ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
Size

648KB
MD5

e489c97b1c044154cdd9e2b6335258a1
SHA1

722f20100b5ff1c19af01a6289e6447d3deb2541
SHA256

ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75
SHA512

981fbd233dbdbeaac0c5f704e8d9d2b0eaffd255741829c0bb4a9c79f5ce0901e8e782f6836f749b262c5d43b1ca66dc4dba179bbac1b83e9e41e08a9c71b49e
SSDEEP

12288:rqz2DWUnTNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlyw9/:Gz2DWsTNjx+mZCkt76f/24pN+XNqNG6L

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3960	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
4040	fxssvc.exe
4904	elevation_service.exe
5064	elevation_service.exe
4760	maintenanceservice.exe
2628	msdtc.exe
3196	OSE.EXE
4804	PerceptionSimulationService.exe
3036	perfhost.exe
2016	locator.exe
1104	SensorDataService.exe
2320	snmptrap.exe
3372	spectrum.exe
4156	ssh-agent.exe
1468	TieringEngineService.exe
3588	AgentService.exe
1040	vds.exe
1872	vssvc.exe
1200	wbengine.exe
664	WmiApSrv.exe
4040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\locator.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\System32\vds.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1433cd1ec3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exeee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f3ccf496ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009930e64a6ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c30ba14a6ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009930e64a6ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052487d4a6ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000351fb44a6ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffcfa54a6ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f6f844a6ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4e57a4a6ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000444fe2496ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005577ca496ecbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056968b4a6ecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2600	ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
Token: SeAuditPrivilege	4040	fxssvc.exe
Token: SeRestorePrivilege	1468	TieringEngineService.exe
Token: SeManageVolumePrivilege	1468	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	1872	vssvc.exe
Token: SeRestorePrivilege	1872	vssvc.exe
Token: SeAuditPrivilege	1872	vssvc.exe
Token: SeBackupPrivilege	1200	wbengine.exe
Token: SeRestorePrivilege	1200	wbengine.exe
Token: SeSecurityPrivilege	1200	wbengine.exe
Token: 33	4040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeDebugPrivilege	3960	alg.exe
Token: SeDebugPrivilege	3960	alg.exe
Token: SeDebugPrivilege	3960	alg.exe
Token: SeDebugPrivilege	2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4040 wrote to memory of 4592	4040	SearchIndexer.exe	SearchProtocolHost.exe
PID 4040 wrote to memory of 4592	4040	SearchIndexer.exe	SearchProtocolHost.exe
PID 4040 wrote to memory of 2152	4040	SearchIndexer.exe	SearchFilterHost.exe
PID 4040 wrote to memory of 2152	4040	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe
"C:\Users\Admin\AppData\Local\Temp\ee02d26b6c15a50e0c55c131867aa8469759b8b14f871e97089917df3bb00a75.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4944

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4592

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7bd5501c127a353b7490a65de85703d5

SHA1
db3c0e7f3a468cbbbe36f3319da90496c0b98c77

SHA256
99058a55011cf27991c436e2a50800232415d9d4ae38caa1dcee687f917a5773

SHA512
2e4b025e79e443a961100a0fa49412137c8779340cc05ff05b5d7b19804785a9b0b88eccdf05fd07846bfe85752ed6ba45242ac785b5e833ecfe7c783a5f116f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
3bfcc0571eed37eb4aa23f9907a6106c

SHA1
008b226fb78ee43cc3ac810737b78e1d07c90da4

SHA256
1b38f3c3939422ccf22a2b8d0272aee8152aa1cce2cae792bbae6e2c2521e18e

SHA512
12d6d0fe05186c61392093128cbefdc7aaf3ed2ac8706f1a9d277c8d5eae3c73a343f835222054716d2a7cab79ef50b1ae7317bae0e36eab0b925b56450150f6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b11a6e5cae8377e5756276833d66efc2

SHA1
2f2c24b42a4e340f0cf6e5824004bd129034e887

SHA256
b2809259330a00f87a736271b09b74bb12d8a761d506d55089ac115570182f31

SHA512
da5e9781a4bde80cee3334c3a288929cc0ec5a917be1381beeb27354764517da36085e86c3120f35fe717517aa0f7382b88db9ed56f938a29a01181dfdc73c79

