5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
Size

1.8MB
MD5

a19ef8cf8f99826a81eb25129ef98c02
SHA1

6b9aaa976b25d7dbf9feb020e8e451e382902cd6
SHA256

5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec
SHA512

f63e5d59a640eb40184a771c03fe83128a228eecaadd5845ebcb70e6b77aae89aca2330ab33da5038371da74a9787f0dd4da1bf3bd47c4b4254f8cf40586c8d2
SSDEEP

49152:Ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAhkQ/qoLEw:EvbjVkjjCAzJ2qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4772	alg.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4776	fxssvc.exe
2728	elevation_service.exe
1048	elevation_service.exe
4616	maintenanceservice.exe
1400	msdtc.exe
1004	OSE.EXE
3904	PerceptionSimulationService.exe
2532	perfhost.exe
4956	locator.exe
4140	SensorDataService.exe
4412	snmptrap.exe
896	spectrum.exe
428	ssh-agent.exe
2180	TieringEngineService.exe
4188	AgentService.exe
4776	vds.exe
2332	vssvc.exe
2444	wbengine.exe
736	WmiApSrv.exe
2872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\locator.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\System32\vds.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\50ae32f885ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\GoogleUpdateOnDemand.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\goopdateres_no.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\goopdateres_ca.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\psuser_64.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\goopdateres_vi.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\goopdateres_bn.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35F4.tmp\goopdateres_pt-PT.dll	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e7b2d8a1e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac3e518a1e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfca1c8a1e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000522a5d8a1e9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097681a8a1e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f66588a1e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030df108a1e9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f8d5f8a1e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f491e8b1e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4328	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1692	5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
Token: SeAuditPrivilege	4776	fxssvc.exe
Token: SeRestorePrivilege	2180	TieringEngineService.exe
Token: SeManageVolumePrivilege	2180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4188	AgentService.exe
Token: SeBackupPrivilege	2332	vssvc.exe
Token: SeRestorePrivilege	2332	vssvc.exe
Token: SeAuditPrivilege	2332	vssvc.exe
Token: SeBackupPrivilege	2444	wbengine.exe
Token: SeRestorePrivilege	2444	wbengine.exe
Token: SeSecurityPrivilege	2444	wbengine.exe
Token: 33	2872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeDebugPrivilege	4772	alg.exe
Token: SeDebugPrivilege	4328	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 372	2872	SearchIndexer.exe	112
PID 2872 wrote to memory of 372	2872	SearchIndexer.exe	112
PID 2872 wrote to memory of 1800	2872	SearchIndexer.exe	113
PID 2872 wrote to memory of 1800	2872	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe
"C:\Users\Admin\AppData\Local\Temp\5ebc4e803b2fe6e6b49bb9dd66771a8cd1523de8610ac2fb6ea3629dd7648dec.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:896

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4652

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d9c49d8f263197ed86fca5b039caadc4

SHA1
fd88086997b9ad671aec186a10b493edf17d5864

SHA256
850bfb2554264b4fe23c07ef53286f2d130cbab7012159d8d19ae0d9926bb7e4

SHA512
c95ad4bd2c773364e40b771ac20b954629fb600fa73219212705faf7a3e08283ea94cd26f19b5e21d23c38ccac0785b1dda6609107e28824943838481d65a3a3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a48b4e3b035178b79f5ffd7c9a6f351c

SHA1
baf7ee6160e0d2b92e81cb3fea0315c4d6abb369

SHA256
b4243ed7feba953c39f2b133df76cde1ee787ff3fa824c86191bd02d53dcbd93

SHA512
bd243df30d2c1a2b8813251a11c74a8c91ed7d1b560458be9cc58ad81ab208d14942abec30141abca6b8a35417592deef077352127a01a09aaa88fe23c728d6b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
49b23ac959bb3fd777f71db84ad9e62b

SHA1
2e7d192474bf33ac694dbd87960843c50607a1bd

SHA256
66fd7fe45746c53f5b2ecc75b21f8e4654c246615c439e68c1277de65588fde5

SHA512
0917190e8abe65f89eeac99d18e1c2a82c6d7f82951d13bbadd58c23795244d966710371c8cb00e3a7ec88ac91cffbb913d3701fc2db2018f2ee270812484024

