009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
Size

1.6MB
MD5

fc45f540f3010082370698a08570121a
SHA1

d0303d149ebbe9ee8725ef49edf525ed8f1a2c38
SHA256

009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583
SHA512

f89bfd93488d88bd1951b1e973130286026985cfec65ac7bc5b2432b0904ff6f03205a35eb946cd78a20894fe9149a808e614e58602ef04a61b1b097c43eab7e
SSDEEP

12288:Edz2DWUfxKXfxTHP5vDDtbxTezGwd7EM5dEfp5MkVK93P+SdkSS+C3/eoPdBvn:qz2DWSxKvxTpDD6qrf3MkIkSFuv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2268	alg.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
224	fxssvc.exe
2784	elevation_service.exe
1748	elevation_service.exe
524	maintenanceservice.exe
4564	msdtc.exe
4792	OSE.EXE
440	PerceptionSimulationService.exe
1464	perfhost.exe
4936	locator.exe
4768	SensorDataService.exe
4588	snmptrap.exe
4408	spectrum.exe
4704	ssh-agent.exe
4164	TieringEngineService.exe
3484	AgentService.exe
4212	vds.exe
3336	vssvc.exe
4604	wbengine.exe
3652	WmiApSrv.exe
1948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\spectrum.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\locator.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\AgentService.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\vssvc.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\System32\vds.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a6cc50bb92844182.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\wbengine.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EA7A97D8-06D2-4899-B7A7-E79850B51060}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d97db0462d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c9e9a0262d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000112bc00062d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084d5110362d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048e9050362d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000358ec20062d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe
3400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	948	009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
Token: SeAuditPrivilege	224	fxssvc.exe
Token: SeRestorePrivilege	4164	TieringEngineService.exe
Token: SeManageVolumePrivilege	4164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3484	AgentService.exe
Token: SeBackupPrivilege	3336	vssvc.exe
Token: SeRestorePrivilege	3336	vssvc.exe
Token: SeAuditPrivilege	3336	vssvc.exe
Token: SeBackupPrivilege	4604	wbengine.exe
Token: SeRestorePrivilege	4604	wbengine.exe
Token: SeSecurityPrivilege	4604	wbengine.exe
Token: 33	1948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1948	SearchIndexer.exe
Token: SeDebugPrivilege	2268	alg.exe
Token: SeDebugPrivilege	2268	alg.exe
Token: SeDebugPrivilege	2268	alg.exe
Token: SeDebugPrivilege	3400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3508	1948	SearchIndexer.exe	111
PID 1948 wrote to memory of 3508	1948	SearchIndexer.exe	111
PID 1948 wrote to memory of 4064	1948	SearchIndexer.exe	112
PID 1948 wrote to memory of 4064	1948	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe
"C:\Users\Admin\AppData\Local\Temp\009bcb0e1d9a6fa1a3ab981ca5eadc8f6aeb6570aa6ab7eba13aad69afef9583.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3648

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e650011b2f2e18eb92e2d5a1dce1c3e8

SHA1
2d7bdcda0f5991e5f0e0312914e72c8dc54e8777

SHA256
1edcb19cfb55e56cd681dd1216a93b391549640341846c0891e42449f420d62c

SHA512
25aa742511bf3fc3de67e55a77ec3464483aaad76f86648e0b43417452167007c73e5c4a7b1697078e1ae67d64ebb3fcb8d83e8b1d8b3a6ca217a028aede2a56

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f1993f1b62f9ffdfa778c04b021b3169

SHA1
b2827ece98957e5c0e391b4146dfb717b7b68c73

SHA256
424382ba0a471928b1682fc6bbfcc0422620a754bbba819e8226d7d8a984e310

SHA512
3be92a47949a52231332364843a104142fb542fd0925cb99dca4603e93343c8e0642d6d073a2dcf553f8c411db135e558ba881973d837dc4c28083ca216621c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
98edd7217b867bb93a2e6940380ce862

