService.exe
4996	vds.exe
3264	vssvc.exe
4128	wbengine.exe
1492	WmiApSrv.exe
3340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\system32\dllhost.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\675b05e1d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000964f7ad81bb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000381dc5d71bb2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f156dfd71bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb6f76d71bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7e48bd71bb2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a42ebd71bb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bed178d71bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087147fd81bb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
396	DiagnosticsHub.StandardCollector.Service.exe
396	DiagnosticsHub.StandardCollector.Service.exe
396	DiagnosticsHub.StandardCollector.Service.exe
396	DiagnosticsHub.StandardCollector.Service.exe
396	DiagnosticsHub.StandardCollector.Service.exe
396	DiagnosticsHub.StandardCollector.Service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
Token: SeAuditPrivilege	2608	fxssvc.exe
Token: SeDebugPrivilege	396	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1556	elevation_service.exe
Token: SeRestorePrivilege	4308	TieringEngineService.exe
Token: SeManageVolumePrivilege	4308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2732	AgentService.exe
Token: SeBackupPrivilege	3264	vssvc.exe
Token: SeRestorePrivilege	3264	vssvc.exe
Token: SeAuditPrivilege	3264	vssvc.exe
Token: SeBackupPrivilege	4128	wbengine.exe
Token: SeRestorePrivilege	4128	wbengine.exe
Token: SeSecurityPrivilege	4128	wbengine.exe
Token: 33	3340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeDebugPrivilege	1556	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4284	AdobeARM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4284	400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe	85
PID 400 wrote to memory of 4284	400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe	85
PID 400 wrote to memory of 4284	400	70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe	85
PID 4284 wrote to memory of 4200	4284	AdobeARM.exe	97
PID 4284 wrote to memory of 4200	4284	AdobeARM.exe	97
PID 4284 wrote to memory of 4200	4284	AdobeARM.exe	97
PID 3340 wrote to memory of 2968	3340	SearchIndexer.exe	117
PID 3340 wrote to memory of 2968	3340	SearchIndexer.exe	117
PID 3340 wrote to memory of 2720	3340	SearchIndexer.exe	118
PID 3340 wrote to memory of 2720	3340	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe
"C:\Users\Admin\AppData\Local\Temp\70bc5dad07e98860a8970780e59d89f8449ba548f0eb72a77841e55499bb7033.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    - Executes dropped EXE
    PID:4200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
b84053a48e432d0d27ca0d510662d1e4

SHA1
1a05c986b2b3ff22b6a3d2175bd288a79b461502

SHA256
cc22dec4cd60af6733b6be5d3382b3f2babfe65652818729076b7492a2f0f68f

SHA512
35eb5043bbbec485e459283a489de6332aa59e2cec94265b2d3153cd71500a4127b6248d5f9950338972cf6451e01052fdfa2bac3dbaa3efedce3a6a4a2e7d80

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
b92df15be68dacbc3fdefbef1bd4d345

SHA1
896bdf1f89b98885fbcfedb0dc74049716b39f93

SHA256
211d2b3b87f14e13743ad5da245992ce828ba164526437a868f60ec0ee3b85e3

SHA512
b70f854336780cbf85cda3dfb8a4a9c45f6d4656d5e394b32f65f3a507a053b87ead6b938373c5e9a809595d326345cba5d4e603a0cff993875fc43e03e7f500

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
611KB

MD5
92d85f4f908c30162721b66b51d761c5

SHA1
d3e7170759fe007630b9de9c3149c64fcd699776

SHA256
98945bae8ef58344e29db0fd61b59d7e2d697b9d73eea47a116f2bdd9439c103

SHA512
03842c763df6f909500a83a121b661d4cc99e8299c5f74d1594a356479c6c2595734ffeee61bdd1aad293158670e78ddecbd27145b0a1a9e8b68d52706f0aab2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
662KB

