c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
Size

1.8MB
MD5

cf4cc4baf1be7a3fc780de85b390b7db
SHA1

bad149c0bb4c0e2e1b7405c6b83a25713a3bd5a4
SHA256

c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a
SHA512

c8f8b082accdf87985914504bfd6e6499cab9b7c3cf332eb4e62978bec8323f51b1abbe1e05a562f6384457534de2ac022f7a046a68a9e7583efee32556a8534
SSDEEP

49152:vx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIgDUYmvFur31yAipQCtXxc0H:vvbjVkjjCAzJiU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
4052	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
1648	fxssvc.exe
2024	elevation_service.exe
1416	elevation_service.exe
1736	maintenanceservice.exe
3828	msdtc.exe
4156	OSE.EXE
2320	PerceptionSimulationService.exe
1408	perfhost.exe
2776	locator.exe
2164	SensorDataService.exe
2968	snmptrap.exe
1940	spectrum.exe
452	TieringEngineService.exe
4964	vds.exe
4500	vssvc.exe
3040	WmiApSrv.exe
3172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4fad23d971c363d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\locator.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7FE75A3C-1671-4F2D-BB09-D1F7E053C0C9}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\goopdateres_am.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\goopdateres_nl.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\goopdateres_et.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\GoogleUpdateCore.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\goopdateres_ta.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA884.tmp\goopdateres_ja.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a987ae314bd5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b498c1314bd5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a987ae314bd5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001179e4324bd5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	628	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
Token: SeAuditPrivilege	1648	fxssvc.exe
Token: SeRestorePrivilege	452	TieringEngineService.exe
Token: SeManageVolumePrivilege	452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4304	AgentService.exe
Token: SeBackupPrivilege	4500	vssvc.exe
Token: SeRestorePrivilege	4500	vssvc.exe
Token: SeAuditPrivilege	4500	vssvc.exe
Token: SeBackupPrivilege	4760	wbengine.exe
Token: SeRestorePrivilege	4760	wbengine.exe
Token: SeSecurityPrivilege	4760	wbengine.exe
Token: 33	3172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3172	SearchIndexer.exe
Token: 33	184	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	184	wmpnetwk.exe
Token: SeDebugPrivilege	4052	alg.exe
Token: SeDebugPrivilege	4052	alg.exe
Token: SeDebugPrivilege	4052	alg.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4640	3172	SearchIndexer.exe	113
PID 3172 wrote to memory of 4640	3172	SearchIndexer.exe	113
PID 3172 wrote to memory of 2108	3172	SearchIndexer.exe	114
PID 3172 wrote to memory of 2108	3172	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
"C:\Users\Admin\AppData\Local\Temp\c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1940

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:4528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4640
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
1.7MB

MD5
33cbcccb8798afbca99b145d6052321c

SHA1
a4fe76e734229d27939d7f3598b96404334362c2

SHA256
3ebf0f48ba78d103405812e22e046e78f15cafe8e55fe39442c55cdcf41f1eca

SHA512
2c60c29ee565f0236e3531418ca0a9b77f04847f3dd3750713f0b3e5aaa88d333dd2e0cd85d2226d905e4960b505f7f4c1641e00f7a8f05bb7163ba70c966288

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Filesize
25.4MB

MD5
52cc22c915afb7ce80c638899dd27784

SHA1
685c7e33135935fab929915201698cedcaeb2d9a

SHA256
8f82674657a360d7226255e64bf8aaaa74cdcc2790dbc4dd80260129ce0f68ba

SHA512
48b8043893bf9787e46dfd5e165cfccb6944043d31fe2dd6a5249d5bbb59b97795acfd6d4f4198895f4688c63aa5f9a6a2a312749ce1ca68b0193c94aacd90ea

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e976165a0008f9c0bc220171ec13ac48

SHA1
417b077d5048d3238bb0e1a15d8db4c76e040042

SHA256
cc9b87c7451ab46be97ee4ff65600e40ba6148f566eca5dc44d5031606c574ef

SHA512
c5035636feeee18999e3f46042d22dfd1f967606fd305ff826026be9832be9637cc16f3f291599e1fe974a0c756a4a19839e826a5830428673a721151cb5c3d5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8257e0ba5e5b51077bec937bb4268d27

