ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
Size

1.8MB
MD5

eb2de324b8fd0370bc05f2ca48e542d5
SHA1

05465fefd29fc47a7483815acb74b76e045382a3
SHA256

ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace
SHA512

90a711784b74dfcbed614cc9cf85c25c737ff5ae0cc7f8ea9245db7fe073cf9c9ff5159f52bed727f832572cf9d8cbd10571c4029c6464f46c928d44ae228c9c
SSDEEP

49152:Wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+/snji6attJM:WvbjVkjjCAzJXEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
968	alg.exe
616	DiagnosticsHub.StandardCollector.Service.exe
4964	fxssvc.exe
3812	elevation_service.exe
808	elevation_service.exe
2548	maintenanceservice.exe
432	msdtc.exe
4512	OSE.EXE
3036	PerceptionSimulationService.exe
3136	perfhost.exe
2992	locator.exe
2816	SensorDataService.exe
5072	snmptrap.exe
4696	spectrum.exe
3512	ssh-agent.exe
2024	TieringEngineService.exe
3252	AgentService.exe
2548	vds.exe
2012	vssvc.exe
1468	wbengine.exe
3076	WmiApSrv.exe
1048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\locator.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\System32\vds.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4c301c1c979ad35.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_ca.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_no.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_hi.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\psuser_64.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_sv.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_ja.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_pl.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_sr.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_ar.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E2B.tmp\goopdateres_pt-BR.dll	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbc4df82f2dbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3223f83f2dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a7f5280f2dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c852283f2dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e617cc80f2dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eefe380f2dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe
616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2904	ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
Token: SeAuditPrivilege	4964	fxssvc.exe
Token: SeRestorePrivilege	2024	TieringEngineService.exe
Token: SeManageVolumePrivilege	2024	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3252	AgentService.exe
Token: SeBackupPrivilege	2012	vssvc.exe
Token: SeRestorePrivilege	2012	vssvc.exe
Token: SeAuditPrivilege	2012	vssvc.exe
Token: SeBackupPrivilege	1468	wbengine.exe
Token: SeRestorePrivilege	1468	wbengine.exe
Token: SeSecurityPrivilege	1468	wbengine.exe
Token: 33	1048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeDebugPrivilege	968	alg.exe
Token: SeDebugPrivilege	968	alg.exe
Token: SeDebugPrivilege	968	alg.exe
Token: SeDebugPrivilege	616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2264	1048	SearchIndexer.exe	113
PID 1048 wrote to memory of 2264	1048	SearchIndexer.exe	113
PID 1048 wrote to memory of 1216	1048	SearchIndexer.exe	115
PID 1048 wrote to memory of 1216	1048	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe
"C:\Users\Admin\AppData\Local\Temp\ebeb45563360ab2fbb8ff0f340b44fd69a767b058afaf2a0ebb27d8e816c6ace.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2816

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b36f02a8462074944a539859cf245670

SHA1
e1f8940ab47f87837120940cf48fadc5d89bc03c

SHA256
8f01ea19fc59c9370f7bdf489872a2ea1dd29e7642cf0ae70dfeaca2747de113

SHA512
808100f8cfa98e33ad9373087d32dfe46f712333dd14b170ddef9cfad3f089e8cbfe733b0ebc403afa5f667c7513e1b0ce19202ab36da701502938125e97ba29

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d4ce5e09a58fcfb64b92530c17283f4d

SHA1
0f69495f4024ee8d83a350a5bc43e08f9a29799f

SHA256
491f96e50d96f136b9d7ab16f1a85fce84729df9b08a76b41b08a8f75396e087

SHA512
7c6c3cd3f97fbc0e51a6d134f043c43954e258f4cf4afc7ede548637a0bb13b66da760163224599b56535de65c4ae855a47f6a3a2591363fb1bd274862d61fab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ae925038b509e538e7f97bdc668980c9

