18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
Size

625KB
MD5

ea2ea1be68a2d6ee00592e28935de921
SHA1

e52815021ec496a6e395592bc76af29186d736f7
SHA256

18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2
SHA512

52ae008692e9c78c194082b07323ac99022182418d6735648c138cf279abe995c4fb4a5725395f5f97c572f92505a287b0e16f7db769602a316db073516ec6e4
SSDEEP

12288:72HWRPelh8t14F4YfDY+o7KO68G2G9Ih40cjs31K6fq+hTR9PyuV5xFpQo:q2Rmlh8t0D+7y8G2G9yL0cMoThTR9PyU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2280	alg.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
1236	fxssvc.exe
4988	elevation_service.exe
2244	elevation_service.exe
4664	maintenanceservice.exe
3564	msdtc.exe
1496	OSE.EXE
996	PerceptionSimulationService.exe
3796	perfhost.exe
452	locator.exe
2564	SensorDataService.exe
3400	snmptrap.exe
4384	spectrum.exe
3608	ssh-agent.exe
2232	TieringEngineService.exe
408	AgentService.exe
4288	vds.exe
3888	vssvc.exe
1648	wbengine.exe
1768	WmiApSrv.exe
5092	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d17d23744ba38143.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\System32\vds.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076d36d387cc2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ae1943f7cc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db17ed3f7cc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dfddc397cc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba4964387cc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000be680387cc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c319ce3f7cc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe
4988	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2816	18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
Token: SeAuditPrivilege	1236	fxssvc.exe
Token: SeRestorePrivilege	2232	TieringEngineService.exe
Token: SeManageVolumePrivilege	2232	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	408	AgentService.exe
Token: SeBackupPrivilege	3888	vssvc.exe
Token: SeRestorePrivilege	3888	vssvc.exe
Token: SeAuditPrivilege	3888	vssvc.exe
Token: SeBackupPrivilege	1648	wbengine.exe
Token: SeRestorePrivilege	1648	wbengine.exe
Token: SeSecurityPrivilege	1648	wbengine.exe
Token: 33	5092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeDebugPrivilege	2800	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4988	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2424	5092	SearchIndexer.exe	112
PID 5092 wrote to memory of 2424	5092	SearchIndexer.exe	112
PID 5092 wrote to memory of 548	5092	SearchIndexer.exe	113
PID 5092 wrote to memory of 548	5092	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe
"C:\Users\Admin\AppData\Local\Temp\18012f3692b02f98c0f7ef80e5e84565eaeb23efd73d2b3a87b05c12be2194f2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
32ae5a692332af238ddaed2ce152366e

SHA1
e8eaa8d4095a32ddcdda48bbd1aff29d8620b824

SHA256
79770327a52e997545f52b5ed28844dbe2626266c3a7944393cee7726cd67db7

SHA512
ad4fb134c5cd24d1cf294e936eafe77181b903c064ca3caba8c4145bd0db4a613d3662c9a1c5c4665ea054096704330ea98d07157826566d8166d9f3a99d3a03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bccfd9a48ffddf00bdfaccdab43c9c2c

SHA1
2dd68c93bbd96ac77d55252c11e0c293776dfbb4

SHA256
350324aa71bb08c817bf37faf5397b21f7030f6f5655270e6183082925ba64b3

SHA512
3398f2ce2997fe5b2b570b4af9d8ec76dfdd67e55587d3c83f2f9abac8d5a20146a2d6fe9bd7514c8458ee2cf9b1772a70cb2b18eae9678742ed164579522866

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
02d0fdd25c6a74e32a5acc543e1c8060

SHA1
23d4e13a1a125ea4049798ea97f3b8858ee5f2b0

SHA256
1d76527b1d039f21d2b1e1fa3cdeaf458857cc986a7998cf0052b0a4ab37ac4e

SHA512
023be2de9cbf0d4dbaf34800c8ab96b58e716923c4f786a5a64f2be0ae72d80aeb8109a5ddf131aa3c3118ccebed79c2d623b55f7464b07853a12e799cc62e20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b5a5427d9248519cbaff0fe816f31294