MD5
0778dc3f3622c665a1d21e810ccd3b42

SHA1
ea1dac9f841fb42845c67bc003892df0777303de

SHA256
c40be977f1a3efbc2d98c9e31c741c3af62df674f712371819edb3751afeb0d3

SHA512
43e437e2c0e42aa63e32c60d3b662e4d62efeecdcc9ecc660074d8ceebe7435f5403808e25d7bf1c72c4abaaeaf381cfb7f405cc5571a9343a9dad481e79df72

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
973KB

MD5
7b34569fd85c1961f4bc15bb43591ef0

SHA1
fd8a79af6ba9a40cbed0933821099531c5d6d385

SHA256
499307878467a81bc575ba97322d8bff476166dcfba2d4f167aaa4fa49b07cee

SHA512
2c6ce5ebaf6debcb44925da6cada697824fee0374d9f29a251e6b73d7029f1b88147f0eefe1a38c99af212f66e8a81b82c252fba4498b417f7e0ec7f9c4066a1

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
836d12be703a0207e7257f4af424b07b

SHA1
12579cebf9599dde0ce25dd6f80b635f84942581

SHA256
1a8b4b3c3ee80b790d65f36be0355f03c85afa381a21087adf736f5a710e31eb

SHA512
531ab7e0a2bd2c28d5f96f70bcf06ff7e603b7a6a156138db0d4102b5b8a38a0b6b1cefe6b407bdbc9f7649f22dd2746027ef05210a9b7bce4f6f897e2636465

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d05400e4e9c83518fdb111c43ac2d7f0

SHA1
082091f4b3d0aa90fd10780bd4b107ca2e072ca0

SHA256
c18668b71eb48edd9a85a8ff0b426f4f17f9143b214287bf76899bf786351e6a

SHA512
4a042939d1f937230771309ceafc55de457cb508c6b82cac86e3d48053bd09c9364c157d6f9f4699fd51f32b73ceaa5259afd2065e14c5471ea04b36ab5ca754

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
83ea75cd61120ed941966dfb5059ba02

SHA1
15c936d12508a75d1f7968df4010f7c5e5440ecb

SHA256
fd7b0e5d35184016b0dce4b3762406435e835411b820fddcbc19ab7d06f3b794

SHA512
a6de3af5ec7e1406b843ef5f8f4801aaa6d4f018760af68ecad48cb2272e93a2046604166f2d311e8eb602732230101d8dbfd47fa8b227fc0d73f5520508b825

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
98842e33a2955547c7fa483037ebd184

SHA1
06426d5c0b5d3c828bcd5550d8dfae37ed53754f

SHA256
fefc0ab57982ba976537563ac3461b6668d504f720ff1f9c1f96f0e1a037dd49

SHA512
cd373e1d293efb9722e17608bc2ef7428e18cf4726a73e8a4baee76bb11828bf997ddb17b55900acd7cdbade099360103f258f02be385482460f7508eb0e9c4d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87ce05532c4b80ca0054e78a9e2e9016

SHA1
350cc6f1c1ede11ac6d90e66871bd8e82d680bd9

SHA256
31e4ce4c103dfede4e88d89d86f8218904da0e2c7bd798629c1701db96f92f48

SHA512
30eb99c20f947404dafafc7c933aae7263683efb7d6357f0f1d804822a1e52f039f94962e52ca01167495ba0f93bd562d08b508a36c15bb6404b24d73bf69085

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7cb9e5d6d84fd59d751e2a047eb815a4

SHA1
72d61dec48b456c4b0a333d7295089bf2fec8ec4

SHA256
a93676e4d48d41db47716cce2f7aaf19660a6f10ab31a0df5430b06e16e112ef

SHA512
c9eebc3e46e223e6a29f1fa2042468822b1f63cf3432adac054d16425e95a8ce77d756af22e71fb15d671d8dc83f69900d6f3ef32a5da642f8fe1e7831a1a584

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d679e18314fe36b0274f4e84e39096c0