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b8874a3d02d594177369434d9de0323d

SHA1
55384a78ac0d4cfb437865eb7064998517614f21

SHA256
9a5b95ccb635519301647855084d40515b72cc74b65d62417089e31aa54b9514

SHA512
64087846cfb68bf382757f5b48f2f662908c898e0d3bb7930bf98e9efde28243437e0c645d206c6b963ace92090d72e55b18ca5dcc8d27de512e7de853fde919

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9c19c797b790e30382c9077a6d07bebf

SHA1
2fde131bcf7e21a15d5aa2eeb29781153c5da3ea

SHA256
199fa1076171f8634bfd08af37fb2158759d8e3f9aeb27334dc1b69ec380ffa4

SHA512
9fadc75ade74c5f1db676b90f790ece27e12fb109985966980b5cd0318a4e94ebc8c38b96fc52aa3c8da5625eec4a769a70a65dc3ea8267eeecf181c5e8def84

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
3b74914244e20f68221aa1edfb8ecef5

SHA1
7faa2b2330969a7762a1b4dac6499c3d87f4cf95

SHA256
9276ce21990cac0386c99aace43633fb6874a5c37615695d9bee85ad185567a6

SHA512
daa1f55ed5f9313e6cede74d1545678a320ef4267db888ecfb968410fa124e69d0fac8d72eeeae4d5ade99f0c503e0112c5f8cee8e24552e6663e142e2141c7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
5625f9a718db8a3743575e40c2a7529b

SHA1
981aadc2c7f4f2269aa706073f642cfb02b8b0d6

SHA256
f746e227290f70ce5dfd7a562e2a4007899090fa450d4dcf665a43f7d21b139a

SHA512
8642ffe4150736045c599ea02482999efb683e63c3b40bbc7635238ca649f1f356d03afe452e9000b1321cd1d70068c23f2f05898bc24bbe4a3d6bffe9229b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
dbe0a03849e1b0eb43653f46e1b4dba1

SHA1
d08b114606d3d0f7600aeae00e685ee1cd0521de

SHA256
b3d10d3494677ac1a17a8f21376175b39405797807a3b58e96eaeddbd5367f74

SHA512
188fdfcc5e8eb58635f9068e989fc80c34931857818f84af6d57eb5d5bced6116b46a3ceda9138f51f4e6d27f4e7b73089e290c8ecda73d1a5d36a369bd794c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6d31c2f44dec32d65fe95c3cb9b8200b

SHA1
26ed509cfbd457f7f05a4986c3c12145fe6b321e

SHA256
d15a3812e32c7ec79d5dfa0d0981c294f09ed179f85e75db5ecaf178a2362530

SHA512
b56aa46710d0c5335850ed68978ee8273ffd51bafa30e5a5acd72dfd35a7623bb79f81fa0192ae633b488ccbcdadf2b173f1cc5ca8e26d9ec0a099f8bb779f61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a93fb3bfafd5f9d91ea57a1ad4dcd66e

SHA1
d26a7fe7a820316dbdc8acaaea12490bbf902cca

SHA256
f4943006e470522470f4c0cc21aca26a884574a735c5658fabe683fcec2188a7

SHA512
0839c3bcd1a2e227e76f0578c12b80e8acf98bb0f82203a3d36d2ac70d81c626c2764a231e34c3dd084c769a3d93cbc2f890462e4fb85133ed510d63f9a4fd35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a77d1681b68b3b0971090d4a1e63c9a2

SHA1
fb266e87ef24c1f1d8660171f5f298b10e7687f3

SHA256
1f59473d9ec184473f53f955169f7cfeafc7adb2e41d2a3caf30aa7025c278ea

SHA512
c84798ea4e14656aad194a7fbd15a823aae58ec6422ee9ee4df632a72ba55d3b05e331ccc24c89e2ecc43a470c1ded29a00770550f24a1a0b12f8e4cc104a041