SHA1
5f8fc4cca814b91d2a42b06e871ca3251eeaf17a

SHA256
4c462ff35df75d236de4548d060c6cebf97c098b6e9486780ee37bc10471932a

SHA512
498972bee661ed9488d1b1af775174361e58edd57dde617f68bf825cfb2a020e4ad02c39a0ea74e39cc6a0246c6b362bf95fbe076d5f3df6c6e059e75bbcd3cf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
85fdb2c21fc6b37a731272ba4fda8235

SHA1
60c8e4db5c999dd8219f4a7c49b945b6ccabfb9d

SHA256
614831526bdb4429979a3318bab45c1bc5e97559b9c86e2c01800ec55b04213c

SHA512
06347edf1e86283c24a022ea3d0350130ae02947f791eeb742fbce8497c2839efea44addaa608510a280310a05f16fb52ed12714d482504075a9367ff14d14f3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1f35b8000923256d04ba51de28189d10

SHA1
7021b34e586bc710c81d87cbd698aeb2b791f075

SHA256
8fc4884f84ba2680331f5ad27c1702baf5e077121b86904a726a64774f2d7cef

SHA512
505645854e08759294955bd7d2ee0eb265f48bc4d1e5286404b09cbeff9aad1437f32832dc93288a019503aef35326711ec9618b3861a14577e9caffbef2f7f2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8b6b9b148f79716a290d642da09f3bf5

SHA1
d83bb118c340c73cc1328305cfd7e052cda0323c

SHA256
a01325e2e09e1e17e1d0c9992e083567ec2da88e8ed9b32d16c97f02c9d6814f

SHA512
31e8344b659486b093de1ddc6721874f3fe7e7932cf615a20591fa02bcb5f0fb638387143cd2a42794727558baca8e33189dd0ac08b08d448d40d2f12326a027

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0a6385d8cfebd3e1d1ebe92ace3203ef

SHA1
c3e5f7c254ed0c2654d2cec3b4bbb7dbe229a539

SHA256
cea500cc3243802b5ad18d06d8c515e53f634efa50336bb2fc678918c284fa03

SHA512
80296c3db4e898c893a81c7bf2568390a726f0b9f71f848c4f77c7bb481c8ffdc333cb2a5f3082632c5464a79ca34362c8044833caf8436a4bcb4690a69678e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
cf11069f45fad9bac1c144320c5f1aeb

SHA1
b30a5405e9b3091ad8944c72960b9aab517ffaa6

SHA256
c9ef960f120923624560b87b916bde9b2545ce6dbaf333296c573bd3ddb6ea50

SHA512
456db96067958559530e57e8d3d4fde2aee5f33ac7d5ed5231c0234a1978401a672e2cbb254dcb79aeac7ebc3a1634d0ae8b740269e26a53c44eb9d8e564dcf9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ff752d35bbd22eeeab70334e52424ef9

SHA1
4bcf62b6bab7115ad34a1e6724a7eceb58eba90b

SHA256
6e19461dda1623e9ae5e98c66b3784c795edead7b6b37a18a8e14a2e72d5faa1

SHA512
2ecca510986b99bd0cdff3447514623978841a5ee148b4c0f1ce5daaae653cb2bc844a8f3c6712de65695cf22ae76be29e0c2bf018b7e9e248e72b9645924531

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
bbc285031a15f42bf2b875d2f47bf995

SHA1
526218d102feb5f2a35e4df21c9484deee71d449

SHA256
313ebc40e207d359d64d53c684516a13b32758e30ef2ad85da2efc6bde3db497

SHA512
2450792a8e11ccee737b2867f7132d1da15b1f256da558b54d1cb4e57ec6accd0b8efadfa5edc16d23dcf513058d9c48e340ce8bbb6888cccf3ba394bc952d75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fb18c3e7bc6e076b9a263057bb71e587

SHA1
269de8b7d7676232fafd1b9fa8d02994213ab1b1

SHA256
36c0879b0986557320b1c08ed92eb7f0f58e420a8046cba4cb9cf4a3481c7e48

SHA512
54128a434c1d7cdefb88161ab7225739dd3febc377d201e9fc278e49e9ffa801610b0baade6d46ccbeee4e37488ec01499c772b8e8668986def281edd1196e2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0f41e79e629f6fc27eaf92b3654ff9d9