SHA1
0eb83fc5b6f8ca7332beece3e81f204fa8195102

SHA256
c2204075fa6763d9aaf95ab551674ee166d0065e2e97dc62e4950d3685537736

SHA512
8138569d85d40b17e15325eb158343cc4a14c2dd93fedf0aa7096bb0602082df45389c4295a1d8f53a0f14e73f22af4c1cc24bd822571fd53654a0738802c40d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ca35cbc3ae1aaebd5b9752afc59c56a4

SHA1
12b106e47ae33c4ce3d249f93dfb7107352a1f2a

SHA256
4915649f68c338ed27338bbffdcf445b63dee227a8e114419bed999eb7a76ed5

SHA512
57de5c4ade3d09489f1da934d24f099d949bc2d1ecd91c8e2dba3f975e0f1becc9b995780788ff7fbc32cfcbd7335f6a2b6ce7b2eeefa9a5be6bc5632ff61964

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
26aa2258d2f17a52d06a56d7aba149da

SHA1
e400dcc13ddba6021c3339fea710ac7f0e71486a

SHA256
b76411ef4026bfa3dd800be56778d7c7d02fe043e3897dc5cdc0771a0817a546

SHA512
d5112fe77d6fb891c0413325e23813b01df1c66090189cc232662ecfda16c2d0ecd517fe1f8b9cecd588a16d3f545f0f50fb78546f9e26d029c3f085d1afd02c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3653f20db51fcf6da45ba641c98d6cfc

SHA1
6740aae8411cabe3f06d9a4fae369358c9436d34

SHA256
a9f8202d40c32804c799322a4c0fd64e38d8c1492affd6c3dde08e1238804390

SHA512
54460b8c65adc9dfc1867d4962b3651a3a307aeda11bbbae4618db506b7cb3e38be8f09f048b6273876ff582f938da9c5c2c7b66dc41141931807a09e84c6d80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
19db9c85d89557492e23213567b17334

SHA1
ca95afdab5d96413d3d0b1ab18d39de0d06eb060

SHA256
b6385c490c99be71d119ca85ea6b55b06242eee2ba9d843020edad91676f7b14

SHA512
09e08b17953390ad755520373a8f5c4e2c36340c15d6efe7691776fae552b09c0bad1c243b28ca73ff3ee33d4457165734b1fe7cfb5784ef4a46365957421c5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
84f7ddbfa58ac7919de6517909dea364

SHA1
b2b27bd3deebc3c0d01ad906ff7f3d48b6d0590b

SHA256
5102693941fd8dd28a631ae46abeb80214a82fa0d5c7ec64030d0b535be2d681

SHA512
c11d53a30cc36a26e4fe642e235369fe95563c6c039777cabc9bea59f0cd95c5939ed7b5946f23c7f155e0dc8ef015a5a7e85ddcf658e154d5aee74183df68f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
abd2532b494efcfd5b751bda0e24f28e

SHA1
1d8db9fbf455369067bfeb5f851fd1ee9f12de56

SHA256
82a5c0436e3c614e372fb179f9fbfe396f837c763057f2018b64529c1794281d

SHA512
40cd88da83478fb3906b8418986ce2f66933c922fd6dfa0f38731044dc7929ef4256989da7bce11f5bd5ae1ab1a251bafa641d1208504ae66969eb1144dd6f0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f3a392755bd553df6710ff7fb91695ca

SHA1
ffc098e15a815763814dfbed6885e2cfe6576781

SHA256
ba273cb2db40343c7557500824af358f2b0d2dff2c31e3a5ec2f5fecf441773a

SHA512
78c97aba79a00e467754f34c41d170e41ae29f50cedc32a57427e0a37ff50bd77ca13c65691b36a950072eefec400cb5ca51a9c841091121e949e73428bdcf75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
326d58ed31f93342e18ae19881514df3

SHA1
db200042145a0edc9af7b0c0a7913b8f007ecacf

SHA256
6ac25c6fd4dd63dba3ffee730bf50171182acda6dfc3f44cd3fe43785fcfdab3

SHA512
050e8053582891390f09a0449c8c76e4884d033c18dda049b11354b356f82418a7101652f08dcfea7d560e243bb12b9e70fab18a7202a0d435c1723bd734e1b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
696ecf187368de74ca21ff90c6d65fa1