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
290a3f6e8af66a049d8d1516923d3a5a

SHA1
89e50dc7ca8a09aa2e50bac56f9f8811eff32bfd

SHA256
61f658f6da467165a4848eefa07ace6ff7809e3e0d13d949e1e473204650faf5

SHA512
368ffb6ab0d3cc568c3e8121af34442e06cb84e0853678328664759c4e13eba83335044b5236b1ddff1c45dad549057269e2de9a24e74a0740918024010c977c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cf023ec6823a188358a702303231295a

SHA1
eb4c721c8f6c54ac5997cf799c9dde49dd385299

SHA256
ff12c15c9dba66c7d83f699a2d5bf3a35e0039de5420afcaa2a10b3afbd33172

SHA512
a21098e8f6b8beecc07909f052a28db5d3d701fa037b86cb65ce78f151b4b79d3dc20f4a046bb6797a7cd25b551c4363f52e287b5e63851caf52e2282359128c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
063ddba9a3f413aef51cd76a7699dc3f

SHA1
33fdb66efb5a89ff9ec30899f4599b369223ff8f

SHA256
3a69946b409f861899ade627bba709bc433f24c03d2f1264635863880438f9d2

SHA512
99c8d2bf6bb35321b4f3443e9b896ceb29c00bd16b8f20a179d1abc0e366804e0194eb0801e907561a31b30968b0ec10115c77f10ae30b07e8f69e0cb1e107fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
328814b9ef53338b64da6cfe44256186

SHA1
9e14759bfaaf197721e5a478d51c9c7fdbac0e7b

SHA256
4e90f33a4d2a0fcedd7ee9ce10c9faf66e3384eb9597d7dd67162e00a065ca29

SHA512
d74d554d48c59cf3e623f642e3c899304d26325ad5c034e58829a52483e930904cc20eb1db9a74a77f0656142db87af2943d76b1a45d9d58725844aa87a3c16d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
7973191e4926156c29fd1812eb1ccabb

SHA1
db279501c88bdc7cefe41988baaf8aed187ef19b

SHA256
341853afec01f711b6f0a72ed5562d3b31448e1f3e9674bbf2587510ca0d8688

SHA512
94c5933cea68a0e267646556f1f99053a9cc72fcf0ab795efc9034c588a482202f990dd989517a474b5fc3513599b5effec3c29c50efca0250d0f49268cc32b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c01a4c0c24e4ee4728fa3101b5e4b673

SHA1
864d788f23a61f3849f52a53032498f59bf251cb

SHA256
009b0c9df972fcebb7bbd75e845162075eba72a1f6af21ed95bec21967b2de44

SHA512
01f221cb8fff030410713f0affb9fe881aec991a39e7f483c70dfb3c07e5edda3ce2d6231df4bc09d62029f7914b742333f491ef9c1b81b8bd5cbcd9d8de8251

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3adf52269c8235b6a2a594a977df50f9

SHA1
a542df2c672be0b0a6c6f59d365349e70500c41d

SHA256
db6b27e4245c9ccfa183115751dce210e7548798137014167ede42110dad86dc

SHA512
a569fa065a774c9bfef11578823cccfed18e3b77e22344a7b78a8f373edec854d09e16bfc9db087af6963ff7e8bb59235b578197c042f3a94d835545c0245db1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d96f88c0395f819506c79e30ad0e747f

SHA1
e220200b39f54d9dd35dfe629071a02fb39ec12e

SHA256
8d2729a38823a0ee319da9272fdcdef97bf254f53c03fdc77e940be1c92832c4

SHA512
2f192ffa7482d5b090a6c1f8ab9c16764910985bfa82064abe618b2ae1a81668ee9e2bd89548c383a841ae625a1c80b44fff8dc7a53c07147449a6c069c1da29

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
5e2c8aae4caea44efa0ee1c04eaea35d