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8aeffecd78fb323c11a5bba4ec01d298

SHA1
8bc1b7b958a1227c7a49eab55cdd73fed5ceb2c9

SHA256
25c79780f7a7729247444a318956e891aefd4df66c63d3580a90b14337566c16

SHA512
ce4f3da76b9a17fbaa47782861d4669ddde42f76456b0c3151d64c70c287c4ace9ceda1f52aa25f23a7037a093b4fbf611eb557babd1727d967d572ee9c1be5c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0fbe7a5ab4acb20c5a5ef23aaf944b8b

SHA1
9542d4be6ef47513cbba4b05392a6f3cbaec37b1

SHA256
f1564bb4a4212c2b7441f7eb17cf7551b1961423b0c1d5438b7fe03b9f888327

SHA512
bed0e6332fd410236e9a2c4b57b8cc3aee48179a4814ca143093b1c3e7614f7aabb440110f30ae7e0ae961174ae9372bff521d90b003721a419a86327c96c880

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
53ee1ac86a682c01e4cbf306a74b0de9

SHA1
2a35ce42c91ce8822467d47122bf7c08dfa5169d

SHA256
74b50d991ca81b5dd325f47c2ef715d5c8d0636748dd5f68f2fbacaad83356e2

SHA512
a3999e4a6d9334eb44cf3580e0684017095aedfbf358d261a17fd0fb5e04cfa9b85674fa9fb2ab57fbf0dd48b3495c3bd8777a1e9c4e62d1114d74b2a4cd5bc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0527a3598d8f7740ad4d49d0c15a216f

SHA1
26f56d0eed97329a00ee225bdb5ec8331fcecdfd

SHA256
ad715a26d711a49ada743ca1d3caf46c3834a9b6e5f06aa175cc3a1049d406c5

SHA512
006279f9484dc7de9210da1b242b302a7124b149e75f5ae7305e840e024218dca0ccbc8a0d86e81a4afb7ec5270b724a2cfa93f6264ed1c82b08132126dcf578

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a545a0eb2172345499bf6eacdcc67add

SHA1
6903699f3ba55af15f3d3e72b1351136035f6a68

SHA256
03eb17766c64b8ec6d76aee787994ee92fe49493eef875f9190644588d77e020

SHA512
f15aa84eef33a0aeef0ce9139f4e017a63e854ea27e1e3df7ffbda10c94b522cddd9204066186f8a259eb2dbdbce7e0f7cb27ce1f9b3a1fd16d09f7eef03e890

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9a5bbb139b14ecaf253f5cdbafd0ecd2

SHA1
eec4ebe4b55e2ef5e8625f89f91708fcdf675514

SHA256
48c8d0a557505094544602e913b0986be20c429f9cd340e9dc9601540ceab85f

SHA512
5e2ab84530cacb7db8fde02796747b31a78fd173819494a1c3f6e1188ab17b4c9c39b94a292f3b643713feafc0c74f7ad704ab1039999a33eb1afcd420927905

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
33499196abf14b87815c2c2933e0cd46

SHA1
841604a7234bce4eb089a84557fdeee11b881e6f

SHA256
581be10df2ae3765aa938c8b6b619b8c3d4324c6233b8120d45e001825668319

SHA512
9b8c0b0e2509caba3efea52928b352f8fa34538943ab726df4c8ed8671000d515f24304fab49a2fb7d50dd901edc3e8ee956de7f32b21877f290b432f336f745

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
560b06e8099120b71c5cd763b98534b3

SHA1
7bd6ca9f7a1b67a1eab80fa2f96a8f8005c59b1b

SHA256
177c44857cb2a99e5deabf5bc5c94d21f4296e658b2b8464c16ce29e2dfa9070

SHA512
0a1be1c0d3bef3e06e7cd68889b804c8e1f160a8989984168b86e33fdfea64143cea690586b76708ea6f455d2061d6c5018e50ca9fa3a0b5c4f154c6c590c7a2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
51f0918b6713a68c5a360726d6f1d148