SHA1
d01f1d4f20272c05ee1e60e8a9c5392fc0186a61

SHA256
099b4df7ba426d22192f751b1065e51a512b0e5df1576be0e364a20cf30476c7

SHA512
8afd1064ec90ce8919838552f82af1c7a861d0cfdc49738126088b065671450cbb58a5d34987fd4390ff5f7de56a05da53969d70e119947b8421cdb18bebbe13

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
c9ccb74e5b9119d76201ec10a64cea46

SHA1
fee6ef21729f1b5db72b3b01d305a54d4252b3ff

SHA256
cdf8db7da09ff4f600f3d738beca15f0a1886860e710710d679d3d48c9c8932a

SHA512
53ecc825a3c41e6432f56c29fa6b2d9ed2f50790f5a2570718335d02b14b9946196c39056b8437172e8a312927f740793f5356ace85d45381c22a13d3021620b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
fa268e970f44a88df414e9f1e137c5e9

SHA1
8a13fafc52b6c1d04cc8ea68ca4da94370550df4

SHA256
13779fd1ce9761f046470b252cfa69386b768971f301e9a4b31bf6c9b29f9828

SHA512
af470a11ec947b2ee546c3f2e75352ea9283317fdc036f71081b070338468fd25741f552d2d0998546f7d7001ebcddd50e112d6fcc87dfa29304e77f03f0b2d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
61bc17bad303e080b8fdb8cdbe3982c7

SHA1
5604f26f2a7a4028ea4382785303d4a11627a699

SHA256
96230f1698d299650b7d225b8d348b736dbba38f2289c104517e43e1592329f6

SHA512
92315d1085555c561be702a620f9eaf4d5897891e6f053d3a9256e3bb81d16ba849308f77ad4ba3db0f01fce7cb2120ced7a67c31a054b0440076bd08c75a0ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b5f806768e7c4673d42c2208db706c30

SHA1
d225ab41e12de1fc420c419e34a1ae2d01d787a3

SHA256
6200a7777183f71118fa6091718ea588c7e66720ee60a1f89eb36d2bbad9ae2c

SHA512
71141356ccfa555b16f40eb35966382b1e3290098ed2be3088d22eedf3a7582bfe9c2454a94e030bb9fa4f59820ee06d64d8bb4901d050b57e09f4da31708da1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
63c8de906ba52a17340b84e2f3e504e9

SHA1
128fc38eff6997fdfb92efaa77c980aa0b1e84e7

SHA256
3a98a1fd36bad9ad170c55f61fba9ed4638e56c5c9b73084d6a1f9ca66c5fbc3

SHA512
045f7999dcea8fc18aad21b3748ce2f3719871f4b39370b3d5c124ee0561d2cc4a972d7f72ea89c0fe709ed955d6f3ae06b0cb31a7214bbbb2d3868bf7aa53ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
68225cc474237166637cdceec3284617

SHA1
f4363aa9d6d627dc52450bdba2a31c2d59f3fdce

SHA256
91f487ebe3fd67343aa02c42a2a07e5d5a20657189f44c643e0176c4e10256e6

SHA512
1b57353dbef50aace2592b18d3b54132f4f36fcc7a0c654fcb5b86a5ec228af17eb22aafd26e563e37209914d14398d96718233c4e37e17de0071d765a4ecf31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
34f9a0ef01eb6625cf28621f21c2e519

SHA1
9219b106279b6e6744f4910a886ae3761281e5b3

SHA256
0f4a359d69590aa72c5bad7761bc78cfbed08dce1a92490006139a1519bc0336

SHA512
30748759196b45bd92f0af7640c453928ef9eb1f498046ef138a79c1e28efae45ebc7c2d8900475395a17b242812606be9965919ba2a69facdd850dac0724d4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
bf7c11d64868b72d94d5b86554014c94

SHA1
4132372a5d1d9b4dc5e7684b3b1dde63b1c6a570

SHA256
b2d1c621685382e3a5d6655f9d6489d4ab7295a8a5513b8fe93a81a4ee90a857

SHA512
7739dd578f262a02a938558a1d929456d61fbcddc7ad3d3ae0f8470238022ffab0853f0869242b4680ca76991d2701bd816cd40c9284906f72586515fc3ddde2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
edf1c8b5612b34b34fc17ea2c8cd7439