SHA1
8d84ba68490ca0d136c83c445ed62fba76b15aa7

SHA256
6ad9d615173254cbd64f5facc552936816e870f81a855e9f1889d8ea08213975

SHA512
0ed5f552e52d4e31085ef3d7fa6d91b92cf27b8f701cd3dcf73dfc760eebf5afc93ce1d2e71bed122c79fd8a0473a9a11fce4b056b0791918dbaed108a7fdc48

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d98940b2667cc58adb50a52335dd3198

SHA1
eee930ca3c1349b688db44d59f13afe0f7ce8085

SHA256
d4c786052786ee04859e204bea752657c2753f2b881c8cf1a33c30847d3be299

SHA512
d75a47b512da13695bf2e457407e78bbfc83b251a77cedf58dc708ef3b51a703c4b9d4669ba886825bb48839db5c30b8ba0d890d0d5d58b712ca018484fae121

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3974120b85b14ceccbc8580402d32380

SHA1
3890de5803076da69c52f6aeec1daa910e1bc2d1

SHA256
f95f04d036374bcacb0f50a1f83548806112f04cb4c18dc7b9710dde31d9f14d

SHA512
abca60380472c9c1638c011c2e8850b87e6ac05d85b9646fdd211cc6f4f407d1e91b4123ef37515dd6fab09c91743520162ad5d6898ab92fb3a599fa0d504e74

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4e0c6b16ee55d6c063f65aa486d7d875

SHA1
a5219b246de9943326857e37e91874e44f6c6b91

SHA256
0183a0830face8280b71c6ef769d20411f937f568ac12b1f66a5806fa2d90a72

SHA512
b70dedf02a214e0255f2b8acc12012fb54fe27d44c8195e27e073699c78e6a40b5436f415e7b0c3777b4a44e28df94c7187a29aa5be3599a36a17b206ae35860

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
cf5d77430b508128ee1aa3a760f106ea

SHA1
91d99f5103b0af48ec0593ba92ca3710970ea01c

SHA256
fc51fd970232ebd60a1d170ff4b3ccd0366c47508a3a355cb025977989ae1dc5

SHA512
f6623b6320fe104045fc4edfb361e07c4c67a9915e54535b54489ed508a258b4f6bcb13256b8ff6af452ec450bcd4f837b343748ec1628b419a1f0014ff54f45

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4f696f9052c21a2acb8de4cc8313c290

SHA1
1dbdd74b7b8cf8d002d579d04acb028394f13df4

SHA256
635fea597f89675a67d00b9c563157985140a4ffc768e1c8429487a7844ddf41

SHA512
6d95b803a0f0a3df8430eefa6ebfe6ff7c553d93a7790adcc8d0f01928e579d5ea8a7807630f6b4826fc754c9651c12cd3d1ba2c79139d42f2ba7bc422844bbf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ca88a466bf5d5dca251d00baad351834

SHA1
5a68943b93a0ba95d4808522a60b1d39da636642

SHA256
fa3936b9245ef800a61a88d4ca5c592067d459e1c29411fb357133e73553c5c8

SHA512
ed10cff7756e8c1eda7b3732e86eff18bf203517b094c7a6cf72d6a666a6efe04c724224b8707076a9025fa3aff9dea7e1c13f07f28078f2db72d8b107a576cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
fb26d282740619afa218ce8f8b2b415f

SHA1
1dbf929cf481cd28850ffd215c8c842024536297

SHA256
62e540a792fd00a82a2fa7484dfd2db962f991bcc4ee6b14cbde163c69ee41e2

SHA512
eb32fd3ecb1a678bff1ce78dc8fb6af25c4914c41c09181fed2d9ff4157f3ea9a9d4eea390f55b83da654adeaa5fa44b50e4c01121a1b080c7ffc87ab085a409

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f6bc46336132047cf5355738a2cb7995

SHA1
5ad34c3a78be03609a7d8ffb69f6295a392ec6e6

SHA256
cd772a64955584f65f570200b3ff3428758ce528fc4e7ebe351d70b9ed077764

SHA512
e8b93673e9606c0b1ed10ad88ca36e1f79775dd1d0e8cf117d5794a2b4c21be96dc587c129f61c51015ff814881dd6194143992993dd045fb5218fa8f583e7a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
c291f17da7ad5469b0ec286ca16c808a