SHA1
aa481e4b446ac06b952ad1d758bc59a76e3cb548

SHA256
7eac567490a56b964e816e2d4fda40fe0548dace0df5d7533981aa09557f55a4

SHA512
1c0bdc33f5d528d9d3498246e1d267739fb29a388d150dd155dbc993737055f8108efa40702ba6366c2a51c7e358ec047e3a12e7be73b5545c497521c79d16f6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
47a093e8e9bd85871830ee5e3068115d

SHA1
404ab63e3e485173f6e1d4e5f9b89b008a265b1c

SHA256
4d2d8741e992c2fceed92bd05c675920d4e7066fdad15fe2b5c9fe7aa1e3dcc1

SHA512
eeda3379b604d01cd12239422352d4a170b145d7beaaaf33b3674e6042fa3e48846f26a73e535278e0259440cb37aa61d0f452a011d154554bf42c362540d77f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
09afbd4026350865983976a13c001a1f

SHA1
e57fc6eae53dbb23b74b03de1f2f89fce2df9a37

SHA256
521fd285d06a975a29acf60b31a97a35d6266c7fb3e55254831774a4ed3e0ae2

SHA512
520187db8ebd4606fa7927376e66d7f6d95f3b994ad474dc6616b22230d8fedf295b409c795b0abf2054b7bcf65d082f172dabb77a1253337c64da463c2746ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0e7777501e651ff24dc0e5d7bbe065d2

SHA1
6aad09accf2462efe63f5b75dffea73992cbafb0

SHA256
8a1e363af674500b35e7c94f79284b8d7ef7fff5cf7a8d1e4a10a02399c3a522

SHA512
24d4130428fa980fad1df230fec6ceb799cec3b3e452fecfa0c770ccedb715077928299aba0568a4b1e35c46844b058404c24441a8df9427fb0352ba74f86c69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6c920406de9b1442d2f85fb18037ff4d

SHA1
81ef23457d06bdd0752e3e0e2a29e99f0bcf0a64

SHA256
9e9da066a545f806eaad5b7bf7d87b2775222d80f48b96a21565c372f84d6edf

SHA512
f8f28134debd24e49a11a664191e7e04e69706b83c385b7fcab7c86fcf9fbfbf03a2c1084e8e65fd44e19988e765a0e91564320aa7026c13995861b7f4808f1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e115e5fdf6919be288d938d00d32c175

SHA1
cf2f1c17ea67e6191d8f539ee68aaf1f181f24ad

SHA256
bfc2bca6e6935d4c127ce9ec8946e8d3ca2031222ca37adc958c38c991b751aa

SHA512
cf407cf024f3f0f45a8db6ffd652b1b60c79ab83e5ab353f04bc3b2f0f5c289991cee3aefbc50a3af6e6b8fa5c52a8275d723ee575002148933180b98ef2ebb3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6510b28654bd512595be99a7b72f8812

SHA1
8195acd1200eaa285d168a5df240bcd0b575e2b6

SHA256
90ee69f53bf965724cab54fc1dfd6082c4e58f7eda54909f7730ff64e38f6bb4

SHA512
e93ab036afd3015964f8a63c3b17e09139e8a8f750e69cb5d18cdcf4d5fd7b7c35c5bfc0cc70d9f8e7750f2c5dbf82d5320e6458163603d3d81526656f142ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4b46ab8f86878041134e668dcb77e43b

SHA1
53c1d2bcccb156a40bf137123e59f4b0aeb4cdc8

SHA256
e2f45e196d8ebb98a172284451f6ff0250a272701c7244d9678a430de45931cc

SHA512
4f8bedec9a0df2b61847de04c05f5507d9fd6b8e1c1bde2611f1a8f44bb976b2d6c5a092fd0f6fbd6d9c3e5951862f3d76d248a01dad9604dc5f71fa8539a19f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d9ef761a3bfd36a870a92ba49a6275b6

