f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
Size

1.8MB
MD5

1afe0ebf057aa6b2be63557fc08055ba
SHA1

f0316ed23bc3994ba27569fd115da236009220ec
SHA256

f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f
SHA512

953a0cf7d88213552e57f0f695d1b39c98e0a617fc174027f97458c5186e3408795145012ba3ea3e95d38a3a22cb99908b09724d4e70dccbff9abb9f18c4c234
SSDEEP

49152:QM9QPdxwfE7WlFwKAfzuTiDFUFkyaB0zj0yjoB2:Q1PdVQFwKZCFgcB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2068	alg.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
2128	fxssvc.exe
3252	elevation_service.exe
2376	elevation_service.exe
2180	maintenanceservice.exe
1716	msdtc.exe
4828	OSE.EXE
1940	PerceptionSimulationService.exe
4748	perfhost.exe
808	locator.exe
1372	SensorDataService.exe
1016	snmptrap.exe
3616	spectrum.exe
3196	ssh-agent.exe
2604	TieringEngineService.exe
2244	AgentService.exe
1572	vds.exe
1948	vssvc.exe
4736	wbengine.exe
4408	WmiApSrv.exe
2708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df9234dc979ad35.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\locator.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\System32\vds.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_en.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_zh-TW.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\GoogleUpdateSetup.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_pt-PT.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_te.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\GoogleCrashHandler64.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_ko.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_pt-BR.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\GoogleUpdateSetup.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_ja.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_ar.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{04733A16-1E1C-4429-8CB3-9E461F0CABA4}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\GoogleCrashHandler.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\GoogleUpdateBroker.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM956A.tmp\goopdateres_fil.dll	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a36d644784dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000994db64984dcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f978b84984dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c6c834784dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037edec4984dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1d9524884dcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3738e4884dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4948	f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
Token: SeAuditPrivilege	2128	fxssvc.exe
Token: SeRestorePrivilege	2604	TieringEngineService.exe
Token: SeManageVolumePrivilege	2604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2244	AgentService.exe
Token: SeBackupPrivilege	1948	vssvc.exe
Token: SeRestorePrivilege	1948	vssvc.exe
Token: SeAuditPrivilege	1948	vssvc.exe
Token: SeBackupPrivilege	4736	wbengine.exe
Token: SeRestorePrivilege	4736	wbengine.exe
Token: SeSecurityPrivilege	4736	wbengine.exe
Token: 33	2708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	5112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3716	2708	SearchIndexer.exe	113
PID 2708 wrote to memory of 3716	2708	SearchIndexer.exe	113
PID 2708 wrote to memory of 512	2708	SearchIndexer.exe	114
PID 2708 wrote to memory of 512	2708	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe
"C:\Users\Admin\AppData\Local\Temp\f2c7671a4c3bb12cc1ae4a0da1b8b9888779fe5a6d990104921a1368ba62b28f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4932

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3616

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
768110ffe49d6b983486e81fdb85f393

SHA1
58407759a4b0e6c7a025992169cc946ee602f69b

SHA256
785f8adc8fc4545e7b48be4f9e7a4a52a8e217fe8630c9f75743a8e7e0f99f6f

SHA512
5f65c0c512034228ecf4f64a898897bbf273e509127a08d7ad4eeb02c0fc5fc928df62954f353f22d63b691577ee810f8a7a2ae1892755ec8b3961185b5b805a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
eb6895f695fdc4a81d0c17386d85bf1c

SHA1
fb20348c12ae537b3589cb8846c4fa8d828aeb63

SHA256
cee845894fd357d9fe5cd6614461b252046139c38a69a43d7e74c8493bfad7a4

SHA512
e83881ebf47418e7c47e63fad4c8f6123e253485b720a58d864f440ceeac81f4a12eb8544e7b5a41624a49bbf848b349bd6308b1372303527a5e2ad69efb3625

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
73307932cc4640dea71f7a59c0cc8567

