3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
Size

648KB
MD5

3f5d7d7f0496752034a4a5f85ec434fc
SHA1

e2a10de26f642dc2812937d14a1ac14adef0bbcc
SHA256

3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b
SHA512

35244426176355954198634cdce7163da387a2c55315ad7ea012fa916d1ea95a87d1230e2bd7ae6db6a4b4f1e40b7dfc506cb6bd395ffc34b56f2138d69e6edd
SSDEEP

12288:zqz2DWU9UMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8J:ez2DW6atr0zAiX90z/F0jsFB3SQku

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4108	alg.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
2892	fxssvc.exe
3712	elevation_service.exe
3324	elevation_service.exe
3788	maintenanceservice.exe
1392	msdtc.exe
2420	OSE.EXE
3864	PerceptionSimulationService.exe
2364	perfhost.exe
5080	locator.exe
4496	SensorDataService.exe
2820	snmptrap.exe
1508	spectrum.exe
3372	ssh-agent.exe
4492	TieringEngineService.exe
3856	AgentService.exe
3444	vds.exe
2824	vssvc.exe
776	wbengine.exe
3404	WmiApSrv.exe
2800	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c426eedad45b396.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exealg.exe3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe

Drops file in Windows directory 4 IoCs

Processes:

3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ded953d4a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6f371d5a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aaa2a1d5a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebe6e2d4a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000579b96d4a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf5574d5a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6617cd4a999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
4312	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2680	3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
Token: SeAuditPrivilege	2892	fxssvc.exe
Token: SeRestorePrivilege	4492	TieringEngineService.exe
Token: SeManageVolumePrivilege	4492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3856	AgentService.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	776	wbengine.exe
Token: SeRestorePrivilege	776	wbengine.exe
Token: SeSecurityPrivilege	776	wbengine.exe
Token: 33	2800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeDebugPrivilege	4108	alg.exe
Token: SeDebugPrivilege	4108	alg.exe
Token: SeDebugPrivilege	4108	alg.exe
Token: SeDebugPrivilege	4312	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2800 wrote to memory of 3132	2800	SearchIndexer.exe	SearchProtocolHost.exe
PID 2800 wrote to memory of 3132	2800	SearchIndexer.exe	SearchProtocolHost.exe
PID 2800 wrote to memory of 4432	2800	SearchIndexer.exe	SearchFilterHost.exe
PID 2800 wrote to memory of 4432	2800	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe
"C:\Users\Admin\AppData\Local\Temp\3c853272725401cb4150b83349b7955cec3dc2e6f3059f1578709aa69506965b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3324

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1392

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3400

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3132

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
afd960d50d0a0767d06d51a85f90b718

SHA1
6a434293168cf89a34c36b1fa37a06acd43c1e8e

SHA256
fa7b46aa98680129f85b9914542711d1def2adc8f9e7fb78211ab6f04f48fa30

SHA512
ccb0f75c8c52111b88627bc67b95599a8c3812bd56345844893051a3b62a0a8554549f61c11ef1c9195b0cb71e8e1cf8d22eae7ded4313497dae37e8a22ea729

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
4e2758bfcafb28116537fa9cadad6f21

SHA1
d8f3f7874778ab454f859c561cb8eb3dfdf0046a

SHA256
17485437f2c4667e3fe6d2ece5961cd007e9511fce4b0dc75ce82b800242f003

SHA512
813cfebda095532aaa2fe08201e131bf38810dd0fcbe9c9bd0e7cdf28bd97ceb74609135e4316a3c9d734878dbf2cc21edc7a434359fb6a14432978bded91e50

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ce4b02e3420ec61be09c65f7fa969a3c

SHA1
43220a6ec4a58be464792ea75fc446f98b185db5

SHA256
181c3f179420ddc72dbbfbc6df561c626a96531f7c6b7d4ca4354ce58208786f

SHA512
0ed746086793198f3f9fb5ee6e684566757f575fead20813a2aa4ecb281b593c67fcb687870cc8844eee24648d961ef94743c3f9649c67475656d305467f1f0e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d301eacb4d80cd2cf0f4f9a4d57fa94d