SHA1
c9de41a1e9d5cf6149833e29d9198c5d35558ee4

SHA256
c2dce235a6f869f8ebe0feb05551446af9de8320f3b75baa60e856f9de0556b7

SHA512
e1138f9c5a1aadbffd7351c351dfe65359893d6de7127a2bc8f49efee1ad6a2157184d7f7158687cae32d20d340d7d206815b2e537f66b41e8ceda695bdfa0fc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7127782371ddd40d524640ff42bfd516

SHA1
ded45a46622f754c78a2e5657c80c5c2e5fefa9b

SHA256
f39fe0e529efe3ceeceb4a443dd4eadfca86db09ef2be995be634ef2c6ae3e7a

SHA512
8f29f57756b2a671934badbbe0da868cf67d82e77f0dd7e65dba5e6c0f754b6ab08363fd2ba1ae21914819ed45e1f33e138f290870c4180d2035c1e4961ea728

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8075c45ec753afbe43e76e9e6d8bf6a6

SHA1
13a0d80d601d7ad796ab21b132c5fc6224e2a6cf

SHA256
1b2817e5b3acad02b53b1d7eb4da67275fcc5e6c4b90dd67cc7e9dcf7ebf87ed

SHA512
c2e714a2329618dc98c64bb682b857d680c1c9e7889af6c9ee200069065a8a9b3c75ccbcf87cb65478cdd8b40f16b720059cb0e6caa345c09299e7c065c13431

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a3fc8f1004bd1cb1b41070d3c85a111d

SHA1
3a26d620a5f08af203ba5e22da0cc1468b2a40c7

SHA256
355c140970c1533610ef2dd3b0f2dbae135e62224e5f8fb9c87136e38b803ab2

SHA512
3f7a184bdc56a38744aace77b412da460b9cdd13b4e740c69b5113b7bfa72ed8e237181670f364ddc8861422442036e017c93acfbc350fbc298421ec3c266e3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b650ea3fbd79270aeee8ad19ce65f2e6

SHA1
2e07a3b5618338782db90e6bad5ca63bbd63310c

SHA256
0126de4309f2e650deaac4a5804c5d5da0caf7212f0806f96ac9b256d491bc98

SHA512
63971f2c3c9474b5a08fa5cbe18f5ee9dd720c940b6453288c37b4bfc55869e9726a26073754d660140e8d5fe1627936032c9a08992e4ae1971dcc71e23dcb61

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f4116c7f423ab225407891cdb08ef131

SHA1
64692f8b1e140012f4a2b8baea3d14ff9093ac10

SHA256
03ba8108106e7f4849a69c842532a4c1a238cfc5cf9069168fb90e9f545fe149

SHA512
66057e6e8962a69165300ede4aa2be3e87ba6db816bd3ca5be37c8218130a77ec4cde77908a0035cc8dc39192880d3bbe68ad8b4a2e1508f5febb4424e6a0b81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
00c652af142c3bd810cdd10771ea032e

SHA1
5e31d8bc2a19e13a901269adcec3d3f2b63f05ba

SHA256
bd5b78415213d2ab85a0a7a115cd09234b8d2705b2ddb7253dca9bb141369ec3

SHA512
beaacde61acdb2d99292237bdaefeca39ed30821bf4a7584afc25a745def88c2127467c547628b10540ecdea2c890c67c580376e4a42f46f6946badcd93df920

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
800222bae51b214108c8fe042f84fa5f

SHA1
65de903cbccc64ce9ada9c9be23e7825e1d15bf9

SHA256
0bf695f139cf945fbacd798df1199cc8dd94bc235c2db1c169d2a02df42aa916

SHA512
1f78d13813823e0f037bd10e87d97dd8e50541fd494a37ef27896105db8ecadadaddd4ce6a2eca61ea6df61c63e5f7fccbd744c17dac7fec31b8db23704e1d62

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
760eb990bdca28d520a9ff6175814670

SHA1
595275e0197ba90e5a4881c392d5380832efefb7

SHA256
9ae10275962186b989febff2f0272b50d7a73e1656aaa2df542e9bfed2f6b920

SHA512
e17a2028236fdc68bc3036705ba9d127dfa9e361357a36e8f288466564e9bf2adae1042b2c3b63b0c3f39211f6101c161e303c526ec4803690b58af1a1293cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
60dc3d19c859adf075ab004aa5b06924