SHA1
be41569f4f136a463baaab96541967829f9cd9b7

SHA256
ddc01ffb2b54a958b54796983794666c6d638aa299fcc980c0aab2f9e6b82226

SHA512
c243f3dd40d8cd77b01b8ca5cdbb695a59e73094efbac7f7ddb5824f6659dfb603f07377500b37ba03625a7a503a3308af3fd83a0b94a64b696cca00fc7265c7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
28ead9ab8efecf5a0d56a5d87e226a42

SHA1
66c07d5db868cce2a602ff8f3a40c371337b5717

SHA256
066d1ffc2898be5595916cb0d5b85379281cc5e62ecf5ca7ad3975160dbf8944

SHA512
1e08135a0fb1faa3936e0f9f7b7461159788197175fd749d91bbd82e14e6b73f8bb025491b133d1e8b762c8f938c62578ecc382f47976e924237cb6b1d232fdd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1edf3601f7d1350ba205c91f4796d1f1

SHA1
ea92ab6a2460ad8c6560513bf2ce90f4f8f420dc

SHA256
bae4f59c2ddcfec80e6f5fea64dd31a6bc1048d21cfd93ab579c119b26014105

SHA512
73f1002e8179001f84671c1c436cf47072327d556160e03a56e8c3a809fc900538f94e39406bd656770bcb2b8b7324a5663f6240cb9a4ba4eb7d61fc17c56d75

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b89fbeb6aba559749acad50febe633ad

SHA1
15fa8020db7f1e3f81378dfbf5edd85901bb410c

SHA256
57950aa66d61147cf897daecb9af0251455ee81300c7a75dda935c650878f3bb

SHA512
a72b31a83c8a166fe1ed8b9498e2dd2c2a33f905ac6e57979e171bffe510759404c7d3ae674452d4d4d2b13c6b298479942a9227ef10f67823144e369045c4a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
ae2a41b5f8990da18ca1a5fc1e57fed1

SHA1
9f52cc35accc210d3c2cabc8bb7ec23f8f90dfcd

SHA256
b89be54c094aeffff93918884db8c503d02d5416f93c91c71b0910f0a9a1dde9

SHA512
4354b9bd0ae9a63850a61fa294bc1f07c9bc22f088d08f67f668dfd5da1b53dcd85a4dc577b870f6037232dbda6e312d6823c5f2cd88338db87afa43d3154d60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c314d56f06f19321458d84611bbf6fed

SHA1
0f8f7047637daffbbb27002fa851adcb736f5a01

SHA256
291bde2663432f847db9dbca183e1f5391132af3845c2b3cddce05a6fb8257f1

SHA512
9906a32874c7aadba8616a022bcc51d52a7ba713cefe160d374fa5f1e25134b4bf8e42d7b5e7918e465d8c9b901f161987f8ff4e06fa537bf915347a74da907c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7b8f1a785fe60c4d5391e703afb09182

SHA1
b5c15b975fb99eedac530240786253b01e6bd88f

SHA256
8408c38336f5550d93f40dfb7e0bc126f655a9eff3ce9da9cec6d4601bc3f59c

SHA512
d8233470d452d6e6a5db16345b6f0c5fc87d5f2777c528dec62ec6dfa48ab915117beb994be1fd2000f7853fbb12dc6e7a6a48fda13102507a95aaad1f344887

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
27ce3eace7ced91fb26c8170de981151

SHA1
4ab20d2b507f3a5da7bf838316c17aa00e9cc9fd

SHA256
d3b0abcefe949e1d7fbf637621c42110ca40c4f7e64b7dd67d594c0031ce3907

SHA512
c06838f3c641ce5cb11dbbaa082f1809801e822b0bfbac66736b356a263aa43459b1f74f942b82f3dbc4eb91c289545d26a608dfe80d1ac6ea073b2d892f33ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7a4ba25aa8318cfb4f3aae1858d1f1b3

SHA1
246807a520a7bd689b325846da26141b9eb95512

SHA256
5735378c98a2532fda5d539b2a72b033267f252582d9b3cc83f083a840a9133a

SHA512
d684a48c8f8279e55d46b722e4df9abb3c10bb52ffe31b266e90a9663abc9279ecea74be1b822877829077eaf5d0cabfc6c106942b6aca9621063af775bd99d8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
90a9b3d55a64aae3b4b940667ca7596f