SHA1
61b216211a05e46563dc23226bd0ebd2406dc91c

SHA256
e6cb3c62924e9e0b442e499be813099efa19174f1c21f63eee96487e87eeeeec

SHA512
49aeecff42b9bfe1c2b1b1f823ea836baf7c614e0d5b4e4809729216d522e7a804fbc63a5fcfc739e01bd2c3c998b623379c838ce93e628ecb9d14b8071fcd4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
864bd701056391bdbdcae57c4838690f

SHA1
8d9ea7e87de124719bcb3c611dd2ef7979624108

SHA256
58f87f9f48e7a212f217620e395eec9e2f963852a638ab4b178404d9c3000fb5

SHA512
1f51c9bd50611d7fc7f61396b638c7b9882a7f87d39a4aa1a99b64cc375b883a030085373bc70a468682da6b5ce83ac03dafd3563e26fa2825873ccb8b712628

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
80a2e1ecf6cba363788421cd91d73203

SHA1
d329f61f1659ec6612f3b9ec63ed5e2a3ca0f8f9

SHA256
73d112cfbfc363746bacae7883a6dc9a519ce835e28b8798418b511fc8974292

SHA512
1947ed4a8b366a870f5cc71981d62a760ec5ba925767029851c0261eb0964be38c7499792ff1117914cc1f5f6ba5d0b7636e7e255f9a6e5cf3ac800f65bf5c6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a0ebc362b9217aaecfc725b8d2d76e24

SHA1
fa4e4e9a3e3f38164ef7b255299ff122e2710162

SHA256
24b8093db6843195111f75bf4d27bf5306d73d14945ad362fb6aca376ac373ed

SHA512
f6e4707aea5b71a414e9524da44ca9275c1f774530a612c52bdefcf1c186a5bf5ff96fe7fc96de418be0a1541f012e81f8896fb929d92e244a8a789a65292e80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a4e7dc1e634d5cf602ac271c73cf844a

SHA1
acc84213b6ad3ce054d56ae58d9f48be58edb0fc

SHA256
4a203b838b803145503223dcd0df03e6abb5ef758b4b7ea5bd3cc4108a8357fb

SHA512
1f074e096d18121c15d3ca2173a64b05ac489afbfc5803c341141fcc21050474a08077d710139c1153b07214f0b078d7682faa5b9e188922ca866adb66e3fa4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2ae0df875f74f5534db24a44a3c06d89

SHA1
173d39b946f9f174407b5c8d5cbe45143cfe51c3

SHA256
46d495ee02575a416ecf66256ab663b66068c7d1a15092e4835f9afb5b9df7c8

SHA512
1e367c4f2136bab5cdd2fdf2e0e3de6549927d826e3cb8b1e9aa8e51a6c50f0553db249e1899c0771e2d1ff78985f5cbb0aecc76dc4a6b0cba29573f1661c718

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
35b1f22731f64f0b0fe2ed0fdbfb044e

SHA1
bf6c609ddc1ebcaaff2f1c2903dabbf04eae80d2

SHA256
161c50cad78f81fafe995c3bd969dd5bf775c33ed57c481dc71bd5ecd70998d6

SHA512
929ce1925e88576955bdf3a9243ffefb845fa59180df9e9c4d519c597de0fc8787d5364c8458adde05010c45774b211beac2a0226b0698869381340ad11221a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7b64b60338baf63b59c7f46e0fc1d038

SHA1
dcabc00be4177030746656502d09dc7e79f66628

SHA256
f92a0137507c340e81c70456541474fd1bdb61b929eeb6703989a515752a34e3

SHA512
953216cbba71d7d7e5c2450ad7a5eb76b26dd97086e16908ec20c486905d4cda19d8818645379d66081782beb41110d8d82b532d64d4c470cfb3b8bf9f052956

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a06d8f3101e9e0aaeb2c31468dcaaf51

SHA1
65c7e558112f17bdf27402c8be0b377ce245fd3a

SHA256
9d5c83109e2afa5535a5cb3e519fa61c57f6129de66c6d5c30a96e64cfd5f4dd

SHA512
a49683f5eb05a1ca90f960d727d1a932613e6b3f542f811fb1af4d11d2e789e135ddcca6fab36ee6b7b2186d34c2c3ccdcb7008050771db05a181bef53fba710