SHA1
41c4648157a9d5e10903cbe165fba8f22ac5f1c3

SHA256
c24bc912c2dd654b69d116eefc7d83a65875bfdfadf082a086ae218ebc8c19ca

SHA512
6c677d66926b11d3ed42f0f521b0399443c9cf4cc4a2f1f44f465abdc2295c52ab190aa6362b3b1222abdbaedd1f483a01f9a9870d6a536f2cb9947d0b60089d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1211bea63e29a965a9b3d056b6b260ef

SHA1
454ace97741de12dc401dc3685d20df42af8a3a1

SHA256
642d1e5b95c490322f49e7fe5be584a605b7d37c7a258c3b757e62f1940fefb7

SHA512
81598668ea2245f6417a381fe248c6afde5a3bac5d0afa6d2fa848b8e700e1e881b0654832493ee511b77b29c7760c22a2e44c5fee3f8112e9b959593010340f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b4a5099a05c3c2e72a07cb1f68bb9099

SHA1
9b39aa4b88c4c968a66fc7b38767a6a848cf0c7d

SHA256
a9fd2ca216715d1c6c70689db1f137291ae9b74843ed5b2f037df1a08ec7e303

SHA512
1bd9f69e7f523aab691a4ebb8339ae1629b60eaafe722e5cbb3db2686ac92354eb266179487abbd9db5b4891a439bc244b5fc7242efb3920ef70e5358924b79a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e101f260d84eec7288797571ffbd6178

SHA1
8240560410aa7d5358cd8348495dc9af61413709

SHA256
3bc35fb09546c20e4bfd30eebbd34c0f5ea99a261f5a59cb280e79996fa1cd23

SHA512
57baae7d22f7b9e53badeedd51d7a04d527d471ceb17b3853fd04679611ce63b0be96c0968a310ba51d0fe9d64aee4dbc64450d4823c7dc4ce890864a7f9db40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
1e277b733a1df67fd1650f2cadcae7d0

SHA1
d1ef9512ad923f31765b3d2ff03f635b3471b1e5

SHA256
394ed17bfd67179b3d667d271140c71afe48fac7b3a8a6c6fec7037ea574bba8

SHA512
df3dd6c04cc2107be3887e719ce2b21b5f984d86d7cdea423c324b0bb23b690f1df3370ec492d77fa8b0d1b4d4f89e5d913642294db37c9840ba5596bc90f50c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9092ee1826315c2b2092507b59252593

SHA1
7fa79076258ee6307da8b4c648bdeabac50d9b0e

SHA256
e08ed672a73bab64bd753ae09d972791f22ea71fc29f1effd278c35cfde77964

SHA512
94d931a13dedab362f37a66a8f9cc71c7fa3285e85de1e1d786563c2bc684daac6c080d89b76477ce7156d444e1c55a3136d305343fee41d8344338ef1b2d75b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f5ab757fcd598f587c9de352e1513087

SHA1
961189138cf126f30fe7d947c279ba3f086d7922

SHA256
c0bbc7be7238efd7bdebd571e815e987a4eeb0798651b624987cdf37a3ec5107

SHA512
8f37614ae545b332f9a6114a99e1a56c7f696318ee50974a91b9930697b1afb10743daa1d20ccc76933b54dadfad1a96d74edda5f0ac2bec5111e88dc1db01c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a4c0b54aab6b6f179b51c6966471ee07

SHA1
7964c061ae633cc6f686cbe18a7ebf5cd70a3a5e

SHA256
522aefce2afd02a1b22f58f59feed32d3b162bf35eed352ea09af99877b066a7

SHA512
736e98f47958cc5ed62706fbbc61bb06b8a761d2c9904563bade4d926e6009f18197c2588a5a68696999d6f990702e3bd144e0aa7ebd16dc250cc55de9ac316f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
25642f9c2b074e491f44f954f3635700

SHA1
47392041ba0182be558059943c3a06b794865c9c

SHA256
6c91d4ab5cba73b349e57bb3c62ad3bc51afb8ef7398a4e3a21b658b2079148e

SHA512
66c191e84e3ab2c5dadaf9f8a5867d6e18565dabb154eb39a3e520522ab012cd09b82a9444246e0f3b4bf6ef7aa6baa51df427f83f02540f751d4dc97627d81a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9ea2768313dec400ac3f54305eec4819