SHA1
065348350e5e285a7c91537918bb9352d028a696

SHA256
e0fa9bf21c27555465c53fc50da8b03f24bd21cd741b10eebdb30e4522e4adfb

SHA512
90fe86ad3902686a16ab3d5912375e2a450a4913189d1e0c862ccabf93b4859d4e2a6563cd5ed19e38389090b8b7ae9bc1c13b9022e90d87de4d117f28d633e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8960c2f4880cfd65d7c323dfde75808a

SHA1
a914ddaad65bbd8949dea133e16db4663d2ae74a

SHA256
272493df3570e0eaaf0557dfebd2001212e6073eac2255a585ccfafa87b175bf

SHA512
e7e4695091107bb72cfb6247ac2e458d438296a2b9fcdc27b9c39fa7c54d3c17b03ef15f57d56793d9ff4babe6ff5e0f4867d047cef2b5c15fffa26f0bf1eb39

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a1a229854bdf9f484b468a86e7c97958

SHA1
0974ca215e8df61c21e277733ff66191fa6ddc3c

SHA256
dadf5e9dd3999d5f390cba9f5b680ffd0d3c73167682869c5801003a74e5e6b6

SHA512
d1aed2e182dc032532b88efa1cb429bf774474744239565b24aa7f0ac3bb7f614a2f665a6d09441709f9c79ff19edaf6efd1fba366c9147b26efe106aefa1944

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ff6fb096b8f66adfd6e536d6a2371726

SHA1
cab69318f58c23cad0de46b13f0c5d623ebf1042

SHA256
244769e1e1d969a217cd49c9390900d01999b0a199f2d512bda6c53d81ffd0ee

SHA512
c6293c856de00c1039ce3453b8758c29a2a4f5cc2d453a337c7270a7cfe15f70150aac82e700e0fc8efb8914f807dc51f4b33494976cb3ace1898ff5607a7721

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
1a1cb53dd0e043ab6e8a4df03d1d4ef6

SHA1
0eacdb060086df0b697f306d2f9f48c993a773d2

SHA256
f00b14d120062ec6aa54704c6635cf5efaa15acf154090434e2ed0251f90c231

SHA512
843482438c9ebf4a15d0b6001aba13c89381e0d14cd9afdc9b06c47f0f43e61803024739738f1d7f3c9e999706412a471953a9a2ec7725a005de9907141d5fbc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3b3e80d0aff7719577e77e09a196464f

SHA1
f1df9913a820d7614ec5b62aa85e370c55c8016b

SHA256
9fa86f9157cef9c6e15a61663cc138345f9e6f4a674210236206d5de047e6a7e

SHA512
398960c7dc3519daef819bde2e1372a3007db83174e1a653fe7c45de3bacc01ab37f9193e92f93993ee5fa212031ae65f1b5d62ad97e0fe1da5c40e710a0a348

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
cd6226d2e84e8837f1ed82e124bf80eb

SHA1
8b97b6e3f535b1306dd800fb5d42ccc1b1a8d631

SHA256
2d601f3de1b646d14f615e5e01f3e2142e29a39849c98444acee3a2d0b8a06a8

SHA512
97ac44f3ce515ee5ae469cc9b2497e4ccf07a4bfcb54e238260d62dde9a2b5f0053e09e4b2fb4fe08404e52e355a0148a5862645c98e34753a28be8f2147a135

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
44d72f76c718879694319aae01ae64ce

SHA1
2d2fe757762815432c9887c29908f84f7ac236df

SHA256
f768a8713106f1ba0cb4640994d38f9df564fa9abece35f1c19230e03f0ceb65

SHA512
9e0b5767f5fd0545ceb7c11ec1ab68514849b258b4a2ff0058f80de9150778990d90e0db1149d1f60dd9dce68c5e25e6ce1a27f31bfd1b9e63d37c98e92ee19c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d83e9e418c86f01caec52dc46d972e2a