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6abd26faccb1e22071279d8fe6de98db

SHA1
463d9cc4ba758a5f0695c7241384f3eef50b8268

SHA256
4b492c9d667709a30102b9e10731136ac3327f81f6be2452e3041836b181fa4c

SHA512
984b3130df7672760f9f356a8678ac004ef9897ebcd51b303f2ee7f5235f6d56baca166924435487350b096d07592be370105200871cbcb47aced94d47224ce6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
73acf4e536ce4b0612b742ba8d47cfa4

SHA1
c6824090319f64019457b6017b778ae020dfb881

SHA256
f12d62ad26ba4e36a0486c493a34ad6fc54682c63580b2f76c3b95e84fd9d1e8

SHA512
077dc32bf0a64189d940d1fc8ac14d078ee78770ea84c8e993af2d59f767bf227e21012272040e64fa265289a963a4548d48d4df0e21d6ae120f797e2dd6cbea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
980b2e53c602cbcc8adc2735ce6b8c4a

SHA1
92bf9e12f670d5db13458b2b0566b6df254616b4

SHA256
a48056012a3c2004a694e70aa9ad547bb3209d58ca9e1a8048fc5ca0b7496679

SHA512
ea6e6a773dac5e43719faba96e541ff9da60bd88b83a7bebb72de006a0c2e433f458d489585f4c199e4e2d59ac141117102c71bf0b17b12623dfed463c3144ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c2d8e696d3a61460a1c7fe8f43cc0f30

SHA1
1e68b7b2171ee13ed301a79870a8c27b968e67c8

SHA256
1b7e873b550adc7b7cb68a86947f458ca24bf619b7dd573f1a5b1a48cb8ca230

SHA512
a3c80e08a90b88ed3957b31d4c60d2480ebbcf9e0f2f0a4658d5b6e7102b0493c699f66adcdb89abb6a6288dc78032b2991253c7ad2bd5eb63008d654af9fca5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0f9ec74b9581a6ce6193c24aeb5eabeb

SHA1
33a1f255b8a967b67e3044209f14f961359c4861

SHA256
037f6e8e02efc250c27671f2164bb0d5e4e2d11a86b23bb23a0ac8c096ad72ca

SHA512
d17f5f2e45dbae0d05db0418ce06978985e4edcae51716d5d532f108950115fef7ccb66fca428beb794522647bc820c0a6126bf5b38f0c24e5483db12869722b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
812457275a80e61da1ca30453d08034e

SHA1
caa5626059bd57f864241fb819954217a5772009

SHA256
5d2bc235ccab4d740c1481b8f41108ee8cb31fdf506aca5f6c4387ed49ff09d3

SHA512
f8ce16e8064ea37624baca94dc2287283db44b8c9ac635ec831bcd1e9f073098df325d890fa0b1c89e1e60c90c226c7742bce2542b1c6df9418bd83890e3a32c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
34759757643da781fe35c807069aebfc

SHA1
22b92d29bf01a6b857b7677c6b95a9d28930a208

SHA256
6058171177367f625ffe22d1696ce8ad5f1607e687a53394dddf59791da0eb09

SHA512
fd836382f11752a58a706ca96d96c4443cab2f4a3959f6847a9d225f2f8dcc97471c4c1177ce86934abd97b5981ce80aecee1d1521e409bf3c0d3285574e34e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4cbe9a64bb8c178be56a3de0a0af514b

SHA1
45baca56c04021208f2b3d55358175430df0fe41

SHA256
53265f8c97fcb4f11ebe789a0dca1ab0e7ec853638de4fcdb3242733c150ade1

SHA512
af9305c0242171f7d6dc617cae99df0e89f9950eaca3d595e6b84ee5166497f0cda9d55a6d4bec72278adcd87c9a1cf04eedb212e220c507ecfa8ac0b65b5dde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f2e6f4362a4dc0fe7c541969e1f0f211