SHA1
af8fcbdd3b606cfc634c2e4c1b6c01439046ff26

SHA256
933c9609e317f13256b43d40e753de43a99d2f05d66bbd407cd7b76d341c17ce

SHA512
eda7ea1cc772c67c6e5548479cbedd3eb2acfd0f12b9efdfcb396063a7ed376a4d9731d526efefa11b6e294b5151b2b24c407926653efa7fd7aca34734d2f299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
ac2a5a42fe4a8ef113d7e8558435f3c8

SHA1
b64c5ae2a63bcbc62f7b7cf487f0f6dc5d0711b1

SHA256
eb1df9a250d370aa7ae07472b9a4763b527600dc993e795087ba503d7f3a327a

SHA512
0b2f73c32cfccf70c2f945d82dee9d44137b78e57863c7fb8f23adc4368508af2782ed119e409f57c58c5c3b69ffd029c6a79f1bba7e9f4c01a00ff81700d706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

Filesize
1.4MB

MD5
16053ac305c9b7c6d50430ddcf3661be

SHA1
9c21b2ea0114fe979bbe830b62a93ca7999d0efc

SHA256
e77c4f960d4b17e7b41f2288adb6df3d97f74881928151168f0ccd241145d0cc

SHA512
d4fa9e0176d9bd3888bddff636ddd4c5338de00f8b1b09f0686fdd2278634be94a47d041c4ca1c8d2a5dfd92716511859ab390dbec9782c11ee4df7196f55f4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.4MB

MD5
9d93a36041dcc133f89536309f9d7cc1

SHA1
d9284aab95a5b680d1d15467c1335ff3de8c4115

SHA256
b87cafc464663141d760625b4adb652ef2de77788f70bf1c7b02c5ec8e665250

SHA512
222f5bb0156788afb1e2023946965dd19d18034ebf37e6431dbdc03634b3903f166c4938269fabd2a5fdece4e44a4463fc5348e219d4ccf37e54a288c53ac3fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Filesize
1.4MB

MD5
24e05eab73e275d342bbb1ffb42d401e

SHA1
cf67d1bc870895ce5f275558d80b55641af67065

SHA256
442ab1294d96fd2a7752c8c03b40a5114582132fad152a5001658370c6246a57

SHA512
b35101d59e5fdddbe3b5e6daab5752a1ab31c2663dd71019befaaee04c8b68f5f1f7145a8e035ca881f258c0d2e26c9af6fb282897b4adb2922f11007daa43e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmid.exe

Filesize
1.4MB

MD5
2b74ef416f23c9a327e5fa4b5ee7650b

SHA1
90fdb4e54ba3e02742339358b3b709707ff83269

SHA256
113496876a47b2e0ece51c116077f76296e242a0b9e94600d06292a9e682e06f

SHA512
c5dbab45e7903b51ba00b6f6dd3f4721a5018649b0f3caddb1015fb05967bb0d98ce59081e204441fea7b52ae9b6cdf9673a494da66e52521ea238eaabcb26a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\servertool.exe

Filesize
1.4MB

MD5
8b5df72722da6730a0dc3317e9a2abde

SHA1
5c6170a132020e1611f1ec7f2e748be65492d499

SHA256
838145c0999322b599ced989ebb53922fbbf20698319e8eeb70594cdfb0a5da4

SHA512
688410a7c3ef1ca89e2dc2c0fbd3cd87128c179d60bb69fb27f80590fd102d1ebe7d2318b053c9f87248d1ad499abec5b7cc84861217a14a0f71d48527fedea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.4MB

MD5
43ccd972b8a46692eddbccf2f34548e0

SHA1
890f0d7d9a86e4ffd0ac27f6138c42f0199b353e

SHA256
e349cc5fd1a8466787fa85bf0e9722638a914e040eeac5f73c7b6b4e0976517e

SHA512
7410e0d81360c797409c37e44741187b2abf3f537e9817f2fbb24430958ca9e967920755a71b11094abbf5c87fb820c200e2b886e1c0ac66beae34447e5a690c