SHA1
69ce78b9366560b5a3b4420ce122c63aaf055252

SHA256
96405e8df0a73f20dfadeb9f615192307d335a89f9005a29bed2f15e8286678c

SHA512
4c0cc3fcb65b7e80d1fa7758a2722d218a4b62557d9616a75be4252e86685ed0f6cfac3ef92af199ba9bff017e0f23e72118b68fbb84e9f18f39251ae1c261b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e33872fddcdae8b42fe5896c9156b3a8

SHA1
8980cc7330d8acc9023d0b6b423e425593010b5f

SHA256
cef8750eceb240021d79a2316e61602f212304dbb4228bda3be73032bd38ee0e

SHA512
0f67557a26fabce677a955b6b41b3faa20a7c9d4c62bd10db4e61003091b47afec64e6f06dc51cc9df816437dcef0b7995ce0fe47cf8db3c7e548cae9822420e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
da4a89731350db7787d1fb52274dfc7d

SHA1
d44b6e384acca52778b1fdb530385393863d40fb

SHA256
edd39bcf49a303d4eb297bf5a2f01beb18f20ca307e389b4807cc63288629141

SHA512
4ae9eea9cbd5dacfeb16539ee1937511fe37b5c548186869de44551ff4984e52cfc1b33ba4ef053658470e27e1cb6a068ffd5b282284c088b9201aeacf3221f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
83df3359401568950a5d349d84a65963

SHA1
9db88235ee7388e4791bfac0099771d43eaf7bd3

SHA256
d7c64f3df80b74d092870db91563cf51a993ba0e451cfb53ac09a190ffb1b12a

SHA512
ace82c47df794291765f3e6e6471bead464c9fe76d17859e33af28c711c88ec638f4737a9db3c5790636d4a797c97b3321f33ec0933a49d0fd7693983cc90165

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
236240dd97d8287081f2b04946e5fc68

SHA1
4210b20c24dc4bccc2350e7980b615b669446f48

SHA256
042b0d8b211f942353d8f4782865a59cf1f81c00e5a1b539aaa2f24e3fa601f0

SHA512
2b5e34c6306344856716200d3ce8a229fb578c669c9ba8fb31ee87c0677c5da3f2cf3c6b417f53be5f868a290e07358fb04ce601bc036998b41c09c2e1722124

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
83055bc35bb3df55c588a863bbb0e52a

SHA1
d865cf5da9ae973b49dfe05cb817c42e06b3fa3a

SHA256
6fe45b5d3594da6db6e88ee94ea45133cece1ed811543c30c2393b71a8c0988c

SHA512
5f92dfc3c4d4eb808c7f72e8c493184fa4337d989ee5b418904f3535eaa32fbbcfbf4ff37f2259d5d25382bab9b1042fddf84c5b4e33667c814c5c693eb24c96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
3eb0cffdf848004dc0e2b625c85fca1b

SHA1
fdef7ae718d7a1e8b3f3f2615754548d0702fd95

SHA256
df5f6b506faeb11462c8abdf0d6cc9f31710c90c0bcf2b3df8056d7d37de3d58

SHA512
30a41ad1b42ad23dd03b97a844f58072458f053d0f6a03d2837e1d632fbec814c176e4c79e109056e69ecbcb5041bf04794401cbdbf543a122380f06c984212b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
1a62ded579d2e760084f239cb1ad80aa

SHA1
cb76f9058b32d4511a5dd10599484b06e1a162ec

SHA256
e70bc8aa52e242f761f469cf1e35104c470bbf772dc513e1cb060488ebe2ed8e

SHA512
1113b9c9bb0936a60b9db0fc1619b036fd6e5be7d08961eec6651d07755cc2a0db5b92a05e01c499ff83e06b2ae49ce8c7ed3d1bad7799eef3f38af21dc98e52

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6aebe296b40a6eb05ee2efd022bdd9f7