SHA1
24df2633345c4172a2b887fb45e3ebd672380345

SHA256
657d0cbce3c043a7674dc66d66c3bd25905ed496fc9f6f926985a3a842c3d511

SHA512
d35ffd2ab18e27f3501dcc7b27bf20545e78e27cc3d495f582a58f7e7c8c988fb4cc1fc4307846f187ed15bb1b7b9ce0d95f358c8114f5015f7bdf3a9adff252

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f1c620ce327536f9cbb498da58e7ecad

SHA1
df0fd10b01f3e152ef3ac868ea79cad603fed8ba

SHA256
3dad2badbd1f586c623bb25e840ea7c3e08be0979547e6ce14fcdd352b3bdfe9

SHA512
1133f957826558764b96d5da679c85b405df3904828549c240868f9588b9226bee228604ea57304777bbbfc8f032a45c95cb4385b68da90759d88faf570aea27

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
bdf5070efc69ab5d6f26a0bf84d045f2

SHA1
c73a915e55cfbc6f2c6418cef42a5396bcd036cc

SHA256
c5a37f5c629eab1eb3d74d6bc1f5eca80126647f7aaf7a07aa9441190841b8f0

SHA512
27b6aa251dce4b2b252a3cddfbb2873e3e352c432a5782a05ea8fdbb0688644ab0437156d70acf7ea6d36c351b43a210483ff256e45e36cd3b0bfd7711d6c421

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
01856ddedd6a88c352c5355f7f874285

SHA1
858d215a09e799341b572e3f5380b68f982d6743

SHA256
8bcf7214717b4004c611f74451bdd48967a42e1b66d92df5bc7d03fd3683fafe

SHA512
ffe450cad040771f3712a28e089cfa36d35eb951e9e70bbc731ccee1c9e4e08e2f59344cc76514a884bbbc1ac28183eef885b3153df1d7fe215b1523f29863a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9d9773326a9e9c482707113e38ce81a5

SHA1
01f9f92a0fe3a509f6d867dcc70ab2767cc90a20

SHA256
69457ef546466868247ad0797483f404f1b582fb49e5055e4deeb0ffddaf11a5

SHA512
643bd6fb394a60dd32fbaa51ec5603a6ff9767a54bb00b57454a11aad8026e3fd84b4a66de65f686df166ec6f2ec48af1e9db0b88e5d8ed898889cd54294a07e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
1a8e5d34db89e477d5c2d141d75060cc

SHA1
d23bc21bc087a20dc8b0259088ae9836b1286841

SHA256
988b5d339a612153e1797cbbc760c13ec7f8dbe08bc003a8093648d0111fe071

SHA512
da39be5077189bd74c60b5585e0e1107a976545ecc26543587f25f5253f49b31ac3e24b1d9d5f4d2946959d83b678043e58e0bd08a82cb7d23af4c83571a19c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4da2ff455307594a83b18c19ef4a1c39

SHA1
7e6a0a4d1caf2975cd5fc0647e7ea21876fc694e

SHA256
530c5477dda0bd94eccafd004d0d858012705457a11f91d8e04044ed0fa35a08

SHA512
bde5498cc6e2e19524569d338fa6cecc719fe6c0331d266f9cd1d8a8191ab341f9f4df7e584bb7190b9170843c677a9c94c82bb4b0263173cf0016f8405736d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
078a73d8f351ccd950c15b6827d4b6fe

SHA1
396f4680d79a4c9c937cb1e042a25e2da2e91ec5

SHA256
14accf88c65ee490ee2d615eebfbfb5d1975330e01ef46553420668f8ce4fbce

SHA512
adbe52c6eb0d21d035068c74f8da7928935dbee28ccdc23e1f9fcfe58896585645a3621b921a0ffba28051ad7e3391a355450ad7ee6119dfe9409b275458b699

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
bc10793435b8cd5431049d03cc4ba29e