SHA1
5211998fd1f5a772c9e5714829890cdf8ce00310

SHA256
753ed9da43b9d6155792f5a167fe5b99ecc8ae7aa01f19883ac6b01f0293e955

SHA512
e450b2040aa6627535d507964314b075e9a53415674f6f501c3eb99c21810bb8896ee7264ac2657da8f5294750c0394c7e32634d59f8a3b18c35d3bcf6b5d7b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
3508e3e3e5717ccce196519f081e55ad

SHA1
8511c99a5a5d3951c24cc194eaad294dc67fd446

SHA256
4bd348c573305507ee43dd714cc2fd539797d7e6b85ceee30a63eb96a9d42a67

SHA512
5c963b693e2e644d2917e329462c88ebb67e3d0c680e4ed4a8419f9d6070fbbe34dd1b7eab9030ee0136d3261370afa5611702be6243b1de19d339d7927c646e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
54251eedf78bdbb14a76a431463d3f12

SHA1
10d648f9659817c7f17994aef3222015c5c9df0f

SHA256
23cdf736ce25135d29f7b0e4e15f109ca4b8f23728124112d4f2e90f340f32f0

SHA512
2e5b593a743797d49431c36a6f86657c9ae1714bdbd7793ac48b71d03145f7654d0c571ba17da14106eb6595f6090a6114d10d636a037ed01f4893856e783882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
526721d3f92bd0fe4d06e7e9b1fe536f

SHA1
dee683155b480aadc09c34a207ffdcc8eb0c98f5

SHA256
d3fd85cf0930f7d527b1a56beca24e46d8c23c4442c5e2d15b74ab98576c3248

SHA512
ea0a9b135152c56e7252a6f9175a185a9788ea1601e8243227927d905a1f031c8616d3fd07f9f5af090193ff82beb9f3f44ce8ba9da0cd608e7f24116befe034

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
aea6fea79b292223bc7e912b4424c205

SHA1
7faf7d2172ab1081d65db3a373a713111739e2a0

SHA256
3f249040e9283c2494e0a3e343d239f73e0a178e79ae00de9eeb0f0fa3bb13ca

SHA512
87f6223c6650f465858db60ef28b01ca2b7e87213f1c0579b9328397b9603503883345b611dc59a20db8eda6014886283a0797f7e18071dc9506d2fabca1f378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
75f39d475aa942c35cc27134db9288ab

SHA1
6c1722b1c948041148003897c6405886306b7b77

SHA256
aecfa70f418ea46ad577e067fd4e2d43a9e5e48e38b4e332e4eb331658fcefeb

SHA512
d3b2618f9eab55e6dc6b41b0ba8b844f3fef9d9d5edafad81bed2658a19af2c850e7c4e26aa48ce7197031f3789d9f95b4da520abdf198428aa46233e3216ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ff6a635c719a1dd996f2a53e883aecde

SHA1
f92ff66fcfccc350d44f74616baf74b9c7f810f0

SHA256
2af69c6d56eb73722211fcf2ab5631f6f79ea8c90dbb1650496fdc900de9fadb

SHA512
2ba945587691820c63864edc9b9e06964256d590dd6f10496d170bdb1f6065a44a28d9672c034835d5891dc62fbe1e073473a468b31c44ea94406acd71e5b52f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ab857f85fbf581df1d84ff894e4f4852

SHA1
367c5f449e770d65c108ca5b8d4e90fa86436cec

SHA256
490729258fc7b0ef264ac0a68f825af3dcac710204d8d1ab9005bbba8c507302

SHA512
6a971fa293e259ab8266ac8a183b063fca8f3b523a30173c63ebc2a5290c08f52d80cffc6b6f8e1a604cf166f0f10f84c0ac13516f6fafb224509c94a9333445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9a4b35c20eda74b467b5d6cf611617ab

SHA1
331cded0f6af558602d8175cf423d4c58fa712c6

SHA256
fa5adbb5f00421cbbd8d7edaef27894fb9c42a14bcc3c32541128a521e91eb73

SHA512
19842366cb7eef656056881b1b8836873b689fb69e66656e725c3b4b8144905cc50a55348cc0d6637c255402b7d754203b7e59a005c8a9af837ef5a2eb34430a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
a30add4e2b530c43555888eea0af01a4