SHA1
56cc2c3efc68fd4236a4bd195acc6718de1dce7e

SHA256
5846ec247052c1f2438bb177b7592cbcd8cb2b347bd4ef081058d8217ca7b91e

SHA512
2c6e2f1a245f21059256cf17bba20144bc7b427ce57d3b3e34b6a8c8030ed3ac49ad585a4711ca537dffa0087a318d7c1d945308ea08c5d0e09b08920f9a372f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
62df0900e52054d74f97107b89acc178

SHA1
c382bc3e2ae1b5beb25c9b1aed4aebedcf877aba

SHA256
3309a6246188cb38a01293596fb8d22b1d7cbccd845aff2085f615f70fb8c6d5

SHA512
52976458bf1772fe565de38fd0d9a9a033e22c1b905fa4b59a5c0140e2cc4fa69ee8699d6bfe378bc1e30aec4c8f6a9b44d7887f8a5bb4c991586db4794136d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
891c4775a412598135e697fbaa3ec53e

SHA1
87086d622cb017d59a742cf257cdabe50146201b

SHA256
ed3cde7e07bfbb14df5cdfff9f8153c10b6d2e5942eb5948ce4ef8dc4946ce4a

SHA512
8b8b94a026c373b5aed6ddb6e7240b7e157b42de8cc6980a6e157b20d6b21a9b68998c053dd688999a4964c6314118951eb3bd215c5f1f362335d8fe58c40130

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9bb06f889650a14288df5ec386f4cb98

SHA1
bdcef01321d5b94fdfff1c3b3f0150e389678341

SHA256
946b52bc8917450e09ca9c25156e85b25c65a455fa9f6df35e5ecbc34b8dc74f

SHA512
1c8c8d492c03e5f0251e320f004f49a42952623c9516c26b510d761b0ff2525f02efd7273e70056c6a64baf465be30ee7a921c3ca076c978c4c9425007e550ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
885376a8eac434d56e3b02f3affde58c

SHA1
11a21ee8745a7e66af5efec1d0969ce60aa20006

SHA256
7988320c491cd801a59b948348d74de89466d822ce950f2b8fc3e83f1dfb5f6c

SHA512
619f62357fb258adff9369426751bda9d18130038d2ebb197adbdb4fc027f51727bdd1c60ed544c65cb84f8975f715347071f3e2380e89a49988e52faf771d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
97f37bd9ff97872f721a7b5d1f4cb755

SHA1
fff3f97fc15d9baa1417455b55ddac67c98ec321

SHA256
4b521bbe02b392036fb210278ee0e3472fe1e45daffaad8e49d407e8dd768605

SHA512
1d7783f36c702fb7818ee217690493acaa7595c8800bd6b0c7d9df086fc1c5a8d089eeb0222b7f5706f369e1c1a4f6bd4950e28a46eac4355b8b1fbb7e6cb75f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
02ccee6b122a5bade2d0e7944c80fd25

SHA1
bff481316074cf9460ca7641b65938273dc78736

SHA256
104759edb833f9ba8512068f42d29d35f7a6470b3aca5ad17a7d38cf9633d569

SHA512
4ddae9fa5754bb21140699c8dbf58b7550f92818ff7b37813665b9067ac3598302ba0b84b77cd80b0ac3d7bd38f5b580c893c7a4573248522e97a8123659052f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
93fc36c70e85c32a52995a79c52e72b2

SHA1
634b329eab3a34f6127a6a3c96f7037bb3675349

SHA256
28086f9fb38f7fede8e0cb8655b427e62bf6b33fa4705fe1097c9284acb2d91c

SHA512
90f64cf48348846791a5744db52835c259e733cce3f8d9af0ff8f43ac191be556ff2a46598728a3b1e2de092df677d8ce870ff0eaa70ea53187d18e9503bcfa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8cadd961b76b7cf8e07fe2a3c97de03c

