6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
Size

1.8MB
MD5

31d49cf2c39023022186dc1da3ad0538
SHA1

09717bf6a2c5a8855c798d82bdd99bf19ebd396a
SHA256

6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac
SHA512

47d7c1b645f6d412038fae8591173c22789cb79bc24ed3f41e27ba5e8c10734c4500c44a5e2e51dd81e2a51cb329f5fed34b4a8530e9042a83c1e2770ddf216e
SSDEEP

49152:bx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA6nY8pfc98dc:bvbjVkjjCAzJfVfc6a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5052	alg.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4648	fxssvc.exe
3136	elevation_service.exe
2736	elevation_service.exe
4560	maintenanceservice.exe
1268	msdtc.exe
1880	OSE.EXE
4964	PerceptionSimulationService.exe
3644	perfhost.exe
4368	locator.exe
4976	SensorDataService.exe
4536	snmptrap.exe
2996	spectrum.exe
2452	ssh-agent.exe
4488	TieringEngineService.exe
4648	AgentService.exe
2036	vds.exe
3808	vssvc.exe
4580	wbengine.exe
4108	WmiApSrv.exe
5016	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\locator.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfa91bf385ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\System32\vds.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_vi.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_ja.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_ca.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_et.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_es-419.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_sv.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_en-GB.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_el.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_gu.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3CAB.tmp\goopdateres_ms.dll	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bf0d8ff5499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015cba4045599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052e1c2fd5499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000092812005599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000869884005599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000108536025599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059ed08055599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000941fcc005599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d77ec0fd5499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe
4416	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4568	6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
Token: SeAuditPrivilege	4648	fxssvc.exe
Token: SeRestorePrivilege	4488	TieringEngineService.exe
Token: SeManageVolumePrivilege	4488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	3808	vssvc.exe
Token: SeRestorePrivilege	3808	vssvc.exe
Token: SeAuditPrivilege	3808	vssvc.exe
Token: SeBackupPrivilege	4580	wbengine.exe
Token: SeRestorePrivilege	4580	wbengine.exe
Token: SeSecurityPrivilege	4580	wbengine.exe
Token: 33	5016	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeDebugPrivilege	5052	alg.exe
Token: SeDebugPrivilege	5052	alg.exe
Token: SeDebugPrivilege	5052	alg.exe
Token: SeDebugPrivilege	4416	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5016 wrote to memory of 2212	5016	SearchIndexer.exe	SearchProtocolHost.exe
PID 5016 wrote to memory of 2212	5016	SearchIndexer.exe	SearchProtocolHost.exe
PID 5016 wrote to memory of 1556	5016	SearchIndexer.exe	SearchFilterHost.exe
PID 5016 wrote to memory of 1556	5016	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe
"C:\Users\Admin\AppData\Local\Temp\6045291692abaefb4e6e71cf661fa1fb3f9e58679061d93fb43fb2012253d2ac.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f260550a999d30a218564feb838d58d5

SHA1
f46323c923cccdf5db3b88707e8b0589dc28ede0

SHA256
1800669dcaeb46ce6854605784e293905e7b16de379587579039576a222cc273

SHA512
54150075d075c75de68fb4b55c06a488c2855f4fd452102c04ff7262e8904106ab68aefe1c7c35cc1ec41a84b1ecfdd907bf3f09fcfab1c31cff5333945c3b89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
44d515e2974379163a1754414c5ae0e5

SHA1
cb271d2b384dca7a600d6c94ebedfc5ebbb5d458

SHA256
e0594c98e4456be3cb45859df12d8755760b533a6fd0b5612851ad094addabc4

SHA512
23d58bdcce376ba6c312ec602baadd203d1270ec8e14e8941379c7c23934c6c73232f6f2cdd05ea2ea891ea5568370abe12ff6cf5919a405385b280e485ce7cb

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
45b914a8c1e3b7e9e87fae19a68906f9