SHA1
01f484023f24ac02c10748844c3d9a0bc21dfaca

SHA256
4f471a96281f8dc46a4e60d13fc900f7dbc5fc3e14132f205c1bf8e44589f91c

SHA512
9cc9feceb53dfabfff17ce23ff17a98ae0b42a52280a217b8fb451bc6cb5ab96f9195ca5de28d9c83b7e1cd06d772f5df48693830025a9738fe48d19477a1d55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
725512cac0a14f1eebe93eea167240a9

SHA1
6e3995f3a4c0c37042d783725122efcd462b55b7

SHA256
10d1baeeb978fa5b1a85abb1be0eefb834c06bd040ae548b4e6e99f557b2d410

SHA512
24b5d59fe250db5623d8a6526cd6ad3b2f1eafc977f87c877a7021a0fab8aca6a673071700166342768a68eb4be1e1fd2ff1191050cc2e860a07fc58d778ad89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
bec52c9904103b4f1290f832e84dc10e

SHA1
37b2258ef16ff39f40dc77057f0799e046921329

SHA256
9e7b482c52f06ef19749c2adfdd692374ceeb6f755a46729b2700c99306f952c

SHA512
2d0760bc43f5fac63887bc871b02ae225f2dc3394c43749403d2ff92be6548d25003571e1831d2cd520af72c7acda35866e3e132c41dcba9f75fa21dba0028f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b0cd2f042ec8e18de35fdd77b2788cd8

SHA1
22debdf057f917c3fd4524ff6947de5c0034bacf

SHA256
742de30b5fcc0aded75d54270cd9c9a7eee7fad40294d271b845068b4a0bee87

SHA512
3d24c01ed82f3bb860fd9853c2f3f9ed4928d6b6410d9ff7864a43204fc4128ff6626b4351a61eb960a1c41c43b9fb7fb21cc1577791658a60d599d56de57ac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
7d918f87f9d6454778880282b332c0a0

SHA1
f4aad31de3039bbeb288480e9e7479c2b68fd8db

SHA256
9a89d395ad32927b39b83de674d48e5a82316a11bb40f957650866d8843a7a4c

SHA512
2191fec69d951e66892f932a2aa7bb0b2ea6b7ad6f301f3c8caebc329eab110659d5a74ad9864cc6741aa8dd5d42986fdd630b8999066f84a6649aad1b990a15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
6800018529047e01ade3b72a1744b062

SHA1
59c20cc00c04a4949433d725769d3a76b6ac9613

SHA256
bdbcb239944f75484a94d06041439e1aa4716a783709f722c75824aad8b678e3

SHA512
8a9d647fedb109fe3b03da858fa62b7ecb8679f441514f44b1ca7099e3be07aabf7042d5bc4f811fdd88f517675f83cd1e5f18ad1e2cd7245e82db797593caea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
b6e12722d6cd652ab1fc2de6d7a2a23d

SHA1
469bd9562b6ada9547b3d41fe810fea41fd62209

SHA256
57f6e921d7a49b6480512a284784d945ec4dae7e9de07c512ee934c0ebd2a116

SHA512
677284c8e082213bb54acb0e2aeb4ed378a5eb3c099f35fb1b1f62f07ec1cf219d098c8046ebbfb863b8ffda49b62c7cf60e423928e7e3c0436d723e902debe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
cebff912d33958161c92ebf4709674b5

SHA1
b715cc5ac6a2f43e19fdb2bcbb6a0d23e58e1f22

SHA256
17d2feaf6ee201b34c16b0a16cbe5e3b403d9f7a8d9465780dbe57ea0f3b7290

SHA512
9e31a66c8a6e04a21032d45e48760e0d836b99da478656649dac9151c2accc691a6cf845c441141e0a0aa6e5f23c672b37651b2cecf4eb1a6c1c9d35a434b3c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
5ce2802a9b44c6b7954f9bd1a10c1470