SHA1
f61a7d339ea13127c9a2d91a669709606889bc7b

SHA256
b9317b5a78b58fc0182dc25f3c43f436df381ccc6ac8f390f79df7381a97e91b

SHA512
7454501107a7f2fd8e5e46b7e4882c39860da054ab62ed0c58c23ef9a7cd9ea55e51ccc2f4710f3cb93731c1b6179fe0a9fab61e0ab545af0efac9836ead270b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4905c0c22337895c09504e105289ccd2

SHA1
3d51a511e3929fafd4d672459997bef4bf88495a

SHA256
10ce8bebf8761772851d46c380dc699270d6f9c68bb84e1299e99b5fdf3edb5c

SHA512
84e0255477a288d6c4737b4d782809c1e6fead895b55d104cc337a84fc3617f97abb3e8f35b8e34088d51cbe37e23d787ac7e3343009095bdfc5d03d4073acb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d2b833f0fcd684bcbc318797fa016a81

SHA1
71ef567edd4d8bbc6480380f829de75378484034

SHA256
e8e7082f9d91179d42969466c1e9e96fd56fc3dae8545d3226547d07ea5862e5

SHA512
12919fcf3a0f59b3a7fff17c2a312fd717a4269c86e839d6b1861b260db2b88de372c2207e4a459495cae88c04a6ff83a3cf453bfca70e106fa94374bba6214d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0814332751efc6a055072e66de1bdb54

SHA1
71315a19dfe2da0a0724174a8293eab943a41eec

SHA256
1947fd557664f129990ec6d74f790bf82c5e5b17654a18d631345adfe6ecea60

SHA512
5b949d40077fce8918eb730b65279b24cebad585ff0a8abbb218b93db5d5170fcb0f9ce9432c7db8a24a3e2ef9445d74c951077acfae5f03b3db11072d4dd199

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
079ce4f422a64159d7698534724e0379

SHA1
6cfba5cb97f8cf6c3fde40a69ed532355b5bdcfc

SHA256
1714aa9f1e4c56312691bfc0bb704c4959af46b01b7d75d85156009e608a686f

SHA512
376352d586cbc231f056e9f980aaa7a678529a6a07e5a770865421303ceac5442e70bc870da9ef57a9be0cff1a723e670c9d7c5f422a93c8b811f467f2ee5840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
cadefe0e41e5274d6468c7cdf2cdcb88

SHA1
7206a319b4a9cf846666155537ce23e7a2103559

SHA256
d5077965fab5e794c538cdc71b4ecc967c8c76c632d48eb35aae2631be387aa6

SHA512
bae48df311897cfa5ca5b7a9cc115b13a9b6e70b27fc28c9bc242fb76b5b93e21d5730f8e6ba9ae34fcaa4b88cc50a7deb99aa8c6edb4d74f8909b9ca5585eb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ecd6ca862228b6592a213063a61c9b39

SHA1
bd0fecb8fa83965b8654ed59ba0e7ac4d7436cf2

SHA256
8112228ed1ed5332c0d65e4becc4781f9f3d1731a8f61d06d9b8bf73f044cab4

SHA512
72ea9cc0b95198716a6d82de15f43d4853448b8be8a07d65f1b65803f25dfd53e714333f17cd16a6931e0fbba061ba44071ba43c045a308f810fd28635f0cb9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b8b027371a02d04a8a424f7b4bf04a8e

SHA1
d93cab4c126d885f289d767e9c5d7c1b0a9b5148

SHA256
bbd6f288f325b75ec85b211e3d28f0c2327e81e5061f86a0e07e7c5372503e8e

SHA512
e2b9f78e92cc4bf404f0e47ef1b05eaf98e6a31c7d1a3327291d84b99501b55d07db8f5ff22b8b5bace762873fb2e48e74478cc3fd69df072588c5ed35422286

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b87e2ab330ef079c3a2fffd2a29befbc

SHA1
799fa4a127dfcbf42e912d864e9f37148665f532

SHA256
901677cad3d3b5c35b173b3e479cf4d2d4e47aa77c7a69fab935fcb89492015f

SHA512
d8d5b56fe380d6861da339bf040d380f72104f1d58cb2ef64b2af7240f3a93a3ceb7d61d0c1b77bb80a201c6276fc8e6926a3882f635a779feea449173f9b5be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
2d2e2cdea56af7079dbe91cb3c2c33ea