SHA1
2ed4fb34717ed2598f8b9e84f88a7e2fd4e9c34c

SHA256
ded75b622a46307e323fbe6ff8110769f0ea4a4549eb10bb52d338e20f03ace3

SHA512
1be904f1e2ff3c5531adb124a6fbbd5bf1e50a58cebf1aa4467e67511a80a021f66b3223ab797436fcef524eb397cb63b13891195dd8cd6c904cd3219a490871

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
3550e26c5f262b95e9fa2b1c5c6fadb5

SHA1
da22440e5ef33f90144d7eca165fbea20007390f

SHA256
f56877fa959fda6e21833483d168535ee9f551c642ef9a747b25b4924a8cff91

SHA512
abe8bf38d01d667e6b9585652f794d487a4af3011b69d8e2929ca91034d5085ce1ad7044dce4db110ee16c4d0e42af8adcff5aaa47c92fcd5f4ddcda9c6284e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
50403cc338d290f6b13440940145dc87

SHA1
a8220f56ccd6edbed8533eece2d943e96a1386a4

SHA256
d30c57a4dbbb1312f98334bf80fc46f5f44aa2804b84e1e2c84b395159b3289c

SHA512
bd0d2b3eaf8a2116839906da253b68902142c4a5be8fb4fe9d25dc24eea2104fc792f04fd0b6f5129d76559ec2734f3c69571b40751b0de9107325d9f0154cee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
e8bd30d796230c3dd8477ba13b31eed0

SHA1
964a4c592337dfd3dc8facf6e40e67a27e6d4db2

SHA256
d23bd4d763f31aeacac34ae28ffbf1f309d984700f22cdc210e73fa142bcbf93

SHA512
cc7a8654065eea7617b4603038d2cdd9db205caa3d61ce02298571e2da240cb95259d880ac0e88856b60780f46afcec1905fbd9c0c0d6131fcaf4be732bb2df2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
9378008bb23d08e93519d27fb491afc8

SHA1
2bebace2405bba0ab6a9e033d4ac44f7d80adb42

SHA256
0cefb6ca76cd93ef66da0f759079d5a30e320588cad63eff8013a78bd0a74243

SHA512
d0b70f13481cc3ea6e8700b33aeccbfa03c540c7bba0e325f70dc4c7229124a6f770b09896e5e00ec4557b21b94e6d4dda2db5888f39f1f057724ef8ac00d00b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1760aacc1b50099b8af6e2a65cd67e0d

SHA1
fa4f286bda5d71d36ff78457f6f5357b08d8ef9c

SHA256
7efe1acde220eac366a81839dbba8badf49f1d624937c1f996dd6c3cfa6a85a3

SHA512
0114f4fd61a85134f8015b5dfefe35ea1efde6b7c122302f1760612bd7133ff9afee89521a35602e7dcdb28015c6891971ec915d21694589c8413aac33c09793

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
839cb10cf8e30045f792199875b0554e

SHA1
152e46059b515165c5f622d00100e2fa405c29c4

SHA256
81f2c1193e358246f9bb96d33f47562dcd0b492701d314bcaae96108f81eb16c

SHA512
2258a725ece4b5fe980f9840a202411e3fc767a0b41102e36ce7f1e42c0ccb2f30f4744e7f7afc7225ae249cdb36d06a43d560c3c5b300ab951238926549cc46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
b7d8ba042ca1242b94dcb5759726f0a9

SHA1
365cf3c451b697a6f92950952767afffc998d89d

SHA256
7ac5591c0e047ec27fb8718ed45e814110f796a6f9fcd10f6ca881bbe7164ea4

SHA512
cdcbf9326312e890d4a08746c0d05f9607ad940953d8705d7dd3081da4722aa7dd7308ca45690ec8c977354778d6dfbeef111695f91748f7e6717801ebe78680

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
3c16cc8ee4f5c3e0a046aaff69fbefa9