SHA1
0aff487c9a7c7f79d13463c77dedac022ad865a0

SHA256
8dfaaa364a82fea8e2f2cae21ac0ac02afa6d78069b24f3ac7e17ba1de376a0e

SHA512
08676a5d04fab8b93114ee501decdc72a091b17818e2e503a065ae65eb121ba99f7d32c0c51f63167844df7d2111aac54c8fa05f1f0f782067ebbc42b1cadd63

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3fc1e0105adc291f764ef0dfc2ac1fd4

SHA1
0509949fbb2c60b8a65052ae5264f9fe485e0baf

SHA256
58bfa9e04d53f4779b279f96a046a312add9b3fa574a61c7eed146fd59da322f

SHA512
7c8b31054f0cdcb4db1d3082fd9c276bd5bf3fae45c15c211774420579c561248248b1a75cf5e8d4e186d15baee047065b62a11cab7d02f01a2d1fb2bbeaee67

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
43124c9fc9912882cf831ab17700f6ff

SHA1
32feea7b88b13f094125bb15e17c0174b26115f3

SHA256
b1b0c675c0af468dbd2217c60ee831efd137ed7be5afef4d3cae8cf84b32e39c

SHA512
f1354d09f4c57d8de8018e40ebb3bf4c4bd2880178ee682fdd1cd59f9a74017d68f033662325849df282e069bbdec3ece33dbc9d7b3ca851d121ef179009d8d6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
feb20219130fe98b9f4645e3bfafb250

SHA1
f70448e63b41fa64ad42a8cf1497489aa5ce740c

SHA256
da5b9edf5f5a98d59189a4be561771e34b42b1c5c29f8e5c096875690566cb74

SHA512
677ca0c05bc8face3d8b15d91e46d8faada32514b974a66481a5d1fcf6f71584573795ebb7875088a3b9265a1dd38c3bffa721c7b899cd86168c8f6020d2c9d9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4fff96436531ff523bdf71532fc9b88c

SHA1
97d58251f5cd4e5e50bc104804cc5c15e4360e7a

SHA256
c3899ff9b4036a416435015a4c2809289ec76882f09ebd2a1dea283431c99e50

SHA512
4dd68a410790fde23dcf5a09c5c03771828e1e28be14208f62191ff184e1f4b1483bfed06b61d99aeb7c4fa63c3fc7ba9cc2ac302e86e3a47d55792c840b63ba

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
b0ae1c1b1269974fe1cb08a6c04a8ffb

SHA1
08250865066aa1c9577901105cd4f70c1a4fd912

SHA256
00ed756ff2428aa76af025fd6a9393d6216f43303714684d30c7b51b41027b8a

SHA512
acf51aa98fce4d0cfca3db17b02703c55f20929aa8e47ad709ceab8c5b0163b0927a42086db32eafe8d3a7d619a5b510f05504b522957b78401365de09c73852

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a9b398b37e65799604384aaa7533e085

SHA1
68f6fe45957e16d74873fcf082310701e5acb32b

SHA256
b558701e1944c3096c5de6412ab22cae866b31991aab908fefda0035a323f8c2

SHA512
fb567537d446d9a7e22629e2947194ea59e4c0c402963e720e77285d7ed7126532d543fa9981382198f79c4a33474bd68ccbb1768b51991bbb23a96191e35731

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
bf541a85f4beaa3b0766cad38698da26

SHA1
13f99a7a58ad85ba1662bf4e989d5b9cbd66576a

SHA256
38b465f1384b192504a05acb247f28234c50704b94930a90b38cc1a121a3ce78

SHA512
c3d9c0218024848c4930f39abe034d1c0d621553ad4d58b6447308acf5851e43225f482021a1f5e1e7adec9d115499a69f1addf76972362eb7959007b1614125

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f4e3f4c8219362553179a4a94ca6f2b4

SHA1
4de159d915e7da12548af540cd1cbf842ecca9b6

SHA256
a96efab46524af802b872b433bc8fd8c2feea0dab6c28070fd153745f28d8ef4

SHA512
c8e5b016e899efdec2eff63fea9a42667f069b51922cd4d4e06eece301863f269d5552d7b2e379485f8c75c8c0f79b2fe0db85d36321891367c4be522ea3b7da