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

Filesize
1.5MB

MD5
4edf80e8ac5e25755b241bf608798f18

SHA1
c5509185010124e190ae296656d4aa3d262527ef

SHA256
8e4a509cbab6258f6a99eb15a0d992075bcf3913ff99c08cd6957d334fa6369d

SHA512
914a60037546e39a954e5f124af1b103907b8bf8280994d1c10b35a9c64e4d4205650b1f4d4ae90b511581a0735e0a26b63196638ff43f8e03e86b72e7dc8215

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe

Filesize
1.5MB

MD5
9b682ce2f1331d07b7837055569c6cea

SHA1
653538727ff2fb2a4425efc8c565e289af199220

SHA256
ff280b02f51d32ea38439494ac48530251a99f6aec703b99a4a760e664c58cda

SHA512
42b4436fca213203d2f50602df31bc9e7c8ad9de7c519f2b5540522212e9aeec4a56ea35971b6170651526332f391ee72eea114bd1df2d3be1e57b1927d5a0ea

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

Filesize
1.9MB

MD5
94692c59f7f9a76e18c5865b3fd848f7

SHA1
93e1e695119f72e78980c416a9815e5353ff58d2

SHA256
6c4d74ad9fe872e831c314ce82890975fafbef6814197c662d52bc6ebc5352ec

SHA512
2351d9e268a9b7266065a7fe605143b94cd615de6b14b508bbbb49f5d0d66250768bfbc1960134525489571332278ccf5b1ab76675704bb24d598eb31d1e9a71

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

Filesize
1.4MB

MD5
d5497e7b12f193db24e2fd2ad0e200b7

SHA1
cad25325baf2adc2309f3306e464f7e89f8f978a

SHA256
b37249c892572a3f293fd7df306be79f10c6f362da785942003a8e480cdf1317

SHA512
b7be541c329c974d4291cef76d97ef9887621f95d043530822e75ec74b6ddaaed3795c97c47adbfa034596470516f1a6fdf614db45d68ee748c53af82c431cf5

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe

Filesize
1.4MB

MD5
122518ad11294be1c87093a4ce135c1c

SHA1
02e3a0348af98106ff85bae7f4026fc569c8a45d

SHA256
a0b5e0a24c6373c2ff56582884544e5532cbe07330f404e745445e057326d064

SHA512
2f4d44e531d9ad1bef5f897c6aa1629d765dee2af797161006f6780237bc3967c787b8a6c9762473b4db7f28ae1d30f5706e62d24193e70cae66bb9f1b0af405

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
1.4MB

MD5
eaf3e2810aaadbadb7885d5686dcd9d8

SHA1
08b28af14306e7c75f7d87b2e95435b888d5c5a3

SHA256
92b29ffe74e8a124b8c09735a0e0fe6a7db3414d0c1c4444592fee6e13526f0a

SHA512
bcd349b56b2fa22020ef804cb6e3dda719d7ac5c3a325232ed89c07cff6530eb141c2de6d0407b864b63dbb9077936df45b14de66999c76ab58c0ca1388cbcd1

Download Submit
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
3aa5dccc00ccf86ff5ed12e55087560c

SHA1
d2961458f7ce40abf2d17a086e5f08707ac0d26f

SHA256
b1ea060f74a5af541ac302560d4349623307f2bcedf7d738b37fc3b64c9028be

SHA512
3baace78c0155798e5d289f54683152fd8ac754f0b1039aa182434e3d4233ad987706fe8bdf1e2328c58a42afff8408eecb14dddcf7720db53d1051609de1c1e

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5a664e89c3cdfe71acd1b7ef39aa08f1

SHA1
6fb7dbc2813570bf6fe3b76858697e2009e7ce72

SHA256
0381667bc0a4d392c630b7fed18c57eed8538e9508102cc193f5b027adf1711c

SHA512
5484b7de62abc6925017c89fb82852c721ba0c225615682f38a595e7b2730403ca9edced5b1cec7fd1bb6374f7c283ca454fe4f646ce94da7f163b09e29791a9