SHA1
74fcceb2ae064833adad6c5457993b07a6dba6ef

SHA256
6113da1497e861bc79d2965f8e4592c4f1d8173541df448e827c4b253c3e3f52

SHA512
34af11d3fb78e3f5f928e6a3d9a8981d6942aec853007b31807e6e169494219ffc15c0b6ea962cb928dcc0b063d6eb5fb3a0fd3397049691bd9096ac891575f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
78a1524f69b42cf50357a01b44641979

SHA1
659df97e793cabf065e8ebcc884c05e1291b88ec

SHA256
4761f74659490044e349d3213496d0c708cb7fdf546410ed59cea49fc25c2fd7

SHA512
1aeaba48ccc15bda06d873ce6b583b11afa553cf7e45d90ececb1dadc4f18ac2f6de3d33d338d8dc3b21d270e1125583ccd1da18e7cbb0f2f7e2b22ab998f2c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
eadf5d7d6f9ffb99e2148905d1ecffdc

SHA1
22631ba6569e7e6fd5001a132826430c21b47a04

SHA256
718973ea95bccca2c90cea9c3ea36690d066940846497e7439d9cddc1ab4d05a

SHA512
9bfd34dd7dcc3ccfcf6689d6906b49d865bfb254df9b4f4b354fd7ac43c9150072847b72bf5af07c42a5fe59f54d42572da0b72f9d6f26fd3fa040c748845fd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ee3318f6dd0f0bb2000eefb1bdac9e4a

SHA1
289bf203b0fadf37a2eedf5afed47a6d0ae0ae43

SHA256
9ece7a9b04acf76ce89b48df3f81348e2b20b0cd23676e59de1935a42065f2e3

SHA512
479d44bab337d8eb9a644472a9b286fe02c3347d08c650f9870982a208eb061b1096c267c89b18e36231c4d42cb22165bd718078476ae7133574067a018b5464

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
581d6b2c3473595e5d1f868fdccaff63

SHA1
ac2d036017d800fde42d5325410ee1fe0809403f

SHA256
d0070cc817cf87e749cdd765d63ff6aff21f2247a0bacb82959f831d73983b88

SHA512
4e91a72993be6053e49e00f5dde50ebfcc2fbadbd8f5de94fa4bf5a9f1d04f4fc2ed3508f2fee9b64225ddab647118283c5e3e83bf8384471cc995d9e27ed2f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
295009d59f54ff8be7e5bd4fee9598d4

SHA1
764a5c65cc8505deab23034f3cbb4ddf37612599

SHA256
4a9e16b485fb63edf41eec0dd6ff774a720a8e9fc3ad9f822be0ff629bf78035

SHA512
ce25c22e52a2b70891d14c6614b1d54b2e0730bb5ff2f3335c4ad73e1f9f432d7fbba23d95ecd848b3bdd53792e64bfba5592a18213d5ca00d88e9e75a42abc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9b97c337bbde3c33a68366ea85c2987c

SHA1
fbf057b883d04ad9484c5c8a49fdd3fa13b9f715

SHA256
3c82d5254b9d0e97ac11b4a09369931682bbdea2540bbc938d2ec9366be0fd6e

SHA512
c7bc70cef508d7c55fe68b2900471bc32b07fe54b9ae1591ce486c66ec231118f251982f86eff7e1b37517b70cd330b8788be90835371d0ad1a8e3ef0fb7cb1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5c87adbfa3b3ace85c952177d9e8d240

SHA1
b300669f46970e9ee06ae08c6fb791cb94ed9231

SHA256
d7d569bdb9a92d54c059e875c0e26d37f2701a3c02aef8f878b0916cbe41190f

SHA512
755bf1990f5b01f29db5b8bbb03e94c9fed74a4496e6f51075b0178c34eae284422debaceca36789d51127003cabc21c304128be63876ecc604fbd3e18705d6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d54cb7a77343fafc6785e034a08f26ae