SHA1
5485e7c93c43148245a17cb08d9d300b31dd9656

SHA256
e4d6300a88a1ff72bc17b7442cce68da710a6e99458f74c131f3983806401a3f

SHA512
b2546955618bb012ab3cb8e994b295e7e385c3cee5427ea47cdb4d39f01c09ecc30a32e2505d7ba3a9dafb21037899e0ff3470f23e164dbb506ce924284924dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a69f74e72d56d927a6b6e66a92bc3052

SHA1
588d23adcbc4c9e5134e6f39fdaa2380cdb05db9

SHA256
7b2bd0fe87715c9b4b0f369c10d66b38c06fbb7db03322cb6f3bcb1173b5cce1

SHA512
126502efd837adcfa7c93f26253da96152e737e3b4ea8f3a0c1e9fafc58b447e9419ed872c760b3e74181ba65fb99b203a9c631144458aaa5d8e7b87ae1a83d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
ae9c11101754b419f5912a9256cf0275

SHA1
c35b5fdcbdc017c40b95709005dfef99da632dc6

SHA256
8c3be5e811f32ceef3c5e57721180be9d997670f1b478aa7c260c9e1c99e9b6a

SHA512
83962787206093cf6d0240176d8105aaf7d970d96a4182d28c20b2bc0f66a317061d1ca00b2aadae353fc12975ddcc928faef8f2ab804eaed475bdaa1b110197

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
0e159d4df50c990c34c8b02b135b7a5b

SHA1
0708e029e2e18fea002a18d17d4d24392ea3da68

SHA256
7c9081a7aa5973a1ca6cab070666b5b92a9c7d91a66b6e883011cc86f77599ef

SHA512
4c7146326c658c8e2a89086d41b00dd8f3b34d6c3467b208187734c0df9493bfed59730dae39d0f1c399807dafc7dd5236b266969d6effdabf4f93f12c6f6f75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
eee7953118266078b9519ff7e52d8e96

SHA1
3547c6b9561f0f80174ee1f655b6d94bb187aca1

SHA256
7286f18174ae15db50cadf22ea8aab1e60f598330913d3e2d7d466832b7c4335

SHA512
2f39a05911e914c051dec3a2a59408c6e020706db8157bf4a26a9419bb640a69f943ae66ece61c79cb2da2f45140c5b3c5d14972aa31f60b7f16df00af9872b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
7babd48f2ac04415eacf9ee970a078c9

SHA1
2dbe1e838bec5a5459436f0995cb926a6998e891

SHA256
f3eadcdd8cbb4548d1c49f4f28b9de1a29a0420b70518601f737f5aef5aff6ed

SHA512
1b3ea844a7e74ee9f55b324fbd8d9f301e9efff04388495e824f0c957ec73797bc265ece7457d8b0f8c3fb7971533f3a9c71a206fe4728fc57fa02f4d6cbffd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
48ae69dd823788788162ef0961f9b262

SHA1
ec6be7a056777d2479aa28c890936bab9231259b

SHA256
39aaa51ed685fd852dca66cee93f114848edb42019c46e8d02b1c96458b76035

SHA512
ed540e9a94c484f7c240ff2073865367729e99fe77c76a76cf7af8492a8add995a72715ad80ea0af23cd84b56ad1fe1943c2380e7ea024e1e870389ee8b96b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
f713a631652efd08b27ea816f71c5d1d

SHA1
9e2dad3afd825af915c55580815731047c4e1bc2

SHA256
61b93a07d9c751582d5cdc383b188f3a178f01b0498077712f193151e5e380ca

SHA512
ce0e19f280eb5f958c359a81843b8c5e71bce5b50a2c223491deb60fc424b0b2f85cd1e95b6c34643e0108bb58360cb028ffca5949fa41a58d45a4519b99cb28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
841f3e5f19b9ccb1280d9bb5b17c505f