SHA1
12f394f100034e222792b3daf8431f9b0f1dfcc9

SHA256
8aca2c02d797aac158c65367092f60b58e4c7013d893a0c0e7d8ea8af35ca5bd

SHA512
83ab9f1e27510b8db4b5ee193d87eb5b4f8a493b82d7191ce1992a6e2abc7c883e1d9f4baef09374c16911d6053f08270a57afaf18c048d2291171896f222166

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b9312bf7e2922a94a65a286eb308eea4

SHA1
c021534ce95075385c7b58b4103dbbea2cee174d

SHA256
5c48700ce6862194ef2759b43b88a1abaac0725b25cae4a5350ef4eb627beb9e

SHA512
a59846c74533198a87fb9caa7472a59330061babc7353828770c78ebda2f9c265f641350a778ccdf72fac9752e5e98d9dc73965616591725ec8ac490f7e2c038

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2c647dc573986ca9dd6a0ec59738c2af

SHA1
a4da55deb80642cc0d2f90348325d70994faef08

SHA256
3b797a5195f4d41c9263dd4fe436ee1f2020b15faf5fd87b62afdb524b6c50dd

SHA512
1929950894dc9e4a0eb4f2f9869bac1f87df1694a5103dc145f21ee507c97c1679e17c416d5ba8db102cf24b3ffa3d8c139136d166187beee2981ca667404d1f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
161e2f3a507935b54209abe618d7ce68

SHA1
482e0720b19db1ad051a32a2fbfae69c728825e8

SHA256
915d961ee550440ec6554f48224b86823f15d16cc99438a6fffb4b8d0a0c2106

SHA512
b78ad6b6e28a289b90629f1b0d53ad487ddc32131f29ed37fbf460c0eabd8792708c51160343bf9940a6ab65b960d3e6ffd1fa36991ecd4574dfb107ff7cf788

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
5c5a876787b5b3b1953a0edf941a4408

SHA1
5fa340422919ce295019b188addecc955e49b2ac

SHA256
40c9adb3345fec72f976cc268be9d9367518f91ac5f40d71bd95c87c923dc20c

SHA512
b1dc9c07de10ad0490caeeb8565751673ae49974ec7237c03d8d97ae40308469cd532f224441f5eeacf024eaa255b2fbc475dfd9fc7f4e228f1297ab8f994a45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
766725301672791146716d48d27a5fd4

SHA1
a09b17096a5b35c4d7fea8e641099028adfbe42e

SHA256
5dc27f454ac97ffb95c50e7d828d9d922e5c763b413b9e586f123bfb9bedec70

SHA512
7bdb6d6b24757f57b0962a7a2717340c7a9ef6644654956fe77b9b09aed123877c6a293a4d0b7bb28bea6bdcf63e65bb75d4e55c35ad5dad17dd1762d66575b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
d8cd85bcbc14e038b9ef12f08db138c2

SHA1
1f209df281eef9ff05c4c76080d1605c7f9291b0

SHA256
c8305312e4b74c2f568fd0052c4bc5012740d61e262d2f069ae6c1a38d60f789

SHA512
239f52f22a19e7f36dbd97a2004c3e1dbcd42aef8522bb89d934829fef1dd8547b028a7c6faf0f37103be3e7253ce42a3819a16d9022ba3d055ac90b714138aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ad026040aa1285f2747accdbb3d79183

SHA1
5fd331e866ce039bb64be67d6e0eca415a6c34ef

SHA256
354dd81cdfbe9a492e0f8f10af7fc2b0b049e93ac8a3138afed5c0a580bf5be5

SHA512
43a7fc67ddbc01e13417de6ad9d7ec697b087454545dd9ad3e90a40dc043e1cea9e31e7cd5528a7244065559d6328b9dafd1f73b5ecdc7d6d2d367d4c9ea46da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f5f7f110acea4969479880e70c53686e

SHA1
a187475052fabd2806fd48d1234a96e40ff97e43

SHA256
8b355201d28d4df21fb94dfa6233468a19346f605fdbcd56846de0d954cf23bf

SHA512
cd501653b5d0b1779da24854acb16a445f9c303ea8dc7b822c0aee3df0029686edaed91e882d802b44ae0c4b08761757188a935b4326b8503e05ec54dd62dd95