SHA1
2245cf76d9f1431ec663c18b9ec5159f4540df94

SHA256
8d773d883c1ff6ffeb9faaa1cb6e8ae79e0fd59d148e96e7406f3aebd54d8d32

SHA512
e2addc738ed246eb66e2242256a5e536c7166791dd2556b622b593aff19e43e70e4e83c8394f4d63bcd4bb34a023c75096ce9a690e545c11068e5df727d633b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8d4402cdf21a53ebf52b1d6a48a3cb99

SHA1
7bafc4bb831fbef9ee046c3c1417b57e243cb71a

SHA256
7bf741bda2da0857ec8cef900b7858922e0d9033c621f93b021b2803e5bd51f6

SHA512
d507823e540c05f3ef06e8b8a3f6860d2375cd10dcb6764033e841948ce6d926cfd347a23ccdb27ba5ac9f18ccf6f901f87170937ae6cb77efc0693f560f916f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
1393e710f13fa82919522a6c3c6a2c6b

SHA1
99ab944b65093152a6334183e3a4c939fb58ef4b

SHA256
b4caf0643a9a404a7e3b1c116cd09580c10b04ca5567bcc355f8550572340ba6

SHA512
3750f58d2fc247483c6eb79d5462cd7974ae709621a07b7a54c1c3496f4f720b2f0477de69d2c325cea00ee3e9dbb051010f35d6665309e21c967c9bf23bc1e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dc1b93b7a77bc3de0424a3b02eabe3b8

SHA1
42b9ff7f8c6bfc8af7d753e4691ff962f6f9b08e

SHA256
7e9054b85d260c65be9e6e1d82ffc3b875164068d44b246c787c07b2baafe145

SHA512
0cd384793a5beb5e69f43d5729fef4fadb9aa3c7580ce42378e5d4f542510f799735d06a5e8867115bc0e1ab4aa560cbf9ebba2e89dde31e41ff77268a58a901

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9ce72ecb4dbded17a023c849c305fcdd

SHA1
4ffb97810abbd8bba4c134c6bd161bdcf2ab596f

SHA256
2e76a6f1efda8fd1c36ab6e946c97dbc56d6a7033bfcc9b81e294a8544d7e255

SHA512
fa7203ca01ddd9c470be3fd06b108afd4e80a5dcc7fb6aed60622d68bbd9a87c957974501fcc540741fc304182db9dd51634126d0ffcc9320fd395bb045a1b10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d2711aa5cc62e5eab0dc67309a34f104

SHA1
e07f77be51a6e04035db712bcb39d695f0676ea2

SHA256
7f202c00832d290fcf11d72ad64e7badf3c1bf6b1dc7e6bc12a05e89ad47f086

SHA512
e951ebed3df52598a7d57c0a923c786d1badfb0b7ebae0c6d835eac5eb1f3ccd7b223793765813cda2d5d32865054611566934f80ca5df46ed89cdd894edda8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
80f2ecd22ccbe96b272a8470e112bc1b

SHA1
f940b2e578da66bb470c35fa5dc74cd687b61f14

SHA256
c7cbbe3d6c128e1484f668638885e9ac677540f8b83c4d886530159d1b09d293

SHA512
d8d712b3973b3510c53f119b8f3659027386f8d56c4bf6fbcc916afb89f983b7bbfca417c113937e62127ba7d7b46f85dc799cceea100aee69467f7b01a94cd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3dacaff2383cbd83352b861144b70344

SHA1
c8690553c3fd7e1aae5c609ec431ba55aca58523

SHA256
9241b9bb619a65df590c84530a39a54eefd8489aba954b6d2c509f9ae5498b69

SHA512
28dd9295b31213a9c0625b5c4d1f5ec772e110faace7c3de3f6914da74a3d130169966db32b85dbd4215c629f1a171bea320538b6424a67b242536e3f10f7dca

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
047725038cc7fdc700f0afdbec978e9b