SHA1
4d477becb4335a168563f4896dd943fd02919a17

SHA256
d53a9cda317a8ac41ea692d8241d287c7fe5a7b6bcf00432fa1e3f2a67d24f9f

SHA512
d0504f2498c3bdd60b26e90101d9fde2c001f2d96af3522738c041d6fe23a8fafedd88a44c505aec9385252a14112ca23fbba77d6fbdb80f08520279750e9ee5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
4ef8c4ea0ab9705b3267a1c474f9b4f2

SHA1
c870bd11079e4ef5e6a74f52c857650f86045481

SHA256
694fecedd078aa7bad4ca66cbdc629bea49f8811032b08beb648245c6ac7d878

SHA512
d23b237f1c09a49d98ec4c91ee32c1506c773ec30b96ad32b285e233b8fc5314edf117d90b776a9280284bf913efac108a1ea79ab46c15342b09c513b1c5341c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
1108d216da3607aa8ac20dcbf6eeffaf

SHA1
493fead6050fa2e6aa7af1101c8208beabce60be

SHA256
ffa08d29cd09389a2cd5b7fec9a7400879f38497a82638562dd9f7fcb5a342e2

SHA512
77f246712f9e1353ddd54bae3e8efece166eaaeb8e85715787c4837a60260b2054ba3e947d1032ce9121122ed9de5e80eb3c906872eb341967ed230dd46f80a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
f7747b74025803afb301a5c62e368d09

SHA1
f7ac2372ce90603db473526054bbae6476b82f39

SHA256
1e0d44a9bc6c479f6e77db49eea97490d44f0d12313fb112d06d15fe609f27ae

SHA512
ad73721edccd0bb899e91094e709322917d2eb3929325b15f4e70d30849fb6ee38e216b8a7f92bdae55a01c04b1b6f8bead2e32e05f8e6270c84528f2d791ec1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
ec83e30a730a701f02e646ac7a4aaded

SHA1
67a515a5ec219d592f6016610f7bc5fa1b34a723

SHA256
2de3242bf54eff57c1471093e58095fa2d589c80eb7745525395ed9a633d0df3

SHA512
07a531775495d7ab04847f7c485aa7dd268c15c064ff1d7f86bf2fc76e804b7f4491bf601463480739b9b9544bcfd22489153b1d74fd9a75179f409252119cd0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
3e3988c520a907d55add9901ba76f93e

SHA1
33f8bd4cc87a30d8047be4838dd8459072f1bceb

SHA256
a7985a74433e2cca74b88a085cb4a41790dc0c72633bce2b0ce8d013ec058153

SHA512
7a801256a9ffc4cfde8401f2ff17a7615b860e2b16b2364454419692c5ac95f505ba98c2b7617802fd13415bd2aad2f16a108c4c710803ea7a84738b32924b55

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
e8e8971a10d690d585636ff0c0e340e4

SHA1
e4c13064a7a9639f415e9792cab44efe55554f81

SHA256
26aaf82b9f516f29f5c31db20d18dbecba5a23ac1613af95ac3caf23a1cc68ab

SHA512
c671fd207dd81f228397ed49d16365fc4d422be621197c5b3fc59eb3ef5868c796d66756e186a60b371676013addc449febcabc72a8537c32bcc6aed9ea6b7d2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
051d9fa23e9102b4ce301b2918e0a7b5

SHA1
2166fca9b22b1580651d2ad0c9b4b7965cc43008

SHA256
2c4cd574be9d779d8b302c92b4736170655aeebf915ce862321066c0853017c5

SHA512
adb64777626d4f5418edcba8d26e07815662a0a0aaab8e7d5fc28d2d99b6f7fae12a0ce3d6bcc075feb7471691450f6d5a03ef8b6178f2cadc5bbe57ec40172f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
bfd79368f4d4073e0dc6439d51afb16c

SHA1
52628078d35904cfd79c53e9729126b25ce46cae

SHA256
d877f9172801cf41bf7f92191a96a095d2ce4a07331d4c991b5a52f3ace5350f

SHA512
be2a84b0b99f5b0298f4093e27089c5d36f0d4269b38a8bf11d9a401c1b9906afa9f29ab68fe71d65fcee1e5ceac39f02d20e68d0f457bff4e53f083793ee227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
e45cd3e1d79f0dfa333b53d6e7b249cd