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
88d908a9f2411467ed8cf933e429e490

SHA1
195b544f013ce6c3a95bbb17d82da7332edfe923

SHA256
95d1406d6c57421b7fe151b138c9bfc1a44127a8397d648afdc8928674ddd096

SHA512
dc408b67cb412c7ad7823b3b1825e9681997688bc26d7cfa1786124d859fa8f0e5c5a074f2bf703f89bc322bd3112d8692addbdc3950526f269dff76ed6a65e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
57742fe3cbc9649afe07c1ecb1936e7d

SHA1
91ee36e16ed3f1b1b7205336e4814002bbb1e3a3

SHA256
b3def369d75f7fd5d3b61d5e8c9e753256794b742ffb20591b08363ac86b02a4

SHA512
475f0162ad98dbe004f0e6f829ef24d2c690968157492d3f6ffb111721824a7ff9df79a198edc30b1237e69a74b51aa190a80d3203d011a8ea3c7c82f8351442

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
58f3b2b62e79f3490f963c44c690e561

SHA1
00fcbf07b2f3a77fbd9b85c2035e12092f1d585c

SHA256
5284cb855f28d59213f66b5e23a663ea70b46768541d303de71ba823b02213b0

SHA512
818734e4207fa67ba7fd75a3c2332b7c56b8f90484ac52640ac640f755b11f311b23a1975489584ccd3403422111995605234ffd8e4d0c1daf70c8238846fb94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
3530d1747d2ba86027c076b8ecbf069d

SHA1
ce6a76b45a7ef4c9dbb2c862641c77aacebea8df

SHA256
ca3847958ee7d75a453ad294b796dc4ae59fa944e67f7984471175b759683c9e

SHA512
39f13992cd2ca75f251f6112fb44d4d8acd0e1717cba39f52122c6beaaad36980f7beff131e8dfd6f3e8d4fc714bedfd7e7051a597ce567838d9bd7f27146b32

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
32d1e354070e6ae8bc18375eef63d417

SHA1
4e89e4adb06674018e165b1513fd961d4f42b1d2

SHA256
3dd9efd299698fb6a878445aa2cc55e0d31666f4c6f1bf3140c9caa915fc49f4

SHA512
e90d52be62334189632ad6570015ad30f11f223b7650707ce566942b42b423cc5e4a7f45baf3e0a243f0ade340d2ef9af029c2baec364f780452cba03e15a405

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d32024f7c1d39bb118aa8ffaababaf70

SHA1
c7d16618d0ab2d1e01c19e1be5e51dd2bd3538b8

SHA256
abbba93eae56a12f01d93ec5a989662915f5cb5852b9ea7b22b8d835ddb503e4

SHA512
fc9910ea32a1e2efb54c5111c5508df46b520bd29e561d4781ce9c20c4b4095d700c7b9ef4b6fa71f25f3e83dff3775cf639f2903990dc90a54f8740d39b9977

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
1b423651c76efb8a01aaa588e5ddc623

SHA1
0f011fabab1bea784a4584811f673b0df1d13bfc

SHA256
bd86c2d05ceb8b3921cecfda77d272ec492c4764fcb67f14f05d15259a907483

SHA512
acac7172add96162fbec554eca04f9ff231d01291031e2aa2c3684445823d05a3495abf047306576360b39c1a5dd45efac88edf6f9f1b3dac0cdac630766f986

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
b945559c6b5b360448195c7f6c470339

SHA1
59d05c3e9e778fd44a1523090321871a57a97007

SHA256
a09d15089aa6e5dbfeac5a05767588f8def4cb7eeb00971370965021ba87e66b

SHA512
8c4401ea50d48b3a1f9ad4f48cfd6d11ba967b525e02f0dd2355882c657f90f4144c7d69111c1e5c5c13916cb8d16d27b1c9cd119f2da9f9a5684998e4bc2b51

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
5dca61cc5f8d3149cc38e7e6594b7c3d