SHA1
1d522c4a60450cbbb68f0919a391b0920e20bbb9

SHA256
c59549e77b3a511a582417d9f24579c4102c2e9b6fdf750c1bb7bba36db86145

SHA512
eb6126e2afdf1ab51e5d3f576bf493e1ad60bccb2a65effdac521fd32a28dc62423b03287b85b911442cde5b8463b8047291587db2d6411ed4dbe7eda9774d50

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d4e614d642d460bc92d9cbe4cbb5b92c

SHA1
6d4bdcdd85e08f5e58a8dd8d004c63b47fe5cf4d

SHA256
3fc17ca312584c11e290abefec9af39cec0e54f0e3b0c685798ab598dfd7e6b2

SHA512
9246e3ad814c36a3a40834e09cdcea320f3937e4eaf1f6ffdbac2a945f0ed0d725648a3e8510f7e70475fa8889abe2d28819319333116a8923522f0a61e27a99

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6d079fece337376142774e7693f44cd4

SHA1
6c194c756b55bbab9e87ac606dae50e136f6f81a

SHA256
8cc9d3401888b0d2f6f973283f4f5693b831055b1f6a3896a74fe51542541b2d

SHA512
faaf6213321ecda811f8478589839d60b77df56bffb39ea4026dd7d409028ad19e64cdd9f9701d3a9aca6b082bd4593272bfbff253467cb555090a8f5d70ec2c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
6a6cd6fe4c8b9ab9b0944564ec8552f0

SHA1
dd16429855f712e6997536b9d3a8812db9491848

SHA256
3ba5c547e9fa79bdf1b0137df4eb035c87463a3a7dc119fe75fa908e76a95526

SHA512
a56f5ce07008885d1ce99426de69bc743bd21b0f299f71455e4ba4987b69fb4b6750ffa81713d35742fd2c6adde137cb91911db27ff4be8d5b8d648c4d6a4df4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c87909a61123714dfa51a9dd883ace62

SHA1
96553f6422e17850b514140af7f38849b16f2aa0

SHA256
68915b465cf988007d203d287fcf93c9d240e8ca876f6bfd0b24921c169a5d8a

SHA512
74538c65038c263148c615fc9ee327395f97d997c59d0f4c52f6549660597463cdccaad50495b71de9b1c3630696b687d28f11e1a26356ff48292506d07a3a6d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3beb90de022112d76e7a2d98ef5e0d93

SHA1
3d939c17d17770505c1b019d4d55fafb729fea24

SHA256
09367e65e6c347d73a91dc3516062b51b2524a68961ed458f620f096ee63852d

SHA512
b7ba7b5f837c898c2307479c5b43d7a8a57bebe470915bd2e830b0f8581afda3ac10054a98e86b6d04b926881f552d0c7b8fc26c7426cb6069da6af15e02ed63

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0f068d324afb6e192d7ca8ac5df7c978

SHA1
ea13fb15f69564433706acbc53e2813c0fa2f889

SHA256
80e4c2672a03590df095b14330c49df2a7b89f484ff624343c5b1606e88a3f3d

SHA512
549aafbfde0ce38f580bab51d7998fed01d71eeddc7fb2e16afdc04a440f71e9cffe3fcd3c3fb747c32c77143a20b1651d5cc4c54c8ac42e6ff6349882f14f88

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
966a20e59e1862a315ef433549fa0ad6

SHA1
c6d47ddf1b500965745469379a9d246d78552520

SHA256
ae4113676eb3a4bc68632cf3a50a934ba1b30d27660daa7f4e3e3b81efba944c

SHA512
acc3ecf703f7ae0bc35253cf2d6c3ded8ea62c90749b71cd7417e22bf778f69c82a21550be0a5bc8544c186c47ab2ac1711e287d1cf3ebce234bb427dda081f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
eb75f2497eaad22a450afc5e58b1b413

SHA1
8774a09a3f1de225d3ecf8b393e14ed9a7e30290

SHA256
1ed66480cd109a1b240f1f7e44ee7f32d5e9f02b43905785833d0f9d044ef31a

SHA512
45fce66fde9ec7b4d7d9eb8766e31ed9463fc1cc320df7c0450dae9c3e78f37589491848e97bcf6a0b7ea356ea5bae7516054a1ecde568f7fa94ed8a89d58c5b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
622520b17ca002833512b25693ed4955