SHA1
08d8e98a2f4345cd501170f8bcbe166dfa6e6064

SHA256
810c21f72f013842040337c0b16f74bd52efb8a401ebe09eca099c7f11cf32ba

SHA512
3eadcd3a2e2ec05adeda6d57e88710df80c82b8c042573f8e4ae12e2b78b1cc87a8436fed97be0dec407cc53ffb8f59b7035e1cde3275a0b03d02591058f8fdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
73e7835578f7e88e2be2cb8dcf0c6ab5

SHA1
062e8005b43b0b6323e520966913912a7aafd35f

SHA256
e60126dc2b0ad72b06621298772520ffa855724cfacd704822becef126f1e496

SHA512
f701654c336a0ada4caad68de6ceb6e1b6135db85a7a7ac1b753d5eaedc2854692dcf5b1ea74bb5366220980432f773c7458d4ffb39df0e330c5de0f0438e83f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
3089143683bda7df67d7305510c89f9c

SHA1
2890aa838f1f0fd68d0765b2ef65f67d1fa5c1b8

SHA256
1db7fcc848316f2d5d47921c42b1f36721e7df9f723a0a82a1916498c4f4efe3

SHA512
0ad12cc46630cfeac72b29615b545de301b7a4aef1e56f2861d7fd1dbba06241701db8c255d09f694a1ca06844b98232e66005541373ec0cc0e98258345c429b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
19e9005b0db981d7c5cca1df1ab094ae

SHA1
d04f9919ecc40be9da4832a862a5899cc58f5fd9

SHA256
06cbb31d0db9a1e88a3a464f89856a25f3486d2bb1d36fc32f8f3fdfcc15a34f

SHA512
de037cae43428fe86399cb5d9b1665206117e536c3a7eecd0b86db383d28a3f6499f4a3aebf5b368c1b3112f1890adb5f018f1b532231dc8bd364c129a808d30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
bb8fef626ff799457c5d0a6bc3b49f5a

SHA1
64f06cc4bbd3b3f12ef01b8b469e6c8f401cda3b

SHA256
51c3adc3df2058b67b0f28d121609f094ad61c44924ce2631423d6dfc8bcbb8d

SHA512
7898433dcb74b84ae4a66b6ca1d304e2aa49356e1ae13216ccb252980122a5bd77c8e4fb5647431422708dff24e16015a0d7b3e0001565e9910e6583a06a3911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
932c83708739be0752907734a7725e3f

SHA1
d3265bf28a7779ef0dd7d1b16c432df89eb9ff19

SHA256
039a73a9f86860e5bbd9445abc59f9480a0f34ecd245b8f7e9a6db717900f098

SHA512
234836a83034b9b20c5037ef915a85e607ce780dbf2ca7869fac367decc47cee42583c02beae4a37c9f824c65314a6bf2d2bcd47eb94e8bdaf3ff08d26a19f3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
2526567a639d8fdd54c4964ec9067b57

SHA1
f6f4e0c7fb5e9d69503aa467f146412c40cb33f4

SHA256
f8843b8264e5025ccd4a19d34ee091cdd348de14223612419b2c5e204caa128e

SHA512
8fff628c28bf874ce29181b1483824d973788a34f8a887df4f3014994a74171c150f0a29fc8061e9ecdbc9e11e9eccffa931ad7ec958f5bad63306aad5f1d33f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
f224c9677616f2f2ce51628eeef11c4a

SHA1
41abb45bdfb7c4ed4494d160eebcbccbdb43c783

SHA256
461b0fd2af9126a28f3ac3c52684cdc57aeb14d1a7cd099687269e612013f229

SHA512
3039fe16c65c15bc1f7f73c7c1ed0a4ae05f0278f607ffa88dc4f3fff1ae90cfadb13a137984662e8f196366a3a5b6b7c86183bc5d018e30c62bbf8d79cef11c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
1b55a0419bdf3280749be978fe81ced2

SHA1
3d9712c6365bc101627347bad483d3bfa86de155

SHA256
674cc3403c2c36cc0bb323dd13cdb733541836ae249a373017ab167ed88da974

SHA512
a145b245b5da088cffa63b612c36ca8c71d94d326bbcaaff8a77ee2ab505376df1df22ee9f55ed024484ac3519ba73ef6b63d1751b49a4aa59eeb8782e6eb626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
877eb466f3c00655c5397f095af90639