SHA1
7a59e4b523d0e48f91599ee658753dd4f557f4f6

SHA256
fa071dfeeb7c65eb2991260d7841836083be0bc2f2ed34e6b4b4cc39f0339409

SHA512
4d4468be234367ba04f53064941a1bf946e0c41e1d68aa9e125f58142089166b83bf48b3a5ab9ca046c739e41eb924a141c5ff8ecaecf6a372b82f7a2c2376e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
a192bec7955a36225a682a19457a6ab1

SHA1
0aa1a6d2f96e6ff5f5a18cb074180803ec8f7b03

SHA256
03a55ac4216a5a3924f44bc8a4ce60b318f5a758c82aca606d2276de21ae485e

SHA512
4c91d4683501d6346ecda0c60a686478d2b5c780aa13b1960536e070d37a2d449625f2aec673425a46e6ee7981ee2f9a6d9cfc5e4594f792f8ddc1b79520e9ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
0055e8c6cafb9b8319176d2e3da586f3

SHA1
ccbd7ed51a84fcd0721089e3fcd821fded66ab29

SHA256
1946d144dc0734b2bbfdb3142efd1cb559cbd85d79d7dbbd28844f143ccaa493

SHA512
2feb1b84ddc8c2e9c2164b20e473ad342cd5cd53a06f0fd2410a886fb4690e64c1f5299fdb4d61a8ec9349bd910e0763bc161417d04b17d63a10e49eb40b7c77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
54da71a0a16007d82a0a79450319ca52

SHA1
2f4e71b21a7ec9949e63a665c232f695b832c980

SHA256
f09bfb268a88eba490e3bbabfab9b7df0f8adad3bbec096983e676dc4a502433

SHA512
34ce6d66e615c496dd1e2338074ca82c08a48c6d1a41f317e9dfcd9dbce6c903b2d5a3502c99abb99a908dc4bb767d2f3e69fbbe9752d3ff03994978a1970f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
cc1e4ce594a69535b737bc155b0d4674

SHA1
c0595d2d3ec2debaf5b0ed4d76467369273c4a5c

SHA256
b78e24257386320402dbd0ee45926c3ec3149ffb13f4e5890cb0b0c6e085a0e5

SHA512
f93b03bf01a45367608a0762f7e77df02ad11788428d6b62ea1423a260b741d4f150ed114b05711962967e825dcd416f0b67da353e7c934dabb81148fc5cfe60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
ed89823c4ec4847e40037502e69a3b31

SHA1
cbee026647d50ebd02b42b696188b6e08e1b511b

SHA256
bc3ed9d7d2ed3955f1631e84a8726f51375521ddceb5e8926e2f00299da7c59d

SHA512
d1a655cfa0eeebbc174ab0aa06564ae40282f2c0747f959111529d384f9cf815b714c3a9d99e4351c3457925236a97780056236d6638ba7c222f6afbcd5d598b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
8b17dd62b9a101c6ec17e35f5440856e

SHA1
e1965f1076c2ff5afde542d194b8dc279f23279e

SHA256
06764187c0a50ca2b634eefe0ee1318c60fdc02e4ada31694d69a0611867ddb3

SHA512
866537821f348a40cc3327e0201994bd0eec6c5eb5b4d3dc58bec6119b9a9eefd1eee7f8955213717028d0535bd28bb987e6cc4aca6169436b4dce38735c5e46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
54424663ed2fb71efa39472a233a381f

SHA1
06105e8418e99c13cc47c503b929fb2d61e13ae7

SHA256
45bfada6fd9ff02761012298cb8a02c930180f8a150cd478a57de0cd3feb4802

SHA512
87442f0e2741fac5d4477e71721194cc891c350e644373bdd244b871f7674826f78d8598c1f768fac4a1fdc3ce97b24203f8057db2ea6108b01a9df2f1412ee2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
539f91092d4f157b7f93391d22486ea1

SHA1
82f7ccfdff32996ae9dc784ed85d0c56e1412e9b

SHA256
050037e7432b57e2a61560b88d83e2c27578f13e441baf0bf8639f049b48008c

SHA512
585ffccb53737a2df4176396f874cf5cfcfe08904f98cc2c45f31d4da3c0ef77aba8341698200157779117321cca4e828055eb2b34c1a920331b07700be059f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
a83aeeff356c675404e46878bc598494