SHA1
5d174d05a6730ca876e7ebd429d242f22998925a

SHA256
09865583b2365d26e8fbf65cbecdc61b5e81bdedf45d34911d6c8e7d8e5cf179

SHA512
e4470b6c7d89f186a3644fe8ece58e5eef6125a8c46fdf66b8faab72803c6036e3fe7fef5b092e16990668702ad3543e53c4f86b77678bf8761a521fd8a2b2d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6d4e229a064cbac1baaaafa11cc73ae7

SHA1
43cf5d3bba8d60549f73624d1884185238eb2e3f

SHA256
400db5d7df5beed8737ff6219204c5d216ed721264f93db7358ec8aa676f5b74

SHA512
6398fa9ae4c9d4c646f39e0ccf8dcbfdd15c1b1223865addfa34de3c2431d3eafb9b38ae9f4f5106ff6b0258ca41a521d5c757211fcc8ceea43b463b8872fcd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a28ef9e9125fc6c2590b861b46c13d35

SHA1
97eac8fbc22ff065a9cbe57db74e07b304c13bfc

SHA256
e2badbd47fa04193c5cf94eff49722ff8f239e463a95c0f09c76e8619fddab9d

SHA512
f78bd550f11b72e2ed755d857343e3af8a8605005ec59d90b0c7401f42fde7210da06bd52e69ea4a63ba1bf86305b26304ed814faa2c4394f6acdf40752417da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d90bfec2a878f8ccb3fda6b7710ce5ad

SHA1
56cd36c61261e68f794257cdff0aa5e46a592d40

SHA256
b349faf5aad68e9d8d1ac8c841373f4a955d901c1f85fddc0a36bfb3563734f6

SHA512
2d88600e09b87558a70e0ba1f1ff228eb283b8c1e382296b921523489fa484fd01b4ae7dfc1b260c78d235627f9a0eb4b789bfc5c84214d296b7b69e46106683

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5522abe9667cacddbb541f672cba3aa4

SHA1
9c3b30d680da3581aea5a02d30c1cd1027ce56bc

SHA256
a1b12b6a72ea1b9dad185c0ae5e9edfc97beb9632587fe72c784e4e82e8e1c4b

SHA512
1a17decc20acedb042eebbff8b107ac77e72cfe89146ad5e44d327a29d9713ca64c6ac58a5f294884d3202ad41ef217c92f36703c33b963d8cc532694668c364

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6d9514001c5db828032b5bdd2e6ed9d6

SHA1
b2d797d9ca4b4b13e0e0fde7c9cc0e55d46d8032

SHA256
7e03ec0cd7c67b5965378b0ddd6883204d615cce8521f4a0fd117b3f12a9aaea

SHA512
4f12ffad9359823c8074ddb8a8ca23c1702e81e04593c14e9997b4fb5b7720e853a863bc037bbb1697518a96d69f2e60b2cc44fd3515241f4b9a955e271aabac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fcb84d2d1f2741b1fe648555245456e5

SHA1
8acef59de12444531961f7ce057003edc145aad5

SHA256
78d988f59850dc029037908f68a1fe5d34b182c07a00a1e884d3392db761336b

SHA512
01e0474cad4d140e426d2727d1cc62213624fabb874839a215633231b9817438f6453204efe5e0494f63d1cde808667edec4f4e2a5a62635f3371b8f6ded7e07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c6fec82c12ad0cab3c313ce5aff1158e

SHA1
53bd8d656cc1ba354c008b53f41b67625ca6578d

SHA256
eaee513ca6924a1e46263281062118e3665c893fe0aa8938a3e66ba3f13f5ec3

SHA512
bbdc91f0746d4c318e2461223712a54c0e6e1be2a43ba4c1dc7b448d7643002ed6c69173a35b358d9ca75f607ef009eb637f7fce6629360e698e168f6ede3bf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
67231eeb3d916773b86544170a091568

SHA1
4742c037f6f920bdc9d68d4982803d928fa2322e

SHA256
f0e14d485b825277d9f40e70eba0e280c8c3500dbb0859f34164169f73d2c077

SHA512
5ec836c0321a510ba61a243bfa378448bedacc8827e1726a05826d443d00678cad7db1a6371c766ad5d529c839a78e033d333e8d3415be7934c256fbcbfa7731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
528dce3875f4e6ba3b8c0f4be60cdc81