SHA1
aae3b4da86a8809bd1adcbf774b1b865c5b8d700

SHA256
d26f857e9cb09372f87c63602daad134f18b045adb22ca8050dcf4de75428f7b

SHA512
27b8d5ba2a1556ec93fd79c17ff4bdae00ea168fac1906ac3b0ebb951b411252f02c2901156bbcb2c70f2c9b8fb174655dfd41eaac12b2ac92ed9ba139f1d831

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
690c5a45ebf2ab15b6df7a5353ad5e0e

SHA1
617370010f741fa31580c07946d0fe817327605d

SHA256
cbf0489001031ddaeda098d2c7f90f78ba563d9c92c39cd735533cfb19ed6b9c

SHA512
7e6e3b8bfa2a5569eef641a04519500bc854e083f5ff014bc7e7f3d54cda42b15a15fe2769ead9563163e077463e089443753b95e662e472027d8296c3614a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
64facfc71f1efbfc7864c21d9dba878e

SHA1
bd3e5b479fcfcedb0b61c4242c83df56e307dfe2

SHA256
53488cc8c6c10f69c9ed4776a0998ab0c0a49b0507effa644a328ba85f57774c

SHA512
9cb990cf51d2b78ae7162b8a949d6fb538ff07dff34a395231a4e2f03602ed76ab17cab5fd0dfeedf379f9fc7375ac6f95b4f74dbd8ef03eb997adbddb461c2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fc65b122b7f38e933017e238c6567f66

SHA1
aa12235d2fb4cb8e436f9af3e8fb735848807c55

SHA256
fd828a52b4d5ef20972beb66b2a9654509ad80a1455d1b96ef6397913a1a20f6

SHA512
70539e3b9a57db5e3f87dbcf00b442f51a8dddb1cc3f5963c678dbfdb628ec465e63689d848cb49df1e4e8c4df9b3c8f1d8c89cefb1114c0fb5e6af84917e744

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
91adafb638bf0753f902efc2539fc40b

SHA1
b6ecd02107c56682a05f3ab9a7c6cfb3038110e4

SHA256
6a254e593533448993775b4255a1cdcf04828d75aa35832da75070f04bf047f7

SHA512
b496295a031c21748a6bd55eca2e12a38700b5f756031b314d71c206738c90a2b3d80b4aa9ca8d0ff697941fdabfb845b11680a06791f786ae5175a7493b82ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d812a8d2872ac98a8f3b129594ab426b

SHA1
8c1923537191a4ef52e4129806f40afd9dbae0ed

SHA256
8624e480df91bc1faa90a08b65771daf390c98a3b9218a51b7379e14f4ac9fb4

SHA512
c67117fe1995411c69d1c1013604008888421db800261a93a804f3ef07f669957b56f60ac192ecd6b852e64ed28b60d496d0f310ee25c9e68b9689e35df681f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
5f4091a5e72937c936481f804d28d472

SHA1
8dda536f43dc95499125dda5d37637aabc80ad7e

SHA256
c0f05b47262eb6591ee44070be33b96b23815531764b80da352e157a7dc32d55

SHA512
cb8f865305a1b26774e4ce15ea1f1ae61686273fbda160be95692e775b5f2f82af72e5c7fc3060e7224f60b731a5fd0b26d6e87fd820c8bdd2e906db76f88b0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
298adf9457785592f61c4a13993f6187

SHA1
4d3862ea4e6ceed2d2c705e7fe2c0a880d80c1c6

SHA256
5b76fed9a227e81e38298380a1de30fa511b53a8a9405bb8fb10510a234e4bef

SHA512
f10b6ba0838d6a85b86d4d7a19a9accaa9ac0ba28d8e7b4bcec1c9adf7acf80f6b0f96bd16996e133334beb8c90bb780516c992f91dc25abec9d065ab2cde662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
14b9170508b22cdea7ef494de3855176