SHA1
bf85ca6045e44a076bc129caeace0cf382aeb8e2

SHA256
2deb454753ea247d4bbc396366e4e485e824ed891ba1333a1d8474e2b102e5d4

SHA512
7c2b292f6dfa629c12c334bf2354c95a56c03e8099954c1153ab4960c7aa2e5181907331b78013437c597745e988485bdf02413fd4c14634c2fa2a090271f3ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
d1eec47c420b3df5dec8126931ba6913

SHA1
95894e13233b6f71837db1ec72175f3141b80b2a

SHA256
9b8c785c23417442235bcb459bddc74475f2d7aad23aeb32688f684fca2dc88d

SHA512
92e701bd08e895b5a90887edb127b2ac21b16e4460a4d0416b2dcf0f3efe8e2e0a5f49394560d5da52bc3937a56a539d3a2d64f4c158f11af3bd6061acbfafd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
b8cdf68b7b1e520bf660514d4a2ee124

SHA1
01ec91b1d14d667d2cf89ab9db2da968283124ca

SHA256
030278786723e748eb77c83a9630918634cfc64d0211583050981f72508f0c1d

SHA512
7148a20475948b9325e9713158207c3ec381cbe56ae7aaf61de194035639366efb3288d6d4d0a90c439be8f3cbaf1108c04dfcf36de926aa9a8c03393a0a5299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
fba504d566e3a0985abaf26c7fb791e7

SHA1
565d7f6040ed0844b2f22279b16e2214fa68d26b

SHA256
19d118b5e1703ab8b294f93f6ff2cf025ac3bf4a14fb854788ac2132a22b9e26

SHA512
4fab20926a160f48c5f529210b38ea8ed0e0c091d3757da259bf478e199b34cb06269e557c99ab0d2e243fbffde34f3c41c68d6e183bea873f8c4320589bf91a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
ff80f39e89c78462e857aaa82388a723

SHA1
b6aa7d445d11ad0531ec393a04f710750dcf0ad0

SHA256
acf4cd280e063eae5553f6c7324e41b1e9f614a8d63aa066f494ed2a8c629ec4

SHA512
044c50dda9b6a2bff02c8c0310dffaab04cefcb4ba9e36e9f83f8eb8193ca5d7f6e11cf86dac0d9ddf19f1b946ebadcccac7ac8b136837e70a56ae2805411f56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
63ef8a7308e474e6757c3d6b0af26087

SHA1
872e4786f3d0de9fb3c211cffc6ca78ecfc5221b

SHA256
f592a65372d4662aa995bdc797083614b4bfdb5734f10c9c3f4b563a95970d00

SHA512
40fe8a64f8a542e0e0fa20fdba6cfa298c1e120e8c8db731f8332eb9a2de7d47ba8a5cdad441c5b3af96eeeff5e9deb0e06f301fe8c45493c7d4e8fa33b55d5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
919d97ac059c4c1a8fc1433b207cf921

SHA1
b88da8647241be3fa5b02f8cfe71b4631fcd2551

SHA256
9f081567a1dd0e7fcf644dccc5135989033975554064230a16500efc48b1bab3

SHA512
8a55910c37fdc4e5d44d4547a59466c8ec9e16bdb8718eeb9473615f16d9965a47e15e166eaddbf99529d35ad40e96d4f9562a5b73ca4b1568a7c8afa85ea986

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
8817246b7d20c0a598605bfeca3529f5

SHA1
2e5866d8367416237efdf606ebdcaebea38c92e8

SHA256
b94cee3f035e8529fda1dd152467642e85cf21f70931410648e5005de1566843

SHA512
d1d711a07a2da9ad867ba32f66f41d7c7c3d3b64aae91e475d6f2dd7ca53e63563b346e770a31c20f7e81026085c03bd6e0c3c8fba311d64514e0cc722bd9ddf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
1201a716a3176c6bba110c88a310a81b