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
dbc0604c1ab6755d7934c673c23842a7

SHA1
8e973735a33f2a8642cf4fcaa2ad4213736b715b

SHA256
3ed31514a4a79e6cbfe255e76c78db65346dc22be70ba44f7125ad1c6fb30013

SHA512
bdd0b5893ef460fa8405810380a60499fcce14ec34a1b94992554f801cd0407509d9a51363a85f13ddc468bdee4560998320c8533712ff19767d8ad1d5f34be8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
1c2b9d6d853b8117ef9cd5f80a439aa5

SHA1
36d088d48dbb18640fb4d5157249fae171c2e944

SHA256
13dc881ecf4d91adb20e073cf9a2a652e965b55092b1e6c1533206967bc1f9a0

SHA512
ebe9c23eabf0bc8440678bf18108b5bd5a0c6c3ef8ab369d605ac8838788b97762f8d8273faaab76b2c3612667ce93d3a4ad5c10642c64e7da9eb1f4b794e0b7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
51d9e86395bb9124f8005b65e7eb2179

SHA1
097407e5c2f568fae1d5bdd24db895e463155db0

SHA256
b9c8cb6892eb924fd802431cb7b0471d51831886b122c05b1bed0c46974aa73e

SHA512
6a7be5a22a303f9ed74b7dc507c89f42e0cde597e4342ef40f6256f69a86cf2dc86df9fb2584a1942d2e859e51eaf53a17374f3eece8b24bba707b480df31d26

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7705ad5665313d26115676e83d3cc4ee

SHA1
78043ba710bfa45ac29ed8a0a7dec1b59669f8f1

SHA256
c791b3019daa399ffc8623aa93441b1cdf11e6e0be5e48fc1695a65b90f87a71

SHA512
b93acd082a58b569700aeac3805226c67e155e48317290d49d6273aca3a0720c609b3952ebec337bc58141b246b09b278732acc585a8c3fb29775ffbf4851ae9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3fa2560d08534cc4093e20818a8a1895

SHA1
145f6e10d93f566b82aa31110a458a63617f199c

SHA256
2bf950ca141c81273a6137b47225698d3f5ce076dcee77ba326c71ae7c6fd9ea

SHA512
ec6ec80ae7ba610e9b261e44fe09acb2a97ea0314a12f73968c670d13dfdc612e8834cf501e3a248d4111b6772dc40af1b52bf3ee15ace025574826ce575110b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
68ce5bd52bcd245f3f38634dd4ba3225

SHA1
1c29655b2abdb54b975b65a582ee9e5ee9bc8b5c

SHA256
2564221ac4edae6e9a12313e479c8bc57bc5c8ad77d146f732b514f8f12f24f7

SHA512
22e57a36f8e18d02df870508670ea288b7ec5b9d3041ae5a4939deed821878abaa8d06bfbd03ee951d7924b9f6169254f25fab0c5720521af8c3f5d37b1e9052

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
723a5e68cace7a118ec4324dce14efbe

SHA1
321e16ee95a313515016f5ae0615cf7fbff9a782

SHA256
a097ed34738f33209c2f52cc8c63383800d506845bdbe55405e34a2158765b87

SHA512
bc0a1b8e48a2464e4972782c524cfa0490aef4481b6bb873855cee01fe0b1edcf5753f4589417e4b702ae41d17dd3b93aed6043b89d351f1db33b6e4ea654616

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
67727c26c58c56dd7237f0c4126a9d6b

SHA1
7478b947499b7cfe0e4179e1c22c89a5d6bd58b2

SHA256
54e46606a714786aee91a12d4825acd960e56c18f5be4f12ce621329b285c7b7

SHA512
cb2541ddd19a855a28bd2344a9b38cbbd984cca9b608b27005c46c09a0192a77cd5a5f7be47ae8102fc1c4d645119e34288e9d3c2786c0e482119f188bcb5740