SHA1
32889b605ca83355abaf6a4b0cc2f54b92da7aa3

SHA256
e9c74ac8e9f0e5cc97e297a5c50057b1c53011d08a3e42f8a4e9cb213519b103

SHA512
d9a7313f67f9c2cbdd3df0737d976f73597aec0e11fdfa26474658bb762ed282b88104f746fb6762e5cc8d640c758510e179a7d6ee6b10496b998c9c49b8ed86

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d5c82ab82fb3187419528e6fdda008c6

SHA1
6ba711ffd877c351d574841def855a1f3d28899d

SHA256
b5d7d3df063fd057376e818aaaf5beb6ef368bce541640ccc9c9010e8264f029

SHA512
8ec655ca231c6ff7ab97d1d8ac792e8b4e02f3f0a88f28ee4b2734b43349bebdf670f856e75cf36edf6ece8855e3210cfb19ba1f36ffb03f85c111aca119f728

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b0864afea9a695ffd132dae0c5b67ed4

SHA1
3ff1bb63d1f90955e19489d14ea27d96f90af1dc

SHA256
2475f29ef5bbcb9a3eaecf98cd84d91e3c46e42e4e3d6cd3d971df056f034c2d

SHA512
53c7f03da85b78d3d3e9947df1657c53f80c1f36e2718c28f2b406eadf640953cbcd91a7cbbaabc05008d7f920a5b2e194bc55ebbfb06c65d171ed120647e069

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d843b54b273c732c5229ba12ff3ed59f

SHA1
47b5a38d63aac579ef927737dc564ffc44dc3f62

SHA256
49b64461446a5302c59c44f68ae8a368d92ba556c8b64f6d2f506c398de5aff0

SHA512
633d38b5faa2b4da975af51a033ff520cff910e69e093ee4d1a2b93a12451ff63de11f373707a7361897464c30b570467effcbbb10704ac7daefd6aeaa695277

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d2a74bc941b0cc5fad6c81b80c49f6f7

SHA1
20f650251ca599cfbc7fe2879763f7648c091894

SHA256
248e8b0d567ff3d2e95df28de9f41010769b1ec8e265f87c4de1c4db8cfb8ad7

SHA512
e5ead4497b5e52149121b66de6498e3d40447096d8ad179f122bf3d785a44e991db1a32fd821cb59a0a3d0acca604729c43bf7a63747d9364f74284d64c73048

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
10b0a0f105552b9660b665d06195db2b

SHA1
c3abe8a0ff33cbaca0b61b5596ebc7b102219eb1

SHA256
23210f9a88180df86ee4a5f9ccf438ee5d97a7feeef8a954807183143391bb80

SHA512
2e4163e9ac99948aca10957a5c2cdcc5645b7d2d913f44c697c23e4854e95d166e10edd58842c3c0f12d120c4dc3562affde926962b40730a0b652a9415cb78a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0cb71041e861cf3e58eb1976df81870a

SHA1
feeadffc9306dab47b074563ce6d32bc98c43d77

SHA256
8e93b43866aa7dd0ee264be8c1c03d94e747ebb443f17195b4e8ab15c5d13c04

SHA512
2f9ebcec228fd9bd866b0b1bc09bebeea5f7413c3d2e931de7e7bd413312236fa880b7777d20c220a5ae9cc312b13e6e6c9fb16aae009e0b4a17830c9326eea7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
041fa70b3264f6e82ba68eab0ba20589

SHA1
dbd2195f7a1888bfa319e03a0886da3683418ee7

SHA256
0c51717420e4ddd61c71174d1418ccfec1c28feb02af89e68a4bdb96d1372983

SHA512
8e25d37c0b31b00064f16a504f5476256da2708bde8512f1e80a0b696fd4378adb4bf591205b893547f2c4772b6afe27ebbe8cf670443e2155fa2cccd0841707

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
255f3d4f043439b991bb0e6f505e3ec4

SHA1
1bf4717dc55ede1135a6f6c50554c2992077cb07

SHA256
3497d53fc11d0319839e3f5603f5fc7267b7694e6d923ad0af307485512d04a1

SHA512
77030668b6108962517e832b54892aaa0db05753532188f58aac2efd172a25ac71f84f243c03e7ff5c13c827ef18f377d4a0b2a346d90be0aa7756c6cc75f24e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
990db9b0870ee168713b0b0773f30f73