SHA1
829e59b64de04bffce9d59ab0ff8eca007b111cd

SHA256
b4e1850af19a10119694eabe31f7be6843b4e0ade71abd5f1eb76e9412c66a6b

SHA512
00c38b0cd11f61ceed738f884344c9d708946c0c1dcfe151e21a368e85a63cb1f1a7eab45e5cc704ecfd991fadbcaf5ee54b1bb64e24a30b144a8dba345024a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
adac7628ffd5c5833b23446d71dd3ea2

SHA1
d3bd538bfd6c49499da01a8b9fb0993f3c0ae385

SHA256
9abdd66de312eaaf008db510996e41714ee241b36942d98a4e6babfc36262bc6

SHA512
27bf62a73540e5acea1f2236594d35a30f1d2d7b19b08ecc4586254d4291fce671f3693972f5467f61f25af22f6b9a7ee3f587ad880daff434bf20c5410bce92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
4da28eb7df28776a22b6fba57e0d48dd

SHA1
6809d8bae7df1901d0dedca2a7fbcf7a07e3d52e

SHA256
b43f60ddd3471fc7f6bbbe8f32f9c593035605d5c8c5665670085a1283eb04b8

SHA512
7267a18232ebf5249e0a46dd75603cad921a8247e521d2da2bbd91f9b7db91c46fac386221d642c77499b7238904965ea152be218430f6867109ea3a2bb03ada

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
c7a59b7026a77f6cab84b1b15f3ec38a

SHA1
34f5f4a3ea31f3db08ce2b531b17aa9927d61bc1

SHA256
5e09a9a0234a35bb01c54b996183cc308cec5f88ede79ffa178859ba09d375d5

SHA512
2902c1ee16b6311b2ae9eea7e43e50d4c34cb1d4e142696dff77be02ada3c0da61d5902a1401f066d5a5a02d0ebdbec9b37bd21e8e04fbf3298271144db4d021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
06e58731e7bb600a766b420f013a41fa

SHA1
dbd7fdc148e6ade4d946e8771aa1b85408c4b661

SHA256
a07f7d01dc2bce2cfb143135bd1b726ae12f33e79fc3911f67e7f703800e9bdc

SHA512
fe06ec71954eac762a0898f1261c50105e34b38ad3821c651723a40fda81ed8b1cd7113a70faf338f47498f7f927c8049d3a5b866ff3b3d2d5da27cacfcd154e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a2d5abbe86ebd99d85fa1439c27de857

SHA1
0a6e2c4a8fd906feef14e0136bcc39bec2b53fec

SHA256
4b362d8ecb96dc1e19d6dd68f15dd2720f01b0a3016f8d4179debd359f836a44

SHA512
cad26a09cef65aded167cf7c4797c39b329c9ab64371556a51c69e07194d91a709d0efcd1dc17208b7a329465698d59270b5f0c593290f5050c92f7818c25133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
0b9f9b390260412997e3c83a1f0f455f

SHA1
04ff37c24457dd98d8f323026a41e5841f116516

SHA256
701426299c864d6b6dcc95d5b7c39a3620a8a3263463c0b1b944fa99f1f97fce

SHA512
4738e2d1c9bd381417c2a9d4a6c8ebaacb3398a00af9068275318806b4ada6af626f7a14bb692987c86a1c1b19c7933abaccba44412646f1dc1a775782c152e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
3e25476523f7b98c98ccacbca5c19ad4

SHA1
49eab316a8873ed15c92f7a5352002233a4f3267

SHA256
64d03de83eaf66e270c9854f2c2672b8436181187ba2c00d5d9ffec65c95866f

SHA512
46b5f11c4b8008e0bc970e56d623143b5db0540e6e7377c72d5adb5cb4e9b92aa88e66c8b2cd439422934f56a0f96d4eacf3b5ab7dcde409da3e2a0a46ee6802

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
a00525758d29c967a18907b0f5c875d6