SHA1
a836d057f50c93b55f416f5cc3576c6824f4e9d0

SHA256
e74c703dca7eaf5293ecd838465689ec86dc3cf9785d0c8a9c1e6ca5a0c2a5a2

SHA512
e790b151f3e8a698c735ca83d42b14eec8cc50f8d2e7d9640b07ef9a2d2c0be30f7bfd56341bad196a43692ddcdf7470f9b9a7c780a56d3abff98be918e81ba0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
154be961d2ca0499c4a9429907594376

SHA1
baf49c7bbbbe5a4ba00bc5e08714979a82f19838

SHA256
762a98776df3169171310359f1958022999815b6bb567c952e5ce267f45b77f8

SHA512
026cedb0de85097937d40ccf67650122a52cd67f7085d36102eaa7bb9db7757d27241d19b2b5782bb31aff5d12b9cd2f7eb08a4be597eeccca5cfb1a5289289d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
9e309b9b3b5dea68f8436b563ebb9061

SHA1
7d94d5a92dc41ce5a4228f7c5d1c080c2c6d78d6

SHA256
4ad89fcf46359a4add8485dabbfccd6810a03186415549437ac71a2e35b6223f

SHA512
1c66f2c8740286c8fbf4e36ff2927d4c55121e2b4d2aab334e3f34102a7410e24f6f795c5efb75601164996d31506e306906a4dc26a5bd14da8136ec81365589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
06a0153315368471801114209a1ff2bf

SHA1
633363edace2053543aa468e66d6c9f546816d1b

SHA256
36ca1b6e510b0eb5c930aee8e442b059853cd6e9d02b4f611dc037bc5b55536e

SHA512
2a0c1b049b24a403a4fd86bd9f953a88867008432fb35ef2f3cb83822648c87d4c6b5bc8ceaf11ffd6d79b18d75bf6a6aba469a651647577b62d996f087f095e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a2af2ecd0365afa8d2b1c76ed8e653fb

SHA1
fd909091999f529f2133cbaedf981f8daee5ad3e

SHA256
4e716ddf07f978b37c6cb94b2c7f2c845c738238cf9f98ef2c8c85f0c849e930

SHA512
dc1124c40523dcedf745001a7fc9ef09641f610d693ce997c72c10604761ec11702b59f451e97e2a86487603dba107dfa32497d3f545f6194a72bc3caecbd0d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
f08969a0b7735f5025a0e316b2b2fca6

SHA1
bc27466b64ec7a21d1c61d518225ff1cf45cc029

SHA256
4e0f376a24eae29248ad157cf8a58c3955a7a6d930fb0c714dd4cd2ceee2e738

SHA512
83ddc4d9756f83554af18d7206bab0f4cc04092e680d8dd6e2fc30febbfa39cfdc9d5ee2feed1d9883e9a777fb7bde252aceae3ce8ebb295b47c61404ce508a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
75145b32337e11b2f6b617b4a36683cd

SHA1
fed9296b7500a794229f8624166fe442dcc7e8e5

SHA256
e3bbd0a7b07773a0a01d7f6515e0dc5dc59379d608d764730ebeeaf9e92bfb10

SHA512
27c4ca5e49f5c3ad80d20755798c288c9b3fa060a0eb507bd1f5814a8db0b668b69230359c8ef45361b24d64b1a3a579730b215724cd1f63fbe23356716cf7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c2c79e4d6a82b8ec923396154fb55db4

SHA1
b3d48478df1e0fd88c2755af61ccd3281b52799e

SHA256
70d9eab8f9270cdc8c26f4593373e45ac5796b5d3b5fe800855271732e5bfa40

SHA512
cd8908cb6106cc43b2cb1bed72ec56ac85e031c59e0034aff30dd128990dd9ff9f99839163cd06540b4b00d71bb372fda133517dc734e8b4f2479d3e54aa0e44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
dde260afc25c3430cdbdecce14ed79f7