SHA1
4e8903199c1f153b7603de8495407bdec954374b

SHA256
d5ebce05e81c0a181a2513ee26dfcdaabc2b608b5e6fbe7455a9b5d8a20d6de7

SHA512
a120cc3ca6de439511634b351679b82192d8f38ae4fe8231825340835dcbda4f3b27389268a6ac6810124c989920334a8d7670f79e000df4117bbf851a50c0d7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
df52c84c3ac8d067ed49651fc0126025

SHA1
992ecd89f2ebae27ed1af771b3fddc7eee004f4b

SHA256
bbea8104867679d5bbeecf79ddb91693efdb42d83d6814443a4b79e5b2a33de5

SHA512
4d8283d5c8328479c0e3fe8279127eef9f74fd4fb23de9b42555c4b25f47cc8be9208090c6ea1d7707d3732b30852a37f303c0d22026dbfd06864fc0efa6b2b2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1fb1db1df973ca536435e3202cfd2a3f

SHA1
adf133b85f9df705c3c7985d0632fc6d69bf12c5

SHA256
cbddc74907ae4f371f450545bb0b5f0441b75f90dad6d098e0fe40caf5843b90

SHA512
d3e1d48fc75d934744fea04bfb9544fe8eb4a431417de6ed0cc78274fc221e498a0a7102029cbee5686a1ea6c562e62718c0bc2ac3a157cc4bc23fd9dd44debe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b498831460996256fe9c9c1598752c42

SHA1
cbebbc28886306f761fcb58d799dc10dcaa07c8b

SHA256
0eda5c94a8b65db732075ee0d562c98275926dc2b0f194f962c7122c025ecc74

SHA512
cb4e8a1f24c2c6ea23201482915845d380afbdeb34385d6480d77cf83f5e5591ddf62f2ea4075f73d8dbab76a0e7b287fee6f249b536e16615bb3c1c8ae34d63

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
204a20dd7b26508b906c1cd54ae5ffaf

SHA1
7550f26a9b056fd6e13b5e73f8e825d83f1cf7ae

SHA256
24bbf7348203e70b806e124e9a86e17c61b0d87bb5218711679f5d35889df5a9

SHA512
c07052483e345d4426dcf01206cb7f93086a34783a393ecab472547ee8c36bb91bfe0d1eb7a39d1fe1b239ea1063f0d55c71ee83fb3ae777faecee91c5dcf4b5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b9bf2a9a80889b2224c5989d4e9c9262

SHA1
31fe4e643bdf69a28e29e5a8e6108eddfa539b01

SHA256
96d55e036ac32196d00dd5bf6972338b20278adebc3ab1cc8065301609cd3372

SHA512
312ce316e8952c673c4221e8a33b1710b46309705f9aaf02153f766eb6ae332f1289caa5080931848258cde7c446e0400574b2f6a317700dd21a695b924225c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9182173e9707f6d334a7e65a634001b8

SHA1
bf0f4b7e2ebc3c02fb4c6045bb626d37f837fd89

SHA256
ef6c3631d2dce37c6a06bfb5e381ef0c2325e6fb1b8d571a6704a6347527a944

SHA512
5397521de19b696aa11631907d280fddf63b756c1f9e22978b20e378125373c1cd6ce6da46384671bb7cc10eb525d149fcf570bf6d4c339a6ec7e686cb19a16c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9703d7100383a57747bd03a1d46158ab

SHA1
11329d6e374744468260992353d6b403d8d73af1

SHA256
e602e4eb8cc6e42ca7f1de5c64fa03c910143cd2ea3f77955ff2636676abaeda

SHA512
1a3b551ce811d14e38d7ed323fda5e8ad43292799872ff29687f4ff7bd81360d40791b2b557a0107cf8df3807a92215a81af8a1b0600cf3aa2f7c50c746cec94

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
844f4c81731e1be4782b756b960ef457