SHA1
5ad76741853b415815d4c6800f406f11a203c890

SHA256
541d891808ff501feed769bf50aa08d109a2377c68eafc402063d1244cc2d27b

SHA512
bb16fe61781030d022be50e9fcc998c52872b338ee684c0f9edeff87aa2d230f5ba2b4d9aced8aa0d8e90077e7368209fb274e7447b60570908b521defa5e73e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
98360a1d84b328a1c997c82c67bce937

SHA1
779ae0a6a1983ee7ca3e235bb2336c9aa21e2c2f

SHA256
c4c8f0cc13c231c5c7653a88c8422ba8031cf3f19703b3f8683bfba269306e10

SHA512
8c4fe74b325e55993db4ef8b09926527d85f9d6f012104a85cab83f458788c14705a2e36d8b481e10cfc5e5dd3630be4e938f36773e569cc38132cc925a2177b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
c76ecbf7cba680a44dcd042e06c56583

SHA1
1c1950be7239ced51694399bae4b5628b0ef2c93

SHA256
cf0fc3683b39f2450f5ca8572e2e97b337a58314b43af112dd03335c87dd32a2

SHA512
0454e6b787f2be67bfaf89778fcf2d9d2ada287737c592213c959eb3dd186d8076ed69fc49d89c2721d7465a3e8870ca8ae42b4db9b8c7fbd430d1653c60283b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
11091d92d537ad0ce891d414dfa87625

SHA1
96ff8b10cb24fb3aa021efee71bc0e2b9d29efbe

SHA256
efd9e1989c12e6551130979a6ad7c3dec0b512de59a22580631d36cded3c2398

SHA512
710e1bf32c36700e587af924266c360c5b6fa1c90a9b20ff01f9522e1a5678c512c77b79e5a5d0f68cd56b2b438f3d068b4e3dafad8fe12562ceeb8ed28622e6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
52ce11f1df6433d604b69b302d1e8ede

SHA1
36ef1149212656137eb002626fb5aab3c2a14fd7

SHA256
ee39f0af3e036b88261e909ccdee710c12263566949964bd1b5e6fdfc768ff27

SHA512
a045beb5da1a2ec9960ef794adc866ea7f7f2dcdd01f6e8f455fd1f82c81c002dd1c3230d0953969267cb3ae6cd7dc6343a1a27ee49b27719d3ce58bce3ca4e4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
7a2a97e6215d6ac20826c101acb91fdf

SHA1
6c789ea5c73ada5fe7e8e9766e6f9cccc1841274

SHA256
7e9342f4659125b7f2879795425d19867e4e7b97d7ad1ecc7ce757cb07c75dfb

SHA512
3958f5329d01bca9126c3aa091bc5a5313b88deb018a1bc5913d55ac362fefd9687bc0c56d9e1e1712f277e3ff7daa20fffc06ccac184a71a87156b80854d7d5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
3182fb364c8d06a718d0bdaef7eb2203

SHA1
81ffb46128b75061ff0eea46074051972e75935a

SHA256
d0eb670d0f151369cbf6aa07a31aadb521e68cc269e966b41b1d25b7d2b337be

SHA512
908f13c3c6bd2ed1f2003ba9d501283bfb73d4398f89e2065d3147c1418715a2a8ebe555d75b75009f2685435c7ed0be9d62f75db1ba047d0c3afca56bb545a0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
2c5a9c9822d92a46bc651d82c66cc291

SHA1
9258c993b23a930bb51747ba8f5c2e22b097cfbf

SHA256
feaf886765337b8fdb62632ade15fff96bbf435b5368e8a6b2174841b97efd7f

SHA512
3e9ae9217c90cf22cab9644a166dcbadb1a10778cf4ac1b84a33124998cc2a9177832d7070b25353dc2a74bdc57b45cfeacd83997bfe93c7afe2e0a893d08347

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
1d69f67050a5fcd2ba43ca5e77dbf6bc