Download Submit
C:\Program Files\Java\jre-1.8\bin\kinit.exe

Filesize
1.4MB

MD5
e6ff7d5d7085c4476e86910800a0d2a3

SHA1
0189fda16f25dad6d8ab2324d0eeb21e5c868d6a

SHA256
9562051ad51018bf529044b1dce0436b46a5af14c5b82e4124da6e91c1c33afa

SHA512
2905c9f55fd13f0a479a5e8c6114c04580e6646e364077010256a085bf43237afdb00bff79585ec1276e96cdc49a9d351c37d63ac85c8e9e5e495c82c487d71a

Download Submit
C:\Program Files\Java\jre-1.8\bin\policytool.exe

Filesize
1.4MB

MD5
2d81f22497db6342b19522bf5b24c88a

SHA1
aecb2249c20053537d82c87be2fb909a62f97a9b

SHA256
f824737386c2463f959cd78bcaf65ee4f0609ddab17702c9431d91243056da6a

SHA512
d1e30555e0d6df0fb07bd467c08281cada4a6f125be67aab72afd7378139a2af36e94e52b06c2748c3aeefd1e85b51fb6fe9f7de8f8ac0573b23c3a13751dbd7

Download Submit
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

Filesize
1.5MB

MD5
956f59625b17f9a2b39b1c4f1c0aa00a

SHA1
63712969268591e0d8fe1ba61183a6495c01299f

SHA256
0ae1a14c3cf46af4ded9712992b38476bfd71ac5308eea3be8a972c8c3946ec9

SHA512
59052f536c740357219d39e52b599788392ca1f10a9d5876da92ef647ea04ca410a92175ec1631797fc1946b25f22ba5693cb5952e5b7172078421b2a0a89f8e

Download Submit
C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Filesize
1.5MB

MD5
c60ad0ebc4fb27b286bc826b465cc7ae

SHA1
a86a284baf527f9102b94552c70324c8ef05fea0

SHA256
d99160d3c2b7779e4a60bb0be0cd1c7f6661f58333aa6c823b6ffe65918dc84a

SHA512
072e6731532abb87fa8b075f953a8df8a6bb8c5a58d855dcb30574661a60028c0fcc27467990bfe578e285b4f35da67229968109805a28a000ddad6bde004fa9

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Filesize
1.3MB

MD5
2d3ac7a7400e09fa9f3af1e679b4dd42

SHA1
2a4a0ff1104af4fe6ec72c16d9e9f818b2353e38

SHA256
3722aa3048e4fd79a6eb3cd1946f798a99939ae6f002440206f478b5185e7c32

SHA512
8b48e131c5e145439f4531ce5eb08f0b03785d075f90a0751f92305160047bdab4efc18cbe59afcb63ad3feb37d2b6eae6f671197ea4581e9e26a89cf3a6041e

Download Submit
C:\Program Files\Mozilla Firefox\private_browsing.exe

Filesize
1.5MB

MD5
45b31dd42a6b497f0da9a41abe984c59

SHA1
40ca4e3cdd84c6973aad73861139b29c2e4868e9

SHA256
cbbb2144430d054fcaaaa5b95dfe0a7f17e31f4559d7241b9a6ba48a6c363dee

SHA512
cca2799ee292b3cd2373370b6cfe0b3f9f80c93ced22e77f95ebfc35279937f8b22ee62604ee2ec0e4d2fb8ea017813e8a83704fee385a9f73a0ca630296dcbf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
892c6c155b6c1ed2e6c3bc69cbec17f8

SHA1
373874905b00913cc9fc01c401f374de4789f408

SHA256
31f54f5f69107db1deb3030407a37af65536f50cda09ccd7043d452c426f33d4

SHA512
a3dce00c05e7a1cce2b27a0d6c2828ebe5807021b82448dbfcffe99e65ef8d2986c2c69ed11e64f5e778ca5875b1f5634f0d09e0f4d010e525a6b45656954742

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
4a4e909b2be17f8c4a0c8ea9712e42a4

SHA1
bd16732f1443f422f86bba28a94b455bfc5d2b6a

SHA256
15c252f290b025d5290637f8a4a2ed44426b48a3e5e6e21b579d4ae1b1d1f033

SHA512
cdbf4dcf8be8e92689bf3563a93c45824a8d47f23bc536670bdf09eb9e992d6134ccc2967d7dbae556ebe88986295682cdd77eb5154348f1094337d150e78720

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bb7ea6a8871417ce6b00aeead88edd88