SHA1
e86ffce447dcc5da9f6236613d3222540214308b

SHA256
a073ceab79c26ae023fa381a32de70db78b48515ba0b0cb4c0820626c6f5584d

SHA512
256e6d7baf4e06f6a0a15be51a5ca070a105e688d1c7ae65403e73c737b23713f350c3ad0425ebb419e11e76e682b5070ad1402e86f298a34c047c8f7e7fb4ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
57136f41c8b01d333134b76eb3a4c0f5

SHA1
137c56732851d6b43c4f17c6ba60e81372a4a9de

SHA256
b321d1149ad473e69c05548bff2084cb127b10cc4d8b371ac9c7b233f402d82c

SHA512
a2c97f4927ce6ac1c353033cdd6518ba751ff68fda049ec758bbb2da5971ed5a3d5ce1c94d558c02a6d96e588bd3c7077768b09b924f77caa35540fb3a70dda1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
05da4ab8e8d11972a133998926323df0

SHA1
f4c6d97e92086eb6b4f079417749c0908115b64b

SHA256
9681f7b470ab66213605a1ec36de1da78b2a8589f2e68c85ead66311c63e7b50

SHA512
2c9109a38d3330a0288b1b6f11d1c418f9a0f94117315499feec91ba02ade17b3121b74f0cb4003722b0e4b49578be2b4aafcdab7de260789fff458f42a0a5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9ef664ab77e73fac0b0e7c63cf840fa7

SHA1
c1ec46fbe71a8515df78d865452fa275c3313ce7

SHA256
8b6ec2fd4fa9500f862f1ebe91cf786eec6f042cf0071b71bba6a600240c5658

SHA512
7a32c8028e60f65dceb4af20b0fcb3012f10f00c20438b20ec33815b36d15f0bbc0f5510579fba419ef6513653576897227f2d2a47d7fdc61ecdeee408175498

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3280fc1c6b1524af60225586daddc923

SHA1
8465f6f1835401e60963011c0ca5c4a7f230e16b

SHA256
a6b7416908af14a43f10f11ea5ee33809986106a1f4ccba03204b4ea959516a0

SHA512
fd145e8a867ec56f500dd2d72bb860153c304c7c53241a0bc009759f97f425154b9bfc62ec8a7dd84c52a95a81863f60a20e416be1400fcbc8f259f7f6abcc8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c03892c7f19e56e079113bb9fd53d4c4

SHA1
4ef5084ed0574d81f4bd28eea0b7367a8c9ceece

SHA256
5df0bc479e029854ddb9adad96220781c48b0a1da43d6805b95c60b14ddfe8c0

SHA512
fcf167c92376ee36f0f8fe6c35f606abb1d26f4a29d6391a80cb71f013e2ef912d4ef255b6c759925e31a0cd3c16697e110593aae28f21a062c13ac324f7fdac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
a50b6ed10fd9981f585e6808a6ecaad6

SHA1
a2fc74ff4b6f4c0a5160053d5f0da773fb4c8c00

SHA256
fe92b90e084be816a83eb86fdf8173937881d74b15f0e03e7fac4de22bd5ddee

SHA512
ee22b9596f9028f046044cf04d8bfc51cb9977b9bf87865d601abb801ba2664329ac708e88f5acb25dc02ec4660d77ba9ab7ca0a3223389495a6e28bca5d1e03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
1ec1d19d4d75f1c7bd9916ec4dfb4a65

SHA1
72f3dcf755c93bbf11292fb68b25b439031eb1e4

SHA256
cef9058c6750d5c47c2a98affd11b5e8e47ab9cb00a7877ffa8264626809a3db

SHA512
c3469edbcfa3fa08f40c9101b1a2c5fb8308061502a9c96ac6bcee3ff7f82d212807ce0c06f17ee12527fe9d4f2cb869d440c7d207de6ace0ee3dd998bb3d882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
cec6ebdd1ed549e6083b38b3f05b7c64

SHA1
83dad1db1096b6298f17724d7717a71ba01ca6cb

SHA256
e8e64d9e038463dc1e3f87c46217f721a47b718157c750c208b4bf3fc3851271

SHA512
5a47959eead8103a045bbe2533fff8203a635587b19f0c2855525aae6900a4bf4ffa8aec6ad1bb51896ff8299c85a5c374bd9a8c0f35ba8afe2910d6659ee975