SHA1
afaa002b0ee8b5dd00dcb0400d3b2036d4171d77

SHA256
0a2d9fe09bbf94f6fed4d8b7770a95a5a7b63634d83a822ef8f6017c97cceca8

SHA512
6eb93bd3350f1153c7c4f7e1729f7067de3839abdc28e9552277f0926f37b19bfc28bc01f1e2f5f12c92726c0e94ae9c606f9d6aa3c427d7e8c33f4c1dbbcbd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
adf0aed8c1e6788a2cd5193c9d945508

SHA1
127296d24c2f1db2346258fe9ed0f04b22bbb5b8

SHA256
d89afc236fa107a0982df205b478d1138370ca055540a94a9082062d36bab4f7

SHA512
d824ec0f99d0b6cac54ce3c559cf5d3f705535905a2d2d7a9ed9f9b5fa98bb9af4d3abb0a06a37d044932791db7dce15fe684c200cce37723a070cb573851786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b4744e3926b611a05e29e6bf241e2d52

SHA1
af5b19b4d531af1ad65d279dfb88a1e3e09deccd

SHA256
37a1020ba6970c9d80aef2f5ad9fd770fe8c7467c8c95e726ba356f3232e8c88

SHA512
fdc0cfffdb758d4f787f8d16d639680bc04512b1309fc901a2ab08402164fa1160d820334f37742b5857fa18b8fae2048a7a78b16cfc9e1fb058cbde3339db6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
aac4beee5e5f6bdb2e1558cfc0c7275f

SHA1
3c84e83a49de218f7f17a07c59860dec0dcae273

SHA256
9620ef3421f0aa9bf13d7161ab52ed4b772c8d87ed82e06bb5896f260a4667cf

SHA512
79c15c5092713ed240390f00fabd922029c7ac3ddc6e668657bfbfadbdf5be7710393c2e4d71c011dd098ec6fd8a9a050b9ae285a4cf759b1042da2b4c211487

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b085f38200e31dce68db216df424e916

SHA1
d071d777c2a7669b26fdfc3f6fb8f9373459d07c

SHA256
a8f318f9a9a8f0e0a0635a2943c975b998e5c263eba32c9fdb3153bf90e18e68

SHA512
7a16753016c63d40c090da5c5e71bcb17dab9ce979fffe93c58fc6823217d1557a7073c2613a760e31575a8610afb62d2f20101893ccc5c553ec26f0065dc54e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
61abec18187258cfcb175a74b63aeade

SHA1
86f6dde11bd7b292298022540e7787d1a3fa0ae7

SHA256
e7a74900a35922a2ece256e0b05bf7639ccf3dcf56e792ad32314f87c1bacfe1

SHA512
ce86de9548cc9f39e8099ddb1d393d06fd3271026f44ab8535d6442797d00ed6d0ff785c5fcc01932b13ddb8fa95a307db70dbe88bd80dae389d4ff693df9c8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
42737a7299cc8da993bc595a7ae505dd

SHA1
6984ff97b08b75c69312eb9f7f8d013298937d19

SHA256
b7b00a4c8735a79e23bdac73e24dfb835b309f00ccd4684f4b3bbcf0c72c7cc1

SHA512
63d49ddd10924ddd204cf405c477af9c4b95d4742580512802ea0936e91f3a651d58110269143714261221ed05bd1b1e711e2c92f354e5fa7f0f8451ca7dbd27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6a028692ee6b945b5deefa370cfc9e6c

SHA1
70ec64e4bd8a8f3bc9e8d2d88dc89df6b2153f1d

SHA256
f08cbac1130105ab30bbdacce8aca3f793b095d910ea200f4243d8c3b3cd290f

SHA512
30553393a6ece90a7397aecce67215b923a2112d7ac834e447ff0a67c92c298b2c81d68d9140681d3f898a21f8df33ce045aefd1ee8cd120ba0564d07e3134c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
23513207acc28d703c8bec1bb02e4194