SHA1
33595039fed29c9a121021826a0e116c8e4390f4

SHA256
48f7d4b1509e2e88fbf5db789fc694c6cc3c79b108cdd9223a9130cec0d18cef

SHA512
680a4bceb1cc9bed97a54de5dd18bf1564774cd0d161c48a9b5b594ed26e11a999ba3964f0af714be52f80c85c19d8510f95e0ff367d7fcacfee1c50645e8a57

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
0215719e4abce896627513dc9690182c

SHA1
c922e3c1e8ea4248f14a4b2097a503c006a1064b

SHA256
ccccee0e932b4848c0fe695f5fdb4e4bebfeba465ea04cce260688b7677208b8

SHA512
2d8d519a1b18c68d6401e3a01b44b139a837db2b66ebf337528ebdeef095729bb5d77e11e7b8e66b2bccdb74e020da3e8303a03102bc32f0d4bef4156f526069

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
22245bf12fce1f16c5de05dc4ba0af56

SHA1
3e78316dde643e137ec2de4557a597837689ad09

SHA256
a3b3e06991d22de83475c903da22a95c9f330c4dcf4bb86ccd6193cc082a13a2

SHA512
5f4a732c65c48ca6b4a5928b4b82009deee006f7933b75c11e9e39cba44c9b70c20d8a6e58bd86c4a9ba3c543afa19d735ae7cc6eadedd54b619af950122abb2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
258050df09d0b6ec665dbfd1e696d5e6

SHA1
3c65ea5e16f075b58266db414ef75f38fe58611c

SHA256
89b93ec137429ff3d100d208282a130cb593dd29cf63582e10a8584a9185c8cb

SHA512
ed8e7afaa19402ca26673fb20499f05e87fbcdfa5ddf5348440a8d2ed4527f0d9081daf1d64b3a72537cdb3774ec6334de6531542a4c656d2b0887f33592dccd

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5cbf2201856c735bee132dc100ad4153

SHA1
36cbfa6cc39ebfd19fbb69f6abb9410a91e43e89

SHA256
dca8d605f0643f7b844bb2e583e06488120334d1872b27c0d56a3455b58243e7

SHA512
3390079955698f6cd068db8d13507634dd19dfd4630ddc62662873f1882e7bf7aa312e91ebe3094a98b4487927c0bc3427328888b5ccd0321a07bf229def989d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
87848a2f508eb9338c82e42dcb25d611

SHA1
1547d9e0f46db8519e3f5a361be7a389d15dd2f1

SHA256
06e27b9dab9cbc6af1028a064b9c55b0a6bc1bbcf34a76afaef278f09211fda0

SHA512
adb10819ad6481ccced3b49dd4294fea95b45d42d394d4452aff0f1e924b6b30f4ed6a0c324afe4705fc446f91a55412d88d88cc369ca4a6d527ee78d7ffbd4e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9d8917a2521633b38fed7b5da938f680

SHA1
419372b201137b53032de15513842ec3b8fdb066

SHA256
afef5888a531a6478075359a108ff48926d1d132ed77b6d2f4140ec83a3fd044

SHA512
dc14fdc1554b8eca05af73b15b98e84dbf731b6a48529e5de852b6373788c29e7dcd56326e48597e77fb7c82aaed99855464b60adb00fde489ddc79cca97e2d2

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
df64c5e05ec469f00b9fadfa317f0de5

SHA1
fc2d8d600b55491fbc2b3aad9eb0479446406601

SHA256
43866394a8b06d430daa006a3211788dc79195a46acb345628c16d16b4a5f0ec

SHA512
d92f8321c5f3990ccea774000a91b7f65615fa110b3be7d0d6c7e15018aeb175afb401a5acf02396d7556639d48181b739531a3598af49892b0e540288f30413

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
be0ded46771ceb2d3297bb9699fc627e

SHA1
ad1e53e7eb463a10e8c26f0e3f1616576003b034

SHA256
999305c7a3734e8932050d17b64128e295c144bb65040be18c3b0a3db47688ec

SHA512
2c65bbc94addc1d2ed553177ac6beb23a79de34378a83f6e278282e4541812838dc1d1ec9b51b461ed0210bb3fd4ae6c0ecbec7691f9c75f1c2c76e3581305a5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
38e15fd4b32bad865776dd9092cb33b6