SHA1
6b699db0bfd71f79b246748b99b3f6006d6c617e

SHA256
366b8b4dd4f0eaa48e586be1a8267cb8c556280108f9bd0dc98c58037c557059

SHA512
218927a7eac044fbfb44890cc896d4b01bbae6b3c861b9ab279da8aff4ad45bd3539d1963e1c07cc36b9e7635ecfa01b5cc57270c4ac0ce7dd07ed72613b4a36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
800c6cd20790c67f6a98c9b88014baec

SHA1
d0df5e382bb06688aaf97a5eceb19a08e14c35f7

SHA256
fd59de266ef476d77cf406a4804af7bf5654c0b5a4c60f059a9adeeb24c0ce0d

SHA512
d19b0aad4fea96ec8a51f94c6248f76500372b3cedc027d649c35f9e7db99159d633d2a635ca7b91a52ddf257eb7e1070a55c47bcff558d40ca2e25690e54da8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9d2ab7f39b78224f4abb99aade70e760

SHA1
0d39ba72c5c2f11e6c2a6b65bb47525f45c97bf4

SHA256
657dfcfb29b2b805cf21695031c9c7e4efe35ec92064052935c6f4d4d261269b

SHA512
40000c600eafc252efe7f6f3a2ca6023333a61f671c84d13160d8ef027d034f207803fa45bf59cdc68eb7e551d57fa71be1ccfe61fb53b5febcf62376102a347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
05c5c3174df0d46e17bed8f4f0f73384

SHA1
381d5b827e3cd45e77e35d4d30a56bdd09871284

SHA256
d8a5a8e4c07e594c625f71bac891188531e4657a0727681f2b00d815167e7e3b

SHA512
affd963d61de91c3689eecb02263c5848ae8fedee04f99ebbb6427c1ca14f3cf6b8343e56d1bdc1003d9dc601c3309e48d6b86044b6b0dfdda0839c81060a63a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2a2a7c1219271284c5f449cf8a2b372d

SHA1
fdb564e338bcb3694de16439b8f3190bdb799b6c

SHA256
16cbd5db2f1ce1416d83cc3b7f7d49488f51c20661072c3d9a0288d50b626c24

SHA512
09ff91a7ed5407439b29bb46c63a41484b9a8558710e8991627a258abd2cb77f63953a660988ba5bb3748b6a05eceb29bda9b62d3464c7e9968cf63405319c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
be8419789bc2f81bbb07daab6acfe0ea

SHA1
89b35637fe60009feae97bbff678ab350a7f6115

SHA256
252147dae2b0981097c3730521ccefcd91392ed35deebe93ac35a1e4bb772117

SHA512
3629303042613ec612d7ded7fb45fbdc3991fc781c88cdf29132bdd7c3bf8bc8dc2afe58caa99ae9bb65b18598a10aaa0a65c703c3fee0f89c8fe2acbd36f130

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f389f64f45eabe0c8a701f0bb840207d

SHA1
d7533c7f448de0964222948388f6f428c1caf981

SHA256
5f17864142a55a7dbe38861781e0f54b4b3a5200bc5027dcd798ac0e9985e0f5

SHA512
c3d0a37ce9e2888c64d45ae7986397d8bf5e3ae33029c6946949e87183d55e1bc2012baa9af3193f12c53c5df7a26f7bf42c9e7549926326169e4042034caf25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ddcadb82199a0b6dd765afcba11793b5

SHA1
676f5b04325f3bca73d5dbd914e27cd6deffec8d

SHA256
3e6e1463d5c871f137a71908cb67e06c94dab7eeb6e09f660ee9d454cf3139b8

SHA512
165906169b01e68ec7511a8a7c462b6e5f9d35a9298919a276db75d7aa88484b475bc7948bef29f37ef27491f5677c999fe32c6c5b3d1170f89ad0ab4ea212af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
75c702b6207fa0894a990bd86d6d3764