SHA1
a5d7d699a99b2c6c88e81b6ffa7e66dc468210ed

SHA256
161dd39a80e2027945f4ca4f7819bd743823b5b164d81bd561467443dcb459ab

SHA512
812f2bfddaf032fd3a5e3d31a446e45e9d6ac00d4049794aee528ee688cd86f4d482424ac24c83d43092018ccf2a96d54355c9392eeed4b9a43e1d9f815c5615

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
de279196b5fb742adfe96c3c4cc50557

SHA1
6e167184982fbe8bb5595f6be309fc853423c706

SHA256
a42d72991f8deafa77da5ce3617e1920c6ab65a40e532fbec072c90fae3e1b4a

SHA512
db32b6564bb6aef27d117c7c7b82b4a19200dcdd3854d9a980926b61d4608e9f2d86f318b8ae54ad4bde15fb5fc18c4f49f4e8b9aaa1103e270a7896852f62db

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b89a235ce47b886b75098b3c5d29d38e

SHA1
6b83bfdb9950649cf4c422e3c03581c0380007a0

SHA256
2933d44f6c739b329c33c124b8c9456e07a809301f9b845c5ff76b7d4037599f

SHA512
fbce3ff41445531a6a794d91b7fca0de8007e53fb311d180439e7ff9ddc51b1166565bb410189335bd885fd9448c64501d83a70eeea4789561a7345f3c2a8269

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
50584b665e266d476596d5ced034b4c2

SHA1
e024260fa8a94ae146c60a7a4c196272e4eded99

SHA256
3093222c12879cf790843ae79ca5803964d570e6703f0bd5c9fad591635cb021

SHA512
6d390896bfed96c1672bcb95892347ae67864e468a2f40ca3b7c992fb5ebf986d66bb727a65047ef1792a08cbcc51ab3069ca190a327d84e3382123a0b487be9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7668c5981c173d10d40d5f7a3c9d4a72

SHA1
ab442f1c4a4bc815c72dda9561d5b72359744058

SHA256
c625d7294e4f3e894bdcfdb685f1c21186c6c5924cdab58203f14e7462a62e4c

SHA512
2981d7a9cc424030b9327cb28edd92d76173520cfa852630425981daec7e281ef96898cdcade2a44fc47b48e2fe97561ae55ccd1d0e3464e8287ecafb90d369a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8e5de1b5d2ab86fab92f0834178f17bb

SHA1
b2d64bda45661a927cced81cbba0f5868f0d2599

SHA256
5a2b849c622a4dfa0cc3e7189dce306ef64afa3de0d535ac89f56bb800543bde

SHA512
18e2fc772c79c9b0e749ec7e18f77fd42f82c3631f4b7defcac7836847199e81bb2897b93e4a3e74cfe84e17b9a0b5e9123f0f80b30224ad37bd7fcb4220599b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
16cc34a3c48d1faf520171cd620748c5

SHA1
3bb8a4e69ad126ccb0095249c1892d8b3c1e4714

SHA256
95385766f278f3e77ead75bc938cedf27bc0ca2228a02b6a5eb705bd2c70e400

SHA512
034655ae6185f5427c7f8f8b699f46103ed314d40aea83939794544e0b3cd1964ebbd91eb77686eb62f6d03c22f11aefe369bd1e9c0c1e682b4492c472f75858

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
181647d62e5ed9a037b3874931cf218a

SHA1
27431138244d3eca272c88bc4a33d082ca00bc2f

SHA256
7f8cd82e0146778a295a4735a3f2be2c0b4d8ea1a11a9e67459888a0be10f0e6

SHA512
1956e472750e75dae14a93f76aab11a3a307922fc4eede59bbac634eab06ec6aa1dbd9cebcdf4781272576c5e84c0f8d9aaa4729d262f3499f3e8535c37f048e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
15db1eeaa2c2f490687c684585217aee

SHA1
ea04a47c3e21184c2e049443ee7d67a4089de948

SHA256
bf7606a42833e9387e181f205e66b4f6d60065bda084dba7c28c886452f8745f

SHA512
28214414ee614cc08c300459d2f2f7cca2d3a5c65ef917f89edd25013f64765264ac0438710ca893584181700e74dd4a1fb9ea55fb07b61f7360af39cdb0982a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ee453d80a8d191b739405d6ab66d72b5