SHA1
03852766c5a7df70dbbb711d9f1268b4939f8da9

SHA256
1d3f76201881125db4540c55c09709637be840b5598b8f15491db60eddd7530b

SHA512
20e6433ac207c3bca79ab03fa4056fd7c50197496442a99ba08a4babe06237d8c1fe5e0957c818a0be0c5305000edb7eb43bb41f62ed2d2a97b768c4dbaba18a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ef19ee68b17732fe3801c646138b09a3

SHA1
f8c0447df74a6d6bc3df4331f63bfb8cf060e571

SHA256
2ec82290c1774ac767ce0c59de849e038839170e524fff5525d549a72a7a76b4

SHA512
ee010ee26536f0b1a69c4a7d247d5ec83badbcad344b79bb1bf0b7e53c61f70bd532d4564afa3f1d2745dd4f9fc1f231aebe96f11f59a61693267b4a94631ec2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
75654301d68f6d2597141f5ace6c0180

SHA1
f5a11470e322778e71143d42812199dc1b0a826e

SHA256
1e7a29b46923ae3f9eb2b81f3452a9db9859659497b36abfb36e50b7097e4851

SHA512
92a3c8722c6031d7bee9628c4b2dd2448fd7a3642cf9d412d2f53b65db0415552352a7251bbcd1a457463290987dbe72ea8c6a96d13435463af7d6323ec3bd73

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ef4f2273097da6541f5194daa1937715

SHA1
d3d8dd211bf992daece420cbeabd7eb9acd927d0

SHA256
9b5d18234783037372c4017f76162442896d37a7b9e1b1226a8283ebdc9406ff

SHA512
de905f699140bc75c0ccb2e8f174b62ee7660de38507b9c9ba3d1387b0c8f1359e83f62f42aa6fdb3c456c6ebdc6ee6a0a8e69949f9edeefcab7c8491567c19b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8c79442d6a9b4e0a0f56ac64d1cf5cf6

SHA1
a6f131fb580fab4488171bc8405723d9b442ed8b

SHA256
6508d7b10d50b25231251ab0425bdc0aa5ad9228514876b3fe4672aec11f8a35

SHA512
79ae65281145e1b43cce10866de3bb4e2d436ba19668af0c227d3602f0fdb1a5f04a09b18e9c3771b96517eea37b385792b59f97a8fdaa8a456c542dab6f465f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
49afe67a37f868b4c3269aa8e4b77637

SHA1
e5fae9c42b451eac6540374dc84331a39340b660

SHA256
29d454c5575290049f3ed64870dfd01342a924cb802a7ba57777d1b70d3ef108

SHA512
ead2d16f92f05b704f98ab64057ed992c6814fd061783dc4831afbd0c5a11d4211866c5c6fadf9bab98f3da5a5ebec4cc8a229ca2b1a903091ead85c76ed76a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ee9262ade0257c688eba7f647db415d5

SHA1
3d42fb2cc8342f059f305559ed022165d19747a4

SHA256
d6f5195254e81549ba889af755f809b2a253b5e34d71d90d0501b5993e5938d6

SHA512
cac2098698cb7c2e8823b353bfb11b28afd3aaff8c7a89e39baeff24f0998918c2e5a69bdf3254e79cc589af7b69b42ea7a2dab14599147a2ac0c079dfe324c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
68e24f6c5ed60f5027ce837bfd219eda

SHA1
c9e42a15fa87eb79196465ab247113afc2cf947f

SHA256
7ecda37928ab7a81433e5482cd7d92ffecce36044a2675c55ef61c0215a8d297

SHA512
d2f3a32ce4f6aede05024efe18f88b70fd5c257a40bdaafe08df4f76e8f3509bfb79aadebfc53c9581a4f91f034bd13ba19865137a7b4a8e340d2c18a338ec87

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
76e937563c9798789431affb9d72e300

SHA1
03278b2bfccd275ca5d30ebe1e62f0c14c8d7057

SHA256
f1971b26b83e1c1c74e7a91d73bd596b9a5dca9624e884e3d32b4e8e03a426af

SHA512
f707266a03d0edb7c2d2c853f6d0986b4bb1ce5f5885174ea065f54a806fa4b7a5902fb4ca4fb3e3e47f76dbd81a09f5bf57140b0872b3121b94c225f4ca5716