SHA1
dad601d65d2705d703417f9a0b941a2f39244eb8

SHA256
4758f0fa4a43942f99598a7f52b43462e7f244c390e9aa86066f0f02a5df026f

SHA512
0b15fbed93ebb70a6b43dec81817c2bcee03b5fa731d124c055dc5b229ec46e3e90e03982d127093ae87351885abcfaaa4762105e56391b42d501b8329a71003

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
acede1d682fb3977a50c14dd1a2b0adf

SHA1
af456969a0c25e38a84ea9466712c1602bcd4fd6

SHA256
167082ed19a2d041aec6c712d42a8299118415133b3681ac6cc72eb46cb0ab1c

SHA512
a91c32dfd97d5924a87b44f655df5326c7be209581fd954f76044b1bc5fd6060e494844035f8f14a27d686eda6b2f791c7733386163a4afc0e563c77704606ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
d24e15c05284af2f5bee807f967835da

SHA1
f545633f7864d554536488aed0f400f5c6f94513

SHA256
49303a0d3a718faf8869c43adc56b642a75afefae2d4f4065e7f5f6adaeb37a8

SHA512
b428097e88538aac5479f08395806e841a2e4e2d2858d3b6d948cb3285d8a1912a789ceebb417a788306c0bded82b3392b27aa3592aad94d79c8fa83528d4e28

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8b54c59a5e6685564d3457935456cea4

SHA1
2b96cdb5bffdcf2fa1fbeb942f3e79a0dfdfd63f

SHA256
55c68899a87a58b94bdabed049360e765de5276c41bf7d05449d14b524343092

SHA512
c7e44a5643f38e45685b49b2e0c6bf50cdb04c179587e98c1a612c55e4182a0db3b840214ecd158670c35b8ee533d126802ac566dfdcb4eb95111cbfa47879d8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a12c42f6bd27cc5e70b25c948da1ed45

SHA1
0b8eba74de616d0405dd7efbbd54337a692858b1

SHA256
712b37df38859dc299b723b392c740f672729a60923eb1759ea49869f72d1ec2

SHA512
e8773d1b507ad97c1f372c954a11fe9f0a9a13dec2684c00f65c18cc60da8c130e6e829fc59348a5d5bfa9e090946020c6453c3aa319702da6141d47998659bf

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
c9820813b97611ce636abcc5e54ac55a

SHA1
0c3425f6c4ead29af280de6b104244721f78bbab

SHA256
9b1e6baecb60486ea50b2ae491f2c35495ae4f472657b6e30e2c8f1397871e65

SHA512
d0ec90a48320c2cc39d6c595af3224a70a15d034d14870f879ffeff5f1f7f87598780d8009bfb9b826f17d691379172e28bad11e1321860a4a39ce2956810164

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
51905d8dddda56315f4e36b394ca5521

SHA1
8e87148b98c3e96ef1cd357bdce0dd35fdda6c8f

SHA256
ec5c4110568683ba77d7e82afd92e36f58aa7473ef39394f104cb3fd842d2d00

SHA512
27f8846c45b74646b06dad06934c35e07e780d2e858d0629185d359021589c5cbff64b00de5d19f73c283b96d7dff41fe9f769584f35a4a4cb21f1e2362a1a45

Download Submit
memory/1268-166-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1268-157-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1880-178-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2036-741-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-254-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2452-675-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2736-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2736-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2736-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2736-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2996-655-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2996-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3136-240-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3136-82-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3136-94-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3136-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3644-312-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3644-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3808-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3808-742-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4108-746-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4108-331-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4368-213-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4368-324-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4416-47-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4416-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4416-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4488-676-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4488-265-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4536-237-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4536-606-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4560-155-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4560-148-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4560-142-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4560-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4560-151-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4568-191-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4568-8-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4568-7-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4568-516-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4568-0-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4580-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-745-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4648-36-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4648-140-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4648-42-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4648-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4648-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-139-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-192-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4976-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5016-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5016-747-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5052-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5052-20-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5052-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5052-216-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download