SHA1
fb6dc15121d1cb7288362195209df9ba96d50787

SHA256
b03e122e686e970df04bdcc0efe83a08e4c7544476bd86bcce331c912a7621d7

SHA512
d55addaa7b1040fb552767b8723d6e8cd79ed9833d637b72df61febbc075e6d5cc0341525f0d920fc0ce28b7ddc86a4ce51b72f0dad82877e40350471b8503c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a8f418f5412fa57e816cfaa40676686

SHA1
60346cc8625fc233e6c279e33bc984cef478d376

SHA256
9721e1123f3553e463984e43e58feb89d2cc107ee65d4eacd4214b6db3fb0d66

SHA512
edc87b3cccb9001b0a12367f9909bad4d923c3d9aa76176a4daf1029ea0f3de7e934115df83f3b7bdbf088a79618c1af7c1b112c7f74617e22cfed93cec5fb1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fabf081e421dccac3cff3f098a8874a8

SHA1
7131a3d52e6bc47f4f466820c0ef46318a22fad0

SHA256
365744f0b569a48e6d54f3b8ee38ad8a0f89cb9d748ebfd2df7952bd645c2f79

SHA512
70e9a8e2c7d3d229417d70a4c9669e4a15cc730b58603e72e0da744aa7f33f0b9bb962c132d2a9d9cd71f260d3b1fd042edd727d54f3d78007a4faf0670b4175

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bf438ebbfbb8434318751c8d23fde72e

SHA1
214fbdcfcb0f00f231a3291d69ba190f3f8f7ced

SHA256
5c9c4a149f1a788da76cf3cc46ff726537f1d6e1f1edb8297358b131fa0a4b2f

SHA512
db6cffe3b4be0a40d2c2ced2abe616dbf014f54c286e1fa27ba00e820ba4be9f95d5cbcf6115a38bd896e724ec0d83ca5ac3d08169bd5447f91e21db4ad38f88

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3c431e6ba039c80e49771eb60e58a14f

SHA1
a4ba42b907a9ec7f760001cb956fc739d390021d

SHA256
0d85c8eddfedbe5faa9fdc757e241e8663da5ff567fd37a8a31b23952f75901d

SHA512
bb38246ea1fe49404ed1b84be446388b9ab02635975ee541129d87d7e428bfc50436a80f7c601dfed956757bb5be7d7028b4b728ab5bd73e42ae97fe4bb220f3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ffe39029e2ff5ac9fb566518784a9013

SHA1
bc5744fa548a330f1cdd95c472645dbac2f3622b

SHA256
3a4eb4aeeba0217612960954f03566cf8bedc21ba543f2d453e6c2439a92b1c6

SHA512
8c70948c2b40e504325a0e8f8761646fb97971646f481fd3cc55c17f4975672e9b5feef135c12c500f82b8680bcf8fed75bfe042d6a7aca0ed0639e2443f480a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
64da69701f55efa6e7c2bf1b6d2def9a

SHA1
27ff04318e1c247186946390b2539f7d9b0b7d52

SHA256
2501c7fe0ad6fd72b2bc9e16e1971fc29dee1492c3ebb2a04c9762beffe0d5d4

SHA512
9a7457c1ddbf4fc410e70ea1b5e01869f9d3f01e3207d888821820e4f9058c07adcc4d3d477bde7839d85c59950a66748cd21dc350212b5018bdca355ad94f0a

Download Submit
memory/432-167-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/432-157-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/616-101-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/616-84-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/616-99-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/808-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/808-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/808-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/808-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/968-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/968-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/968-20-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/968-184-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1048-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1048-780-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1468-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1468-778-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2012-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2012-775-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2024-773-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/2024-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/2548-151-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-154-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2548-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2548-142-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2548-774-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2548-165-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-148-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2816-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2816-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2816-771-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-150-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2904-1-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/2904-6-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/2904-632-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2904-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2992-214-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2992-326-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3036-302-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3036-185-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3076-335-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3076-779-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3136-322-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3136-201-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3252-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3512-262-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3512-772-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3812-240-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3812-119-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3812-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3812-127-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4512-290-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4512-178-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4696-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4696-765-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4964-113-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4964-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-104-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4964-125-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-118-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5072-478-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/5072-237-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download