SHA1
483a4f53e0a236653a9cfa29411dabdbdc04308c

SHA256
982eb991ec823f9dfcbd991770d4b9b0b5214a80355d91f775170bac7957f8ef

SHA512
92e2dd68301109e68fdc32c28a7b4f49d44f7dd899b0be31dba26fb001ce951f04b01f5331558a498ed5abc1f6b24a98c5e882467471343d7f862f843920cd39

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b8c3eab7a7592bca5dc6ed7f3efa1133

SHA1
c248a908eb17c1c5814f13bd07fbaedab5951bbd

SHA256
81aa3fc8f53c73bf0c14e83c62158991bee05b79d6fcafc7b43fe63b341e3cea

SHA512
f94551cc08154a5436de0d60fac4a6262aedc5d392df7dc863e6a2ab97c91f754a969f7c1dfc3e7678f5c50317d0ac4e23a35e29f33b30580e61da9f594a6a97

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
e6746b1ed1454360c9d5a394d360bbb8

SHA1
b5b5fceee119dfb29d69e8ee149f885d140c1eed

SHA256
2fcd5360c85bc5f10eae2ac28dd2f0cb05ecce1283956f1d69c07379199eb46d

SHA512
eba6241c55fa3389328813103271a5478916f5bb94ea555c6387894992ddde3bdbdae66fb8028591671eabf9ba38681f574437328335448ec349c19bbf3e15cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6E89.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8DBB.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8FEF.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Users\Admin\AppData\Roaming\675b05e1d590e271.bin

Filesize
12KB

MD5
51401eb50078a034cc8215215847569d

SHA1
08a7e16771361a35543efff032ec2ee740f6d502

SHA256
0a0b9a1073654ad58cdbf409bcad4ac25f82e1da1492ebce34ee6a5edb7c65e1

SHA512
fe62b2f2a17ad8b5fbbf17b79269bc63fd9c85d6ba82b850029c2a5cbfc9e68f2e32d29acbd3a68483bb60e31012751e3178f9aadf36bd11f8868c25e085f49b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
49c72c6f7a49260ae823caf5f8889455

SHA1
63a12a43ad9983a4c6b786c444e388d8e73a5196

SHA256
177be874680c0fff414374e69b1747a03a1e479775e6615acbadcbe436dbed38

SHA512
8bc0d63e79b58ca42c05e8cd0fb82a9dd7af908bd34e0cae3a51d8fa58ef1e1827f192a525b90bedde4115cbbe1ce9a3436fee3ff4d818e3812c2739650bfc29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c293a245d4abc8ba486372bac65e9844

SHA1
6306f88d72ded1dd8142fb9aecc02cbd7a2d6277

SHA256
07071cec919d8c4dc71956db3cfae2dc188ff8eba58d90daa43641c11d717bdf

SHA512
7fae75879a9a95193acd04c3f196f98a482ab48cd9594a57cf04f856f7273d28e3d0cd4609775c7fbed9dbdcf3404860d541d388429d20aeb10e6b39819ac79b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
260da601ad3470c136b3ae759ca4aac5

SHA1
86b37817fa8ae44acda340ac227a397bc4992573

SHA256
c83db726247bdce623c50e2832d7259d176a9d481e9cdfa0eedae0585a7fe368

SHA512
d91b0f3d9a8083084961f8db5c6c8c873a221749cbdf7c4e7dfc62e4b8b9aaff126994de378f66ab75988e60ebe1b13d5c0a2d92bfa4dfff3040f9a3b719b2f7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
548b6406e7b98a64a2d54c6a509037fd

SHA1
7de68c0d4bfe1f37f3d341e22082758b560aa95d

SHA256
cc4be1a20380e14d0f04096cec35a96aa7e3739cf5cd5a1075ed0cc832eda3be

SHA512
ad13d22fffa39d82395322c5f6bb7421cfc8fae4933791cb84ff65e6de1ad448bf9da85d03103801859214e5569308a6dbe7d0426fddb0c61d13dbdd90396e10

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
009b85e268b2afc596bd1d1ccb4b1317