SHA1
2c9f0ac51c3f52027a6d39ddcaa56a7a37778228

SHA256
7ea0bc8949bb2054cabc6c0867a5ffbc7085ca4fb5387584a1773fcaba68377c

SHA512
7a78c7bd018a50031da6b9bfe9da0a1bfdeb315030ca3f5a06704d118399188026054b31ed52495b7ab5d800a4786d5ffa45993ffc4bbc4dad45684ff25f71c8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
93b1d9297ead146c28d9d5589223987b

SHA1
d50082b6ffe52c286ae278dbd55a7e59c4f9de7c

SHA256
a357a38f662880c0a63428a0cccb8a9998953d3f5cde8ea0af83cf870592531e

SHA512
b391cd15571297c4cca0a25fbbe7e437eb8cbe08463b929758e165d489813ef758bde3b4ab0e29b686f6dd96dca5e18fa1179bb0a2610790d57c092c0560f1a6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
75e181d8afdc267aa80851067ed2926f

SHA1
f4e2d7e7ab40451b256032bde4321c19aace287b

SHA256
63658cc2f265f25389b3f829440dbc6776806187b33342a84e425bdc52767fbd

SHA512
75493b15e6768ba1bfb6e9fcfc51fbd5afbf372c436551a7b7abdad4e39547e3cd00d6000cde0b295c2d5a9e4d9ae876b93a34135d2198287a327cc108676aab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
571d7103ff86ee021fb359cba809372c

SHA1
290994b001c3535e16e67f1d823615298e686ba7

SHA256
1e5562f3a59086a8fa3b27b13358368b3ce37f28a580814646e21bdb3ccfaa53

SHA512
c24e8b5ce53ed4b1d39ab08fc19f98e15d0f6b8f0c2074fddcdacbe323ccacca3bd40d6aa968608080f90e68eb5d70404e37f26986ee03ea31508eb91dd3cf06

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3506ba095a786b11a6defced1149cc51

SHA1
6438ea5547b8fd7dff0940298abf37aabba7e61a

SHA256
9853d65f3c4aa133692b1393eae83a3b082be9e8ace2923fe30529f608843e01

SHA512
97232438adb6c6ce84d9f74e64ef73dfde38aed159c5a89ab73ca02dafdaf33df8898ee513e49e2cf290f81884a5620ce190b5aba48412c460794e9bd39fd487

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f422813f37dd70b61050e5453e24fa16

SHA1
2b20e0609af7fdc1e976426e4a638b89c2fd9316

SHA256
73b8b0bca843294c5be1d0666c8cd6127a7cacd43257edf44ef3e588f1920d2c

SHA512
6e020d1092d42c2f6af6e5d9c0ac6a79903c3ff5b207303a3234cbf6ef5a5613ea9922bfae567dfd0aa981fa976703a436584c6bdc3922fb21eb6ceaaa4523fc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ab6f8b7274baf70941193a6ed4ab3d12

SHA1
a5eb4e200e57db0f601e00c5434157b8f838d824

SHA256
e31d66afacdf510fef5148935d99cf9bd0de501d32e8c27eb65d0081b29b738e

SHA512
259536c6c5c39d8adeb65a6c14bdf62723e75222ab590e274842e064084c2eace70edd0b1030cbf755283eaac47574e3ef78c23f5e105fd65a3e18b24082533b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b6ea35442e794158b9d90697728a6c95

SHA1
69db8dbfd8d8fedc0c077c704a8a226532a76916

SHA256
73cabf7fc4889fabf093d301fd4db7ebaacd8762eb107149647a01a890181cd9

SHA512
3e1bc4de3d0408fa96abd8d4211e1dee72d0625bdb65d8468dec1079c7bfc7cc21d05873719595c7f41810813fe4651a39cf8afbdd37b28a9ac5a63b2b184058