SHA1
75ee150f8176f1add01effa4de9c5ebd647c5971

SHA256
5f3d07ac7fe45dc1b3bdb08cd8e59083723409aa155546d59c5afa104b3bbd78

SHA512
cee3da7bc715a0e6609ebb49482aa6080c44f7c072d7c09d461e4f4954da8153a3ff741e76ce63aae2e9145e04a6a8100ec9d92260ecddcf4e1e9b934a781453

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
afb544e366cd2d0c9ead6d696942d316

SHA1
3e05c3790e72f5a4d5f9440f73384e6885ee232a

SHA256
80b985d177a00b774fbb116408d0299305859cb7c5173937f78c223b54588746

SHA512
8d265e9cc10e245075b66cb1b4fb1b25dd09c5041dc2c247934774c37a21b3eda80d0a7e0b6827b24769872e2ae4d841d7fd401eb67453878c47aff3d2b7a423

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1e5831c7820bc744f88373bd372539d4

SHA1
7a1b0560918684b17bb241004a722984efb2ec2e

SHA256
6f502ac0904bebb191b9ec6246f92d1807d375ebdb7536883c37eaeb7b4036ac

SHA512
cee059c366869f5460823724b5708f9925412aaa554c07437299303569888ab12a2451a16c43c92f73f60dfef7335c027187e671ee257bdcd5edcab48ee2fdd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ae8f0c709730c198ea9c5c332b811868

SHA1
87de7a659b0680503eab31bc723b65273346e10a

SHA256
6e2a27dba1949461cdea6397ad00bc0b89e50ac562ff55ecd3e6491c458389a2

SHA512
dd6cddaa48b74eb77d5ba600b04c8a97c69dc0e32213e60d472b8c08139760891831e936e49344fd76cbb7d4990196a97124f271d1ea422e2b19cc5bbde86cfb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
30b8ed17f8c1b1c84d6a8f3840565c49

SHA1
d3e3ef4c0e8b23c45e48dac3ccf2062f020890b2

SHA256
8ab759b844321af27669976ddd03463460a505633841c37698c6e7a217586881

SHA512
8113dd231917f1eceaea0090aba1df68295b4ee52a0b869532251aa66d46bbcca0ce7dab8cb8780af3be1c1f968876b53aedc8282d8b128388138c71b696af17

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
254093c1285ce959142a80dd0862fa80

SHA1
687bd6f94ab3cf65dbdc5a77d404d31527874542

SHA256
c3e14c59c781b3e87ce8393ee74e747e84af8007a14aa183dbfd7f59584b84ea

SHA512
e0e68774448540ed510291c81e1cf3152d3739199ab0ff113d6f62db0ed105f81fff1413551e8a6ddfd55938e975c820ea26044204c652385fe700761eb743f8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e3302e258a4d9f71598b7bfe0fddc0b7

SHA1
15f39939907923e7fecefdad2cc4f60417c492d4

SHA256
82dbf981ed37704f55fe825800e44c1aac3e9ffec2583dc19a00a2dc7900bcd7

SHA512
514ffa2a3478badb2f7a030467b09d5a5778becc73d8c88030715bf2d9fe79c34894cfe7eb1b6732f3ed5ea19a1257fcd243a0070fdefecbdb69a26449a4c4e3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
417e19b892c9ffbc0b52c4f0fa30fcaf

SHA1
712112ff90bd69fcda7fed270ccee3037b95f427

SHA256
491100dceb76d25e5e7f856a32e91122c373495db198279009560b5c729d67a9

SHA512
dd45dba2401890013984578451943e686d36ee72de925f80ae8dda100ffe6faf234b449386a69b222cd4de5584f204a68c3555d87aaaf5a91a2da1c797478a7f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
1825a735e023a50056580b24f1c1ec8c

SHA1
88a99d84d36db80fe5fc157c59e82b1c28d0322f

SHA256
b40a63576ee5a8a20be476f5c97a8b85ebdbcaa4ac2770d3e0b05c69fa080cf3

SHA512
e0a2fb808fa640cd13155cd7c89447af66f5f39dcf33e8bf946d3b2ed97cf1b33642f714f07c20cf69d2e17f7c3f33ba1a6f6fa2e9aedeeae1f57ebfc2f53ac5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
eaef4d61e5587a5787d5aab35ca6ee25