SHA1
439610f60caaec831924008078f0195829025cbe

SHA256
80fac9ba1e31db784166d8ef1240b4b8ebfebadd5f4add079382838d992e81be

SHA512
bbb8c9e464f49fb562f7a9920dad2a36ee551f9efb307998a13a13ddff6ad5f50d3ca4bb91b4f770c6346c8daa08b78f399231f04ee76ac2ea340d3072ad6682

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d1d72d8a0d9de6602ff4ea2325d2b690

SHA1
04679f47d4062165b0dd95602dc105685fb327d2

SHA256
f9c0752836af993b4a138c6e4b4a3f137a444707adb4fbd4751243de5e00bf4b

SHA512
3605bd448beb21e35ff4b0e6d5baed85ab3dff01102a21e1bcc22670830dc1439ee0c96d842f5e39df90ff8770e78205af98245aeb26859b82994f0416c2515e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9e1e259bbb891d093ee406be118cda31

SHA1
626e359950c3c91f71e451259a9c2d68ce2bd249

SHA256
186d2e94bc590dd524fd06d05eecc6052f2f95c9bbc4ce1434bc5ae7cd2906dc

SHA512
1b44ba041045f50d9173d9dfd6cabb43d2fc4fd25d028c4d4e4207bed37c526547b894ea70563b6d632a6a16922dcc4b91a333f4070bb5319682f81dad036a5d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06606ab3e325725191c8fad3f9502dfd

SHA1
abc9b8a8b87e994c617334a36ca5d55fa63b71af

SHA256
2a0b8fdf6f37916b8a713264bf3a22f1c879ef6be393cb90694b7ffac93daf39

SHA512
c1d7df24d8bc52f5187c0d9ee6715ca6256dc874b2c14bd0a034a01eb20e62234f589115191ab218446e8e42d78099ed7306ec1dc86f4495766c0f5505a95f8b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aeaf7c06882b22d15d766bf0063c4662

SHA1
566d0d697562675d75f777b376c6922471dc657b

SHA256
4a631b34059e25dbb784050119e7a3d4e34406c8aaac8e242b78efba9daab34a

SHA512
a851e5516114e51807f7385f196f1b0e3972d081b4e8417029f12af973914843a84b57783d54d64b99fee806b6e8645dc4518a08fdba48e879ae2dad0413cc61

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4004e3a82d8794a8143358982ae2e2b2

SHA1
e545136b62f092813b44b5261e5a7d1458e63a68

SHA256
864d1f38038d345fa30023ad75047edac96f4940c1089c96b47e7940714b3b75

SHA512
317c3a28bfb461183a7254b2ddf58a5db2db7ae1c01140636de4fd3f67dde30a1c7d4046b350f2bab6a6f59a5aaed7a14755c28fe4257ef63d348e7e9b445b0f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
deaf35d90db201d6aadd71c8392c30bb

SHA1
e2262cedb866760826e6cfa10a8314f6340beed7

SHA256
e73ca908575dcd6f71ac874166644b870bbc8ab5b6e80bfc06e640b949a8813c

SHA512
04f1f79087214c3e2ab214b0efd0038da71f7d2b484564371a78579bc4a7c028eace2c1ebec26da41771ccac3734591bfc5971ad0fc7e8974d05ce77c42bc02c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
26cbac4d65e158fea97f0e5d165e28ed

SHA1
604f4eb92c4c78068feffcf9f6f3fc14ec41e0ab

SHA256
728e932034e08c63b32b887f44ceb5ea04ff1d753fd993e586ae88fccae366a2

SHA512
fd1927b7da1d81966c854bf3611efdeea3dcc0cafd9ef528e2602b8fef6e6c7d1a009dbe4583290c264b1b6d9566a1dbef592a18ddd5e4bfd8353da3ffd9e802

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
59f6595514c7cba6c799ae80f4b458a7

SHA1
0abe73ddb53e9727f71a533072a938099683ef73

SHA256
ea13bb0f0285497e8d0c2a689dff78ede16c25ffc7e422e08d94b35a7e8b9b75

SHA512
d989d0f70accf02f6d3b4d55e51df64d10de7aeb4eb87133b6d1930c47c9b5e3bf1d2fb52730cbae0f8e8f0006493d6f5bf8ab572b7bc9df55a17a1548b4cf76