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
8a8ffdb2b04bb532eeaff3aff9644b92

SHA1
652eecabd85df711c5d5600fcc5ee6475dff64e8

SHA256
3db97e444c0649a8ebc269f9d804b4edf556da57bc0f5d749acf67bf816c7b7e

SHA512
95da112e27c6380e34946ad3042a6f1d28873bcda2da562d54edd822d531fe5d0690dcde56fc5531498b3f37d68b974b8c4b607a6611abb117589e90391d888a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1d1522370645e51f4b2a2c9d65db669e

SHA1
d22a25dae457576278d81cae919c5d8b245d5595

SHA256
b601c1d94b734b3fc665d637c064ea941702fa24dd14d83fff22d787343f78aa

SHA512
d0e77364bd942b3f1c107e319499ab7a0e3e6869190d89ce285d12c675d8d004e8eb36c90c03caec328a5fdf4a3026a524a284c41df89592bccc6ef283279996

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
543a2872df6a3255797c9d78333d7cab

SHA1
7bbd0b891efbb87692a8d272e87ec8d6ecbfb27c

SHA256
098b680129ee25b73a4db6e44b4522cb95f44fea3e3029580dddef9d90ac6774

SHA512
acf159aa9b1418b565badbe66cd82395d8f1762e0f9e837725e6558b60857d435922dbd2afe98f8d2aa2ae7642c463e75c4654533742f700c6a0d01237325d0b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cb62835ffd6aabb5b2b92e977d38410a

SHA1
8489a6b95a5d1cddc6de2f25cf0c683971d6619c

SHA256
8f1bf3f9704fa87f9ed7057fdf1d1e6ae7adeb7a9fc73af779dbd2409a53c6d0

SHA512
586aa72cbdc3af318e5e076ccdb2d0c242df1f37b56a13473e5a13a52a091dfd4d77b0b03944fb39883a97ed607b3ffc80096681fdd77775dd4951aae7ef5d68

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
9fe8fa1273f9ce4ebc52c8c6eaa880a0

SHA1
b74a10e503d9ad44e95d341b0a72611565fb65a4

SHA256
e088b110412f63090ea4407dacee5f3eb993ee22ccba8c608a18b415a766db76

SHA512
4da1afdd7583b59a3067fec24cf1a8cde0bdab9280ae7cbecf579bbb205516afb53a68fdf227fbc4cddbb6b9a1dd5ec848f33f0e24fd4cdd9a4f86fab848bdf0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5cbf024674f212769950cd1ccba80793

SHA1
7d75899f6518e3cfad3af494f4dba9b27722188e

SHA256
e72b018c5937d1552f6bc312e54ff62c647c5cf2a8f23ab983788f72a6c995cd

SHA512
99040e9ea1f2474ac6c4af4309462801efa5a6409b8859fea5488c3614a915a4e0a855f98156d1962d6e53fd339817926fe510840fbc0b15471ae3d84fc38c43

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
42d85812d67003a686d8ff496b898bb7

SHA1
92b3c376b002c23343f4ba791df298e36585afd7

SHA256
1479734c2ca9c4ebc5120b4e250af6a06c84e404d66822418643db26a336ad11

SHA512
3a83ed49f6b16638dbc5fbf12e664d91e491cffc397f9612611e77422e21bbe7543578af141fde7694796afd9a3d0a1d4f374244f54e8803840119214b65ad6e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
663509ae6058cc438a9d6b29e9e50cb8

SHA1
857fead22e66e7818ef0f584d76f777b3669fe59

SHA256
f950da3df81ff20c3afab7656b2b85dce638534130cf6686b6cf035bbfaf0f97

SHA512
ad10268597c76f1b89e934fccd3a5a98d734c4deb465cb0c1fd70944ea87e3a816c81705fa62dfecc9cddc1acf56fd8fbc39784730d082de4d9bec4335507582

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
93e70f23795ffe4fad538c96b5dcb06c

SHA1
eddbf15caf6bc75d8777f62ae60803699e361f24

SHA256
0c914e412213a3a0f59766528039e0c40e15b0dbdfc5d90575da3e8691e6a9b9

SHA512
55abef8d1ef3395008a3477d16a6dbb18db7f3f4d0449ecde94285cb8f23868a9b9e8400b12002ec06eae1b00b91760863ae3dc23caa0e773ff46df7d7515a02