SHA1
305c9b0445a8fc54eb39ca9c2e05e3fcc2c18d1d

SHA256
040a3339949b1eed01771ab3085974a9f3c96b948a86ff6b83507752ab53b466

SHA512
8c6c0b2cf7d1829cf6a856ff955eea93c34642009a220b87d347322f0f32c1685814e17b45736dc7d2f354df56bac16a896aa798ee9348110d2219e8c4a607f7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
607b10fbcab4e01ad9acc06ade596775

SHA1
4c41d5317ced64dbd84665474804073f67fe8ea5

SHA256
1dfcc9801e0a614f7a47c20dc4c1d33a685f8e06af3e3820af517fa071843bd9

SHA512
6b81e4207f0895c37a8fe3e664349ee58570d270c736c5ded935dc7ccc70f5c8eded5b36496fb5fd36594258be24977501b568c56baf57828d789d43467aa225

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9b2b5ebbf7f5a0336664517e7b1e71da

SHA1
68be25a6df0d354379fd950cfe016ab094922d6b

SHA256
92b9a1988a83fbc2eeab8fd8e840bea06288dd3cef548857d4d89228dcb3675c

SHA512
d97673164d3cc47dbbbc528e2d60642a9bb69255f3309cb6bb4d91a18dc5816ecee060ad882c19489263c46b7c42b03f125871f8ccc4a9efb1696b95c0c82448

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8878e5003bef497bd7aa3e22db06d678

SHA1
399b1f26c059beb1e7da0d0944f1a1e9c9382e06

SHA256
d496d5a10511e91f561518b016995a697b9419b73fe00d7846aa04d677cc926a

SHA512
7c7544bfe96198d9fba6a2be36326bf464502b9c6eddb65fb0e980dd5412e2181f98f36b46b2228675d0a183a9e7f6e41b9018cb3775519a150fce54fb08bc0f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
865d8e002e89615c963eaed58f006490

SHA1
e24cdf8e8de0faefb5de92fbb46833ec3b1d3be1

SHA256
42094bcf16c92d812692588102e86c2e3a413437d68d6fabb7d03c8a8a607917

SHA512
baaf11410a26d47d3e7125d41421263c9592bf32e554cb89fce6ea8e227cfc1ffab54ab4cbccb6ff8c3bbc44c0aa66c137ccf4ffa5099e9b5d4616973c6bab71

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a6f6c68171aa6c071f20872f21c6887b

SHA1
6e01bef12e8afb054d3a56e95f0487a6330af06d

SHA256
2f4667913e3b56b973ed053d1b822b998f867837ddc8f4cfdd97efacf9b8fee8

SHA512
ca86e901838c70748031de4f27baf7a6d82f9c5574b3e36a979c73ad2c5ab7303dede382226b87fe387ba50d215debc18f44540349d06676cd1343fec4f53bbc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c89bce8b8e9220dc7f9894073d347dfa

SHA1
4479ae0ef244bf999ac4b3270d98039517d6d66a

SHA256
58c0b4a14242c46b14233e9e27713bcabb85829e98099c48cc39f9c04958da6f

SHA512
7218f6335efc0d5be0ebfcbd9ae6c48186d78ddf85f5abd91c088e3d72fb6dd7d8c3e22dafae412ea81d8f5c66b09ab38f7d359aeb45db476564bfc4f59fd2da

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6ab0088d730ca78436ae1975604540ce

SHA1
9e485f3ee37f2eff5465433ca4d0c338db7ac522

SHA256
3b69e67d300f4e237c0eba702d97a3f8e1e2c94a062509bc6da723962aba2444

SHA512
867a38baa5bf6b1635a375a4bc9114aaffccf0fcff858372b6c7d9837265ac80cbb5ef37de5c34d930ee81d81812ff6c18b2f6707231885048d7627bdbf42206

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
611ba55ac66e746fd1725f680f16ed2f