SHA1
b7123c4c42d2a5533c9ca84b20f1c037446ec5e8

SHA256
ee94afee81e955d2b1cd64872d092aac051f4c01da8add95636c9d937f11c831

SHA512
61981a4c88e22d32ccc5a587a54ff04b8d2d4f7f681499c6abc735952034f16b7a5bf063f73fd160e8cdf95f08038a798d446a39757f699c36c967fa0fbb529d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c26b98936ad0e00b0c7562cc56ef70aa

SHA1
ed3e7f743c15e96eae6ebfabd78f55e2d533101f

SHA256
f857818e5df1ef6477d757d48ffe9243c7eb2a5da3d30a347150a3efd795afb2

SHA512
038ab90702e9088c766678bc199232456938c5b86a3de6a7ce375bb751dc9e1239e5d649724dfbfef95e96cd4b6ed356cd7273033518bc4473b33f22afab9df5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
578700150c3528e8c04f4c8f3230d330

SHA1
89d9173acae9d47fdf26623520b04511d08f56b6

SHA256
91f910434ad332e8540cd4e6b50f084915bd6a6c12a93cb3e5981dac074548be

SHA512
53498c7ba6a05a35e5a1db4330b5ce27a5cafd0fc2be75a33006106019dfbf59bf9d347319365bad2f80d943479940254b19ea9d6e83ba71bf2826f6a3ea0fec

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cddd1205b095acc251f2865af5779c22

SHA1
704ea55024e9b1fc34b8ecf67c4f99865527d2cc

SHA256
c43bae62bc3522f1b2784eb7cf6f396c6533d8bb2d898ae700b68ec332cdd61d

SHA512
c57368e88ea04a5fa875739e372a1c17119b36e71853ff742356d5993cf3504af99ecd70e00420d695ec6281f3c29c3100ada5952c90ff0640b55c02c59aad37

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
221116293183d702a57fd8d87457d6d2

SHA1
23bb9f44188704d257c592af5d5624a9f31804dc

SHA256
9b35fb4acd4aecb85a0787eb1accc1ac1f5cd468e881df4d9f7a8fa0e17017de

SHA512
446ebed3018bc9944716ddcc246430193bb9230b9ec0a98b0eed7bc7b318a4a2f882e04318293ed7d7f329b8ff353594a2c62d2471674a48cdcc4745f349e09c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8ada2c7f065f23e6ced0f9f34504d379

SHA1
6028441c3361a2bec9db240177510c554fbf7ed9

SHA256
905774709cd564923198fcb95630494c26122eca7a850b2a93be0b2e3f641465

SHA512
e6740d92cea0594338be2e25f96fe358649d73e3c14ae23b6e1a83e334f1fba5dde1e5e3b6000dfbb534d1787e28e13a07cd5b5db33217aa6f621ee19f013728

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bb597f8fdad4ad4cc208487d4a205d1f

SHA1
e76b581ac026f96ba042788ee17c8528eae34034

SHA256
5ce7586641f1a1b68e1295ade580e4caf0df6c9ca0d9bd147ec44b066233cd1c

SHA512
61acaf6acce83e91c38a6351b2552a1aeb4970a85d666a12831c5c621a2ab7caa5cc47f0014326599b519bba54c70bef529733cd59d91d6f63e564ecdef3ec46

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8e16ba4392536bb5913c6db8f420741d

SHA1
dc99ac4719ee9d57a6232db291fc7270e3d85cd4

SHA256
ec6f9e61fed8d113d99e8d9e3ca55706c7ed9767243599c1a84b449c1f9f23c5

SHA512
3d831ec96ab83499201d17d287dce28c6616db2200f2be070fcff76afcb4fd11cfd7c2d0e7d4b189f8c9c8b7811a77d8aefe1b1c0fdded9bd0ea2ada6b35c40d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5ce1ec86907ca24327ca2d5dd8cc1e3b

SHA1
67137c9ac3fac2719b978742529b349af0c90df1

SHA256
fdea68f516977450f758109abe9d98cd9c411f02453940ee9c9cbab4d09db05d

SHA512
d2179a5846319100496f834eb2608e9edb0d3dfc585750112546478e052dbc5f8cbfe6bfb717a9cbe92f586595386e04ff0247d6eccb42c1e5bbff75fd07327a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6ecaa109c710599af97cc8c985df8c4c