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
72a364f7dedddded2b606e1f7aa9a2df

SHA1
07ae098747a5adce4e0665c20aca3b7d70de9cdb

SHA256
2f2b99d0958d61ea44164f280c5f1e06a20a08d5052873544a9b6abe4821c90c

SHA512
b7cbe7669ed9e67f4a7a71c2e3b54f49cdc1b3a115914587b15185c5ed835492f7e841b4b21a475b47beaa3d99feda7011025366395a2188c2f67ddb83cb6517

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c3de99bef805c01e2b99c5ed8444c81a

SHA1
d4efffb368432242b4d80713ac68332e2a6d764d

SHA256
14cb71d91d446252275e661d17324da72e8798302bdd7007e3d4de08f2321fbd

SHA512
084ecc5d8ff2a1912aa2dcaa60884322a7d942a33572116fbae5345d1dc7cd4506d81a225d22922e8987a61bf39cd510ccadd20c548e3f124152564a74b31664

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
937fbb6e2ad71a18b09d9360cf981016

SHA1
9a7ce53665478490b26033dd66617c9554c4f520

SHA256
de3d2929e886cfb6cc8584f9135a8fb7b8d7b932d9244e5290a3cd44407fdef5

SHA512
316522df58976b468373c47e60bb52a34c8d63458612953273158c338285c37dbf37874d6ef44227ab402b715bf1934b36c4a388fcd6de500d0b9a5fee66fa42

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0834c1b2d05f476e7e0eabafcdfe134e

SHA1
5fd047db008455fa38cebf06c9712c9b1ac87814

SHA256
f0fae673cd22d16cbc5702e93e3ba0a6d9ee6107d97726d436769ad66c870db4

SHA512
2e27ec7b45686d2bd88c9903043a1e76189e952851e89abc64210330b93c11a1a4730270cef70e8ce5eb311d103a6cbb0ad230c821e7bd71d6fe8f1daaca83c7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ec3e683f5475d738e1e000783f720bfe

SHA1
2a2ce9d335d5e8ab42e64caf9133664ca27c7f3f

SHA256
4c73cd3a3677b17024bd2f010d7a77695f3dd5c9f9dd6f482962dee622b8aaa0

SHA512
2970437fe71988b9cb94e6c9c25a05f6113eb1f80f54a3f1cc59631c389a65d1f3c3d2c7c3d0758b6a1ea7db09851f6168c4e8926b812ac04d47fba77a4b7941

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e7c342bd90412eead02453e0ee6e8f7f

SHA1
6cd0527121667d4b16e12e38777f6868425dac00

SHA256
b23299431849491e8127a7c95caac6607cb179dd4ddf87d1bdd5db1b23318db1

SHA512
441c7c9fe1477bec828704a4ad70d55200362eb78797338e2411d2ffb8fc606f5a921d7999be7acadbefc26f3db5802b57438f11788cdb146c4ae4cb66e41321

Download Submit
memory/396-316-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/396-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/396-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/396-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/400-6-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/400-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/400-32-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/400-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1136-562-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1136-766-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1492-597-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1492-775-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1556-128-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1556-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1556-353-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1556-119-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1592-588-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1592-520-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1592-525-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1592-527-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2608-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2608-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2716-552-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2732-581-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2732-582-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2888-768-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2888-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2888-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2944-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-134-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2944-140-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2944-144-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2944-133-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3000-315-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3000-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3216-516-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3216-584-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3264-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3264-773-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3340-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3340-776-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3744-767-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3744-566-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4120-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4120-155-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4120-149-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4120-456-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4128-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4128-774-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4168-592-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4168-534-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4168-535-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/4200-463-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4200-457-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4200-459-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4200-504-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4200-510-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4308-577-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4308-769-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4724-544-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4996-585-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4996-772-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download