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
93b12dc0c4ea99c2af3ddb06afea3995

SHA1
ba579f7a7bc47516783bdabd3da8ffd596d22547

SHA256
263d0a4927880c1d9e8bd0448f454029e736b924c7dd8b97c525ce83acd39652

SHA512
ef6c737401a65a537c22a1950a2c3baeb7200f4488d582b5c55b0048489cddb320b30159893d1052d12e06127d8267a0dd5a6326b4a58e70a369caa0608c96aa

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
0e746cc8177050033528d68cdf1e0fb4

SHA1
44f6b544fa0e45eb74cbcd7a48cf9df7045288d8

SHA256
a176f84d5c22e823f63a539f494eb5b79fc2dbaf4e816b658857c63b3c4b636e

SHA512
a4f67b95a22a95bd224e64b0d293439f0d9eec0b0fecdd387c420631f9d1bfa19b3473cd415449ee18002419ded46b72b783c479d3280f589c9f4d3a18642575

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
c6ee81414ee8bb1a6873b4aab3046583

SHA1
c5fe1afc75854e82eb772169d2f2ba7a1e1f54c8

SHA256
58bd9d596deffe5c1ec411ebe6580f4191a6aa9b2ef0859793d05640cd5d5afd

SHA512
c6f400145de26a5fd1e2747f3fc23fdeffb054efe73c38fa595dcc6f9b9936e325c1e190a52dc767df0026c14b36f5709246b85cd995990819bb18a2aaff4b7d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
42a3fd66a30e69cf9246c079c1a2dac8

SHA1
00362e6770a03f6441c88499fb53994e500ab7e7

SHA256
36f9408e66b7dff77187957059dc95d6214b08ccb11decc76410ce441e1945e3

SHA512
b7d72fbce5eac5403278a18bcb104d83b3a7ed1029ef35c176a8cb7614734dcc0a86711b5be539eebd8d2f445ad312cb29b26f6ba365c8d449db4d97c62496be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
9ca4752d055c65258e05498d639e55c0

SHA1
4d643ef75187ba18ae27151b08951a8e6fb4cc52

SHA256
47c4880580a75c8de78268914ce900a9006981209179639c3dfd0138b31d4b8b

SHA512
84d75ca20f003f684962687a1122e621e67d48ecb11d5ccebd94be849ffb72b82db3e6c0a50ea056858e046d888395700e97138218a5b67c687be6bb13bb7f87

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
82d00ebf51b111a98ec3ee9a752f032f

SHA1
8511030b5989dd0294f69fa7dfbe3d91610099d0

SHA256
408e00e40a66c799aff9fe404eeb5058b4e0f35afe7f804f6267e952bbfb1a4f

SHA512
363b019d2f9b7dcb6422a38581f2a20a58427318a8317dc7bbd743a9dab5affa2d2ab09dfce1d8c60633368b1469be199dd765b6cd542a0f9025f5a8f0ca3174

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2170e84fc4b0cfaa5ea5012cd70c9dfb

SHA1
2e299dc41af629c5749c9612a5b88b7a6b4a65e9

SHA256
6deea1eee047c9868669d399537b499a25ff3d918dee252a9d012e2e877e1a95

SHA512
761bf9a3fe5049a470de51f07c20375b52d3afb4541adf247957b8636a5bf1f657f78f9bc0ab6ddcd59bc1e767ebebbcc955abb450d6935b3b739433f53c5d70

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
4f372a407614e3588ba625d9d2af637e

SHA1
c4ca51523ac290dc59f698fac147d22751a14d68

SHA256
9f488f327cabb61a7bae202f3907dc2b8beef86da46db281e2adf14cc9b24710

SHA512
d576109c74072c880f575a86ad7e4e30afb3a265b69c62fd83532557c850d7411f2155cd832283310e8c83002c167575f416143104d03c11f0cfecd71247195e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d01cd0a8e5473295a7f884fba67bb12d