SHA1
2bd4c2386f243078b15da32e26ecb860e265fb8e

SHA256
f381b91779cfd194e8a94b82bbfd0ebca47b0b9429b40edc5d7dbb71efbbdc37

SHA512
3159f5428a5c694de84d9631c668dfa38b8566ee4700d60fe4dfc845302275ad92b8e7107e80bd4955a081ce938b3bff18311016490ccdce7b7ef7edc5522ed3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
068af33139d54eb88e143d69a8b13fcf

SHA1
2344ac7524c4833fbe3c1237f83ced61a9474786

SHA256
0c0a5683e362b5aff137c8d4e065a3c7386d3f29b02a9812a1c29247331289a1

SHA512
1cc4ebcfb425c611caff422844f81c8aff8c096afac8667bb7aa2525c23fd6b3be50113f94533d9b7878ecc5832fe2456bd0c4a5bb91c4a8f035a04e5afd0a2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf2391d60acc5f1fcc18a7ff13897585

SHA1
d5856877261e11c0a137cc8240dbb067e8d7b7b2

SHA256
8eee7519bfc10feb1753c6a3cc85e0085498d79c6fd3fc520f1137d019e15d62

SHA512
8d83dd124c2ff21e3eec78cf7b8efa028cafd0ff808d1bf837f6c06274b5bfe1f20c60da4ff72cd7013262b6d004b4d0a12077dd6f434742933333300bce8b80

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
01afb75de239282a48672eab63d209bc

SHA1
bcc00f36c9a1be1fb5c7a774333c2825c4a54873

SHA256
f14c42e17096898198aa799b3a812475e678573e92de58642e449e6d42947410

SHA512
06dbc2fa71dce7a936dcd99eba247b151626e624257c45fad83bc2578dd6bb7e4b78209488a04d51910d059e84f04cc32920f0496ecf7bce57bb23eb86e45279

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
45972cf1abee565c7c3c7820429d355d

SHA1
f7837d50549a9536650f3989532b6e481c98c612

SHA256
95f124feea131b7674bda44e3ba513e024219bd747b8e82e54c5babde4997023

SHA512
a78a7b2adf48cd1c22ffce7c083cf8a6b0d08a9cec51570d881c8cceeeeb8efa16d3f74402a56c38e900b53ba6e7ef195f2bf5eeb26ef281855bc23ab48a7c63

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6d1a1a1d72f2d56bcad285a22bb7dfd7

SHA1
c43ea0d18686c74040a0ce0a5866ba211113f86f

SHA256
50e662db09b894591c44fde930de61c1d5d836e874e222be051732ff6de1223e

SHA512
f4e76cee2150cc55d7586c3f03a5a67956f3c0b7e4cee17b3222440a7fc2c8ad20242659d460b520c98e07b6d1f81fe92c11478196eb9f098a1060e73b195c55

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7e85e8a9c4b7ed5ba3d8370dece747df

SHA1
a5b2dc439623a67c8cf00971f01cf5242391c3b6

SHA256
e1549a4534e621c77f6fc8347b88d0bcadbf980e6c2a9e0947896a1294e209a0

SHA512
22352ba28e66fb83d25accda0c903c4fa8d7a8007011c1e6f23cec3b3fecd534d4a430bc33429a2e38b959c2bbb2729dd830f1a4f8e0d18c47a8be598c612f50

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6eb120406e5a0ab4c0fc6f621e91b1cb

SHA1
3e2ace3c3471ca071f89f00e0d0f375f406759a5

SHA256
5a904a7b9e62b0e840782038914fbb520e1c3879e8023f73719019ac686bc02c

SHA512
b3d7be968fef9c78945256f833b4d2a971b58084abb571c9b3699e0d4745e76ba5ab77f602271c45d3bb0d84da514401520f680236f5ee589ee8c073760176b4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0fe1870a8f8d46593618f10c6ac3318c