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8ff27c492f41f225a0858efd61f8b592

SHA1
43912c8b2b713a31fa838b5d6f0dbcfc948b7e34

SHA256
ca3f4b9433115eefaca1f24aa783c70f54eed27e12d55ed6799b8caea489346d

SHA512
16727eefdacf01ee12466c25f342bfbf682b931b52e4cc1df86d0e2ae48a66cd70997fc51cf1b48405205c965b9a24faeeb385259ec7b10c0533d5c71a1df176

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
e405407636a95ac89abf354c82f7f773

SHA1
92caa17466dcf4fe571688c6b74ebaf3e04fba11

SHA256
2a35c9ef3028a7dc9ac33940a6bc22c898ace47f9f35ce7a0ecea8c7bb172e7c

SHA512
af97d932f7c96ba15e3fa00fa44fbce8e1bc963e61271357e39aee0cbafaba53dbff63bda071bb5895206cb0a21927e8410c86dcca0a99331caee6369e532093

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4666667db181517a129574025ca40a2f

SHA1
2eb197f20d9035711e569349db28f17225c18d06

SHA256
9c9c266353601ba70ab19bac5e2f2682deaa82a3d7d2c68bc57bcd6ba6116a01

SHA512
045c87ee5d38890206f78b4f8b7fd9fb48536fd568021c350253809360ab42c5fdfb8f9bf99bd9c07d15c9ddc87476b575985c54d1955971083e3c0b0e80c983

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a16e94d8defbef1535e90bd9f874a15f

SHA1
f074795baabae6cd18b93c3fc15e963fa8236f6a

SHA256
d54d6ffbe66340589784461113cdb1b9dee4a01bbbbde96ee8bfd25d24a0b775

SHA512
050d354def8252a4966959480ea33b8a5c49503baf96c2c98406f740daa9628b1c0f3cd2d8c3e3e96107ed37866f3774ee59f68cf66a35f7e6dc3b65a958394f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
74aa35e619399fba8386068b6f548012

SHA1
592e385f709b0de84bed1e29f732b40bc237399a

SHA256
bcc12d1ba6b8578f48fa9d11948f732b5b05730c0e0d89f57f638a69c7c17505

SHA512
3079ae322a8304710ba77d188cdfaf9f6c4dda8ee590270c56821881fdf2be69ff92374468672eaa42df0be2bdf8f9c11a6bde1b0ff32c3fd52591b024be3d1f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
67f41f13b4615bfd7d5ced998dc4656f

SHA1
24411a1283c5b94b1d3e4ae137a9a6397a26be64

SHA256
6f2a40a2ef99908ced56e14e2eeb39e88c79cade27a994c74a215d3e23a1b10e

SHA512
eeaeb82b709f09f4387807bed8b15d723f098f15227f1b6c3e72066daf8ad84a672f6cbbd26b3ef0fd684d4666a3c8836939cdd8ee802acd435a7a6856038511

Download Submit
memory/224-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/224-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/224-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/224-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/224-57-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/440-231-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/440-115-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/524-73-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/524-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/524-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/524-86-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/524-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/948-0-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/948-410-0x0000000010000000-0x0000000010195000-memory.dmp

Filesize
1.6MB

Download
memory/948-411-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/948-6-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/948-8-0x0000000010000000-0x0000000010195000-memory.dmp

Filesize
1.6MB

Download
memory/1464-243-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1464-127-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1748-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1748-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1748-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1748-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1948-578-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2268-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2268-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2268-20-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2268-114-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2784-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2784-48-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2784-54-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2784-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3336-573-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3400-126-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/3400-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3400-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3400-26-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/3484-571-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3484-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3652-577-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3652-266-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/4164-205-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/4164-570-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/4212-572-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4212-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4408-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4408-550-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4564-98-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4564-88-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4588-168-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4588-480-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4604-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4604-576-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4704-193-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4704-569-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4768-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4768-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4768-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-109-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4936-264-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4936-137-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download