SHA1
ffceec1488b5d8a177256d65fefbc09796943f1b

SHA256
8b66f7802ebabf72b559b2f5a42972276863c391d1e423e2412330af67798a13

SHA512
5199da4f9ea80685b749fc41ad61565469056a121abbe39c5611a0618a42b27e49a5740ccc8bf6d24088ce3b4c814a3c1825e1c3ef066ea89ea202fd4fb03327

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
064102ee2fdc310739bc0a07029f8880

SHA1
d4215e835864e13fd9c1840d2b2d0cb9008dd754

SHA256
6521add4a405179dff7f88c94f8ab2a340f638e578df00cdda2a2c39bb7860a5

SHA512
e9dd7910cc970c2f78a77788ca62996d49f34d01c6f385d664b94e3bc3fbeb36244bb9336c9f923be74d03d58cefe365f547ed15f74061ac64f38471d290a189

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
56ea3e73beeefb2a4f0480e4a8c16058

SHA1
deb5edbac0aca17c4122862ef2645f89aa234c8b

SHA256
37e03b416f9b0c40793e70130a65ca8f4e009f5b803b64f5e54126c9db3e4f48

SHA512
5ac209539600c917908061778ecc8a7b029c0779fb7ad03affca6c3b0928aba150e91ff8146e2a3cd6d447a5b9b7a083078bc2b5fdf2b5e60bde8203c9c93a6f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
c9967764fac50e9d8226b50a1d42964c

SHA1
cb542fa83c578bbd8e7e6b42adf8ef401b378b78

SHA256
37beac404c697d137a1a6f39072035c6deec33d77e00c4532bcba52c423abbe5

SHA512
2aa296eb8b2aa219cbcc21fe2124ae55951e2604ce3b211145934ca879969918f6ad3d2697d5ba9f0a8ebe582c4cf1dbdba886676e49e92b9d5512ff2e5cd03c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6d7f872c9e0a1a45db8edb8b9a3220d6

SHA1
540a7240e12a54a175942a33cbce7a7581eaa6a5

SHA256
99339f5037bd2f587c646e87dbc35bd928d84f15133c9d135404f90db9ac446e

SHA512
3495fe38e103f764372356ea878762a247ec83611637fe3f2402e3d718ada0444d282fc1d093ee7db9f1bd87b422675750fd88bb4dbe382b9e23ae32f69d4b21

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
779c0bcf46b1f1c48e7e04da8fb61cc4

SHA1
feab84d246de75eb69572e4dfe39bfc9915fbaba

SHA256
bb5b550bdb87c4b623b525d997b44d240dde5630f79d53bdce650066d8ad5227

SHA512
ed9af2b0675bf6a91975a095ecf5a356cfb8a6a7a071ed7d9bb0b714bed45cdbd6baa4e8efa0f0437a6a4ceff396d68d39de88d388a37c17ec74b44c013c0e20

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
04f170cafc59adef0e5d97065ca9ab4b

SHA1
0c5564a378a8e0f3ecf1256986276dc5e93d54fc

SHA256
9ae501806d5be8a1115e857e4b1d41f911825f60d8f70315d1cecf28fc0030bc

SHA512
fa4074f929ff2ac40113fa6375a72cf1391506cc3924a6dfdfbdbf5b375ffacd6c0d8ead4c7ea822365749aa1b3507428e50774c1b72509f25caac817e2ee01a

Download Submit
memory/184-612-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/184-381-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/452-326-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/628-499-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/628-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/628-153-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/628-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/628-7-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/628-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/924-104-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/924-77-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/924-539-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/924-95-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1408-227-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1416-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1416-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1416-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1416-605-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1648-122-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1648-107-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1648-114-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1648-113-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1648-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1648-121-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-158-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1736-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1736-156-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1736-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1736-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1940-608-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2024-129-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2024-118-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2024-123-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2024-604-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2164-229-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2164-537-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2776-228-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2968-323-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3040-330-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3040-610-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3172-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3172-331-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3828-223-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3828-160-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4052-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4052-20-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4052-19-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4052-222-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4052-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4156-224-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4304-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4500-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-325-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4760-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4964-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download