SHA1
e147df5a620979e8fee4296d9fb88e4267dafa9d

SHA256
2ea250af3a555c0b43c90b6827df0b95c1944a0699e09a9b5a5fa781619d310a

SHA512
943a07ba17c554d2ee725ed07b6f7557823f647de3f72b9081c7c18fa13063f695dc120c1edc574feeb930a8c1d176f93261f327d5c1af12f01b48f0df7f014d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f4d1ec12d90ea96839c3018fb152552

SHA1
5e20b483d21d82f5b1d2d0e6e44cd088843104a2

SHA256
51cbeef2a5889ff9b3862cf8a355b48ac57d071d054c689edaf1cccdb8443a18

SHA512
3c92e2592aa048863c81b20a94bba303ccb37ae2a0b032c2d728ef96f3c966a4c824614ea99e559e0f310e17017e4d2aa37c584b9dcb4f632b6f30009c7216cc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
06dcca43cba304503a748a087e3c19c0

SHA1
5c933537543ed3baa3c44ab84ea36035a3be5f4b

SHA256
060d70ae2c3ec070863265c356af80b3c090cb6f1646181ac2c0589cfaab2ded

SHA512
f9418f23bf94d4095c9b0f8048a72fe2dd2a575c547f8c80fda8cca6db8c5eec856a2d7e394ee58c749fd7e69eb891ac1ea2565816d294d67b6f7855df792d1d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f46069769454009150e2291af23fd52c

SHA1
a974b3e8b8a8a3f2b77dc6b3adddd5baa54913b8

SHA256
bebf1f8ba4b4edae1401b53115592aa07fc6df70b292d63ab8657e1ee0d9550a

SHA512
113a52219497a06b06bc68ed9f2e8be00e020210e35a141b51d016926bb8839c54083290784e837289595f6e920dae32bb7f0bb16ab31ebcac8c0679ca4b2c33

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a08662a996629388cf9ea5507dde34fe

SHA1
cd3f491be62a5813598d819ab3b86ba11534119f

SHA256
4e0764438794843948cee70265749a33920a2ca12b7846d601c910aaefc76721

SHA512
2ea690051911c7cdb3b990398168296977d02754ea1031d5172dd5bdd95ef21cdf00861ad865d62f6084b3e3549005091c3b2c2fbad3222c6d5f4c44fe534a64

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
84e43cd5c4f84990060c68834c2e8ca1

SHA1
b5b51fdc9f11fc1c69570580ee67984a5eefa42c

SHA256
962083efd115813586d8ae04955277def3d7878c5e5dbaef15b5ef1bad192e63

SHA512
aa3fcd717cb613e70c6fdb68d25913b08e4986334946ef143c1c47a91f36c046b2c12ca321bfb0a727ce316a1d30f6f886afdff92b6d29a622eee05284d36b29

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
111a3b92ab3e19835702568cc6df26e0

SHA1
33c77dc2257a22cf94df93e1f5c038fa52fee1e1

SHA256
cad7693ac1d419b439f6d2b1261d3f515a7a7597092a187f237dbc3de07b405a

SHA512
4cd1fbc447886d602ef0c6415f0219fbb0410673292e7b45ca1953236d46cd58d0c852181cb4d075dc2c38e61bcdb4410302339b21a551a97f9c660bc86ce2fb

Download Submit
memory/808-208-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1016-679-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1016-231-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1372-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1372-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1372-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1572-766-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1716-166-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1940-193-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1940-306-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1948-767-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1948-295-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2068-20-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2068-196-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2068-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2068-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2128-107-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2128-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2128-113-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2128-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2128-118-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2180-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2180-164-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2180-142-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2180-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2180-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2244-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2376-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2376-266-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2376-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2376-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2604-765-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2604-267-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2708-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2708-772-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3196-722-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3196-255-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3252-253-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3252-117-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3252-121-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3252-127-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3616-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3616-721-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4408-771-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4408-327-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4736-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4736-770-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4748-197-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4748-319-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4828-181-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4828-294-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4948-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4948-1-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/4948-8-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/4948-525-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4948-180-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4948-6-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/5112-103-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/5112-104-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5112-94-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download