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
0e40ca77771da13f11e4faef4c7e2192

SHA1
9d43325f450bf457e7e65387c390750b222eee8d

SHA256
9383d5451a82085647da5214ea81dee2fd1f840bf04c4728d6f10b209135751b

SHA512
693d566cda5c13dc8c9515dab5c62a4646da298cfaa2cc44082cc9a52bb8d8ef85b63a86b91472a9fe16ca5f55c179c98a7611f214bc633d7d0d1f5eefa943a0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
1d70cec30c7321b5963656a144008e1e

SHA1
52213f9d218f75cf138803d26cb808b05cd5c546

SHA256
70f7c037f1f1f06a588c51a0480bee8c3ce32f9c6b1e8145745fe56a76127ca8

SHA512
19111d6a31d74f84ffcdb08e9fe667b67b2a5ac148bb4d9feaaac4def50ccecb79ed3036a114b781393f3265907cd32aa204b76b689fd1622192b0d6eed37301

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b7bc5dbd9194631de5a524cf2c53fe33

SHA1
d125aa21e10f26998755b395080a1a45b314fbe5

SHA256
fcae7e1efc9353e9f52794b8c82da7471156d5d0d31fe23c5a45da0e7fa14ef4

SHA512
ef92cb8edce618e8813c816a61bb2b76dd2ef490847659f586f67da2921294724bda1409e33d4ef741a046c2f04cc692325f3575821e1b015503e763f259e928

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8ca02576bbe858cb4043c91aec0fb7c4

SHA1
52375536774c5a236950cc05c00849a9b5a5498a

SHA256
272db5eccaf82d557233318f954256d0a1b80c6e172f3a65d4b65b5674511cce

SHA512
ad00ebb81a4fb85581b38e7b56b7ac653390bfab500eab6177e25a2348cfa6994753c46baad75f5ec13c89b07ff3e097d49acb8b5d6a5dab5b5b2207f0bd3316

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
852774c14281223ea8cdf4afd901ece5

SHA1
72ea72912cf7eb354f0a1c645314452428da678c

SHA256
780ccb9da71d7be2cf8b0e0709d906c5d53cd5e92ee55d5d0d64c229139f38bf

SHA512
7458f0758fc50137044d51b836dbd9f83e122d714abb0c9d8d6cc88ff5cd93d85543d34140c6a97cc5b364bad50896f2ae01067d8ad47081a25ab2e916831035

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7917bf426d728033a6330c6fd1c13777

SHA1
c6a788002c46ba1e44efd1cefc4a6062e112718b

SHA256
45c0bbd9add807d47ff9a2650a351cae2a91f9c123ace5a9db4d46cea9e127a1

SHA512
c6c1c0f39d52b14693234e8fbc77311704361480814e3d12b47287b230ec114310310867cf454a5f48cd55567e3e7221040ec6016e26945dd62ffec052dde28c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
4d281e30665b93bd4c1a754df263a37c

SHA1
317cdd3b6f5d9c0247fd90c3e7a3d15ac61eef32

SHA256
022f7724e198640ae52a46ba6e5f6df332286fb932c26404d86e0ce6a87a9459

SHA512
a30132b3815861a54839cbc6556efc7bc650a8050b0849107ab20d8e891b566703f95506ec3942c948aaf651572d2632a4a58b443015331e3c845760d4ab4cdf

Download Submit
memory/664-654-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/664-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1040-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1040-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1104-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1104-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1104-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1200-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1200-653-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1468-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1468-648-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1872-650-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1872-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2016-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2016-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2320-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2320-463-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2600-603-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2600-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2600-2-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2600-101-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2600-7-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2600-602-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2628-90-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2628-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2628-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2876-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2876-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2876-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3036-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3036-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3196-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3372-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3372-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3960-21-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3960-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3960-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3960-12-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4040-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4040-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4040-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4040-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4040-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4040-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4040-655-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4156-644-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4156-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4760-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4760-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4804-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4804-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4904-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4904-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4904-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4904-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5064-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5064-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5064-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5064-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download