SHA1
d22fe64ddebbd7cca75127adb2048d2e2b40b9e7

SHA256
da73f714f3136e861ff759fe7f687439f697e5b2a4a47c5e9b254ea9d740239c

SHA512
85f003770a8434751ee4cbfcfb1b73f1fc1b79bcb0ee2817e1d6a5bdf4e8e8a15c6e1f0460d6c165cafbc868ee4077b584f1ba7f0ced5686c8dbad58b5f06e4d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
055c2e691d8f9069c823263522c9fe34

SHA1
e76322c9fd28b9dfc4d18c6eb2a7d69eddb30c77

SHA256
26a51c21c743e7797850bb6266e2649417e728a6cb7801fbfde02793a64ad899

SHA512
0461c2088e8246768a26df860c074306c86645692fd2e80e3621fb28106a470a2fd6f662f18b20fa5744c43fcd5fb480a2eb8d036a521225828ebc84d38c3d99

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ac867863f0f0afc0c5a63c78da4cb42f

SHA1
7d70e0af66fc10fae0246c551c10951fc3cc5895

SHA256
2a06b7cca5d55652bb86d8fa86553687ff4ff23b124eaa1db9165e8f51a483d8

SHA512
b547eeb015ceaf14599850bdfc3d5adc31eeb03cbe0e2f92beadf5bf020086824e82ff7005e230948550db0fcc78b9429e546eedfd3ee771d77c52a8408d6d3a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0a7e6dedcdec6356a30751b8a70f774f

SHA1
b0370b77c5c39de9c08a91907117cd8f282e9f96

SHA256
c500f081dbc596590f6ec58a38589f631de3fe5e4ca7c69116e02178b45314d8

SHA512
e7b9bfc64730e52cf0a5d34ce327d82f9bbed95f6c401903992498279bae18fdb428b37fabca76aafb2ec5145b9dab5007cd2310bd55840bc7dc5c927322535a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ad2af65fc3161105ad925b6c2a1326e1

SHA1
f48affcf915a92720cff8d745de9c93d4b006f12

SHA256
bf82c68d9784e41b637eaa377092ea257fc1146f54b74bba6dbff1bbcfdf69a8

SHA512
2f2df18771025d190a16867686382dfd24ed0a7b24d3ec7075c42254cdfd67babbfbf021246a76695bc5371e633e0f8d76aa3fcd11b1d2e47e4cfe9d433e7914

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f0a8dab00f782e0b3cb4292156749ec3

SHA1
a1010047bf0567180e20be512deb3512b717a7ad

SHA256
2f496d3a1e40e782ac79eb8858952b0cb6552ea903c41994c779fcc9a569072d

SHA512
63000bc5fcf0a919470b37133e8420fffad1c8d193f9b5ff2a890a2be3ded6fdb69b67674a261caf8e935c88ed05ceec7e09a61f6f62859df40c5619f443b8d2

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
ff77040d8507e3d9bf324f8f38fb4541

SHA1
ba75ed55fefe40aa62471677a38aa1a94e6d05ac

SHA256
f9c71edd9b7cc3ecaaa0e999c5f7e39cbdbe910ae4ddfe1c0c86fc4291e10f61

SHA512
2467b18ea5e264ce1671c52222818637ebfe2ae452f093a05cd6d7eab646f68881ff3437152a0eef0fa0bd93aee9340e1c18f66180e8e077032611f8c843e768

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a280909ecb26e2308baf15c2aa3884dc

SHA1
f286ebfd9131b1ba91320a75df79851ca0d14394

SHA256
2ff08c6570a25713c5a3d6185cb87146fe3524c9f7c1553e45199b4958ef07e0

SHA512
ec651e601c7e1d3ea86fcaeaece3a82f9813a5e2ba08d8f5c72382dc765a822a72284514d5c29ad05208db2ef86c571bbb33157d5da8c02bc0f2f137be6a61fc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
1f71e08087c2d77b89031f59ef19a3a9