SHA1
c0876cb915fef2fd4344301689ebe9c57aba14d6

SHA256
dc8214691c468cfc3cc41cc1da3d114197a35112a6fed6ee83a7a4f832b74381

SHA512
dece4c28c8f81229643d3e280b7d2a12f105f5e8265dce4deba85b073ca7cc7bffb26e2df2a806659ba409c37affca875ac89d92d9920ccfeea384d9e0519fb0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4fa357ae05103f0a170b17e30ef9b154

SHA1
f706e81c13eebe63b48907af82024f2dc4dc61db

SHA256
c87acdca91896518f941befe9ff4d399931de4b943a87382b1cc08725436a36b

SHA512
6c85da963a575e1cffa2490d7cc2781af4681e50487bb0b9ab879ba8e9686355a0d396dc5fca63014a470a0c387ba263b83b2f61b77c8f4883b9875ce945f48d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7578cdf27b1d328018dd229fff21fdc5

SHA1
88bb2ef539cfa29d9a783577ad0d46b5b7c89286

SHA256
93744b15d4a7e234c0310e3e975108f2eb3f8eda47885f6c4650683e4fea7eea

SHA512
95c70010ba159bea350d99522ba3d4a6a1dfacecb3c712b73922c6757e1c52e17168abd1f1e4f76f109bd05db97d53d1bef9eb2057369fc2a55656dfcbc55dd0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
226a78197391442853d4ca0f1245e1b5

SHA1
3c9dd94a1c17d88a879286a42f888edcff9bf438

SHA256
984aa665f2f8b6ccafb75bed47eed238956af5d5f9d514f5a613374fd8ed12f1

SHA512
c2ba3e0ae10f6efe835a662eaf9a1c30e19a2ab72d08ad2ddfe4327fe910ac74b330127fea7a25d216c09386f5a10760489a84c2fec4076fe9e54d3474ac62ec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
652ec840f7b5542e818468b64bd6df65

SHA1
121733df7b69903d6b05933ffad86f9ef30f6bed

SHA256
6d8b82dd61ed4820748f6737fb3bb042fe58b00519a2ecd91402f39b1041aee5

SHA512
3b9f41c185688f4657bc689be301a6b093117bd04c9286958dcf07f649fbb8327d3eefd1329765ebaa83b816e9bf007fece9e13dea28b2f6b503b2f56754762e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
05ca5dd77eba59468f92013dec07d448

SHA1
4d489f3aa82a2494b39d1444a7b9d3ee3979444b

SHA256
0190f20082cdb9398478dc6da1682dc0856c502934d50d08d1ae38d489c535c0

SHA512
6e4975fc164d63cba625aa56a68686a30acafd12f779bd7825e07834602e2a1f44b30eefb5998ad42429ed48803eb023238e229441a1f6a6954daf611cb3711c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
af9ad498dea7d3a4d4543c09dd28fad3

SHA1
71756d51deca3e6866b87a6482dd94bac705b4fe

SHA256
7c6e699910ae9a893cf16b08e728b6ca875681e1eddc348863f2a1c1ee9eede9

SHA512
2c167aa6074dd286422bfebb9c3d49faf19568dd66616a95a992a00e18371d20c51b6b82dd61cebc7b90e46c975eb04fb87fd04a81e9352dbd9c0314a98fef07

Download Submit
memory/428-713-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/428-255-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/736-720-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/736-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/896-712-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/896-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1004-292-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1004-170-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1048-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1048-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1048-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1048-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1400-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1400-159-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1400-277-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1692-1-0x0000000002330000-0x0000000002396000-memory.dmp

Filesize
408KB

Download
memory/1692-8-0x0000000002330000-0x0000000002396000-memory.dmp

Filesize
408KB

Download
memory/1692-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1692-190-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1692-613-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-714-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2180-266-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2332-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2332-718-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2444-719-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2444-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2532-316-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2532-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2728-123-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2728-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2728-117-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2728-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2872-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2872-721-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-304-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3904-193-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4140-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-711-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4188-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4188-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4328-103-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4328-94-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4328-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4412-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4412-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4616-153-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4616-139-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4616-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4616-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4616-150-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4772-206-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4772-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4772-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4772-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4776-149-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4776-148-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4776-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4776-106-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4776-715-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4776-112-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4776-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4956-328-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download