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8b079c933190098b35521b529d635449

SHA1
a583a2bc5165814a225807158e94a15e24c9dd89

SHA256
742d045c774f65be77bf6495294e92a9c4990c9edc4fac4014ca25f5373981e6

SHA512
6372ae61d7f820d20478e94b223842aaf90e3f5058d9f151b02f28400f5e3939fc85fdf45e47cc2718569b6729dc6d67b0f938c8744abbbb7b66a2844fbea3bc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5d9ec04b4e2ab62685d1b4b7442a240d

SHA1
9b108481bda5ac7b925404bf396c0ac3eee05684

SHA256
28dd8c252da87bb08ce4da6c9154a83a47fb144d29675d6a4835152470fc67ea

SHA512
6e3b5b1c79a553050007b0f624e3660cfd34ebc37124c5cc03fd6917bd6bf3b1f8465cfa78876b497d918a521e528aa9172fb2d35973c5d3ad0bfde23d8cff30

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
aa3b390793a9d6c36596fdf00fde3605

SHA1
7f71e32fc16f02549ed13be0a84d231b3da89da2

SHA256
f36d8d2c522a749688beefd02e45ad6a55f1f04f0a38f14766af0f99b3fd5f96

SHA512
3ed88a10aae457f6e3335ea4b9774a238f4e9f9cbaabd0820c65737e1de039d5fa685201bd5cf984cd32f26d9f024798fb0b48461117b457151fe037db605886

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ca3775e54ecebd59f2c48a4cac9ee74f

SHA1
593f2921ba2abbf70462f9d1cf9f6a21d5e51cf9

SHA256
e5facd46369e228c86e7fd8d6dd30523bf8678a883aaa8b07f4bf65d0c1ce211

SHA512
e5e28d75c153af17537d71803f7dc47495f91c82e5c7fb4e88aaea1c0ed550f554ebebf81a74a224012c3c35b1d50ae3f6e1c26ab03e9197be0a4deedd460a5c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d259cd959961478d64f3a6268ab1cc07

SHA1
83540fe725e2ad4c5c70b9faa86533c08e86bf71

SHA256
bea79c536652e290d48b258e2fcdaa2b0510dfffb2bc7e6e30c26155442e2d72

SHA512
74244a9d83b39daa829c56d1d32ef3d528604028d4f52628e14808cbf8bc4a53f443a877ba17cf6e8412726d24e38e7c3e9914b1bd10bf4af89d2e36c59faee3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
85c9aee0790b1709441924b78266ed09

SHA1
b6f697836a83e7b443a836b291763264305030f6

SHA256
f02f636591f195018a15e3bb462adcf27ef9069864c73174dfab8b968a5b196e

SHA512
06dddb6daa2f53986264e3f9141b7a1036b0708b83b16caba79934cb146fceff54ae5e3c200a5d60670f9bc7778e5156128af746d6c7afe1df3b76af86d08b24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bcb3c6f03cb02d282ead2a3836e7b66e

SHA1
b5f5fc303bff8e4d9114c54387f0684db1757dde

SHA256
77717f42f69b4c828efdecf4f49e9c1ea2ea3187c4cc1156e779a3d82c57d0da

SHA512
efabc144b5d50fbe0b8c6c609ffa9f2cb3745db03727231588b675d11c7bee69d3d024cb714fb1eaa2347e3dc15e063a36baf8061d93dda4b6e5a9f5684c0280

Download Submit
memory/408-138-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/452-154-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/996-87-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/996-152-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/996-93-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1236-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1236-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1496-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1496-569-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1496-81-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1496-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1648-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1768-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1768-571-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2232-159-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2244-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-566-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2280-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-398-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2564-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2564-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-404-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2800-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2800-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2800-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2816-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2816-340-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2816-1-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2816-8-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2816-151-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3400-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3564-79-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3608-158-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3796-98-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3796-153-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3796-103-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3888-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3888-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4288-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-157-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-61-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4664-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4664-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4664-55-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4664-66-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4988-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4988-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4988-469-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4988-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5092-164-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5092-572-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download