SHA1
3c5f0d237a5b0662e5a3d15cba8d2bf0572c7378

SHA256
759b0784eb55b5866af5b95f22c6452d0b2d90b70004eee919202d5906e3266a

SHA512
0a01df6f2a737c4270e9091771ae6a8866a2a8862e8b8626b195f0c26a94f4bbb7981461c9908df819e133a5dcd745c5d23dc3f44865cb3bd6ec5f9969edb8bd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6e1af24b9d982aa88db50c6ace2b1e36

SHA1
9a58b725658d00d9e6c50790f24356148d7364b9

SHA256
c2142ece9a707ebb235b5e18509c3a8aeca3ac9f6b1df9b42a6f544e843d88a9

SHA512
ceae6e2e5a5625a38979dc4953603d5412dadb63638f68fa93d14e2996e380e353e8f5265e74a233cff058e8c837a590377b3f1bc9ac9e30e8ba82e5a96894c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
38f82bec572bf85e879cb86c8f26e870

SHA1
35d4ce8da309ac82b35bc8f1da4338c8d2fff7ee

SHA256
f2b5a6cb490af692eaddd44960e81b039db0aa70ef9810ff3709df177a75e4b7

SHA512
0721a31a07071d26b36e168109f218f440ab348c608f0cdb4f595a90f3763b894f6a506fc85073120869b780238dd4979a158662aff81aa071bec9c380b5501a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7b8b5b4695796c2a2f4ac6335d871fef

SHA1
176ea5699c95e4f5cb542d5a8bb37aa5140caa62

SHA256
fa21912c1ff9721fe2640578e8b604bf804212ca28de5233240d48260b510ed5

SHA512
3f3e3b709625421aaa2208c27038699e24c7cbc68cb9af94ffc7e1c318eda387a5ac4153e44235792bf40036f13fe0bb64e3ca01cc4a9a8f0a4e2ba404c740cf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ef23c9edbe68165d998511ffc411f54a

SHA1
3f49fedd188ffdc9c8b4221cd24a928e2f927de4

SHA256
92b725c6fe09699638573c2a2ed0cfd785acaf1d42afaa5fdb2380adc3ccb098

SHA512
319615d0e5f05995edbfb6c1d01b01f53f7c4010a31565499518b0999269ba89c2078b8617bb5c8d191d1507cd2c92bac3830188474831b5eee2434c4a818ff2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
de3974aaaca8c6168a0ed3a982d59012

SHA1
b6155e609fa3f890c30b46caf491c12beacd4e74

SHA256
1d66b7e2db3e9315f02e649bc567f3d5f912d1a385fba944a7b5db0dad85dafd

SHA512
429cc37b693dabf92340daff7ea01cd08f4ca0cb4bb21db6274690edc3c1a0a6a2a4d516417b96a9335605c33dea7c06f161767110673f193e04cc11939874cd

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
6a3bf638eb9edf9fc335d9fa58ad7b96

SHA1
d64c0e677698b13c95fa06bf0313539bdc24c5f3

SHA256
5fd44a8bb575737ec133d7cde05d45a3c5c15132f6913408154e7d70475aadc7

SHA512
5a4b778b521436b4115135110127560055031a2be2f97fe46a0fc70937851d238cbd76a6f02cd1358ae5fdf40dcfb5faf1437b0ba5b65205c6a56e1c6c830d12

Download Submit
memory/776-300-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-86-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1392-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1508-263-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-258-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2420-253-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2680-508-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2680-0-0x0000000002170000-0x00000000021D0000-memory.dmp

Filesize
384KB

Download
memory/2680-509-0x0000000002170000-0x00000000021D0000-memory.dmp

Filesize
384KB

Download
memory/2680-9-0x0000000002170000-0x00000000021D0000-memory.dmp

Filesize
384KB

Download
memory/2680-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2800-302-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2800-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2820-262-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2824-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2892-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2892-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2892-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2892-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2892-79-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3324-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3324-595-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3324-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3324-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3372-264-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3404-597-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3404-301-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3444-266-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3712-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3712-254-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3712-594-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3712-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3788-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3788-82-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3788-69-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3788-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3856-195-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3864-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4108-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4108-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4108-592-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4108-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4312-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4312-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4312-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4492-265-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4496-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4496-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download