647b396fe931c059aa6c4d170e1d3aca915327662a93962e5665a5bc217fe3cf

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21d51819cefab4b4d0ff4ba18e105480N.exe
Size

1.3MB
MD5

21d51819cefab4b4d0ff4ba18e105480
SHA1

83bd019fca7972dfa4377d086d6744900bebc991
SHA256

647b396fe931c059aa6c4d170e1d3aca915327662a93962e5665a5bc217fe3cf
SHA512

0eaea8ce9790bd818f15afeb10d8c86bcaff6ed7fce4b390eb4cef65fd4b6b60bcf0db39c22a695357393b9a109e8e5df94ca1c8d66ac33b158860580929e74c
SSDEEP

24576:tvIBwtW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:tvILLNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
744	alg.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
1272	fxssvc.exe
4812	elevation_service.exe
4300	elevation_service.exe
3756	maintenanceservice.exe
3284	msdtc.exe
3388	OSE.EXE
1556	PerceptionSimulationService.exe
228	perfhost.exe
4716	locator.exe
4004	SensorDataService.exe
1216	snmptrap.exe
1404	spectrum.exe
1152	ssh-agent.exe
1204	TieringEngineService.exe
456	AgentService.exe
1596	vds.exe
4552	vssvc.exe
4436	wbengine.exe
4968	WmiApSrv.exe
4000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\locator.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ea79839ef3e7fe4.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95421\javaws.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21d51819cefab4b4d0ff4ba18e105480N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11d92bb6ee4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f41e73bb6ee4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d3548bb6ee4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe6ba0bb6ee4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002477a8ba6ee4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016e81abb6ee4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070f94cbb6ee4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e28b9ba6ee4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe
3676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeAuditPrivilege	1272	fxssvc.exe
Token: SeRestorePrivilege	1204	TieringEngineService.exe
Token: SeManageVolumePrivilege	1204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	456	AgentService.exe
Token: SeBackupPrivilege	4552	vssvc.exe
Token: SeRestorePrivilege	4552	vssvc.exe
Token: SeAuditPrivilege	4552	vssvc.exe
Token: SeBackupPrivilege	4436	wbengine.exe
Token: SeRestorePrivilege	4436	wbengine.exe
Token: SeSecurityPrivilege	4436	wbengine.exe
Token: 33	4000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeDebugPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege	1032	21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege	3676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	21d51819cefab4b4d0ff4ba18e105480N.exe
1032	21d51819cefab4b4d0ff4ba18e105480N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4816	4000	SearchIndexer.exe	112
PID 4000 wrote to memory of 4816	4000	SearchIndexer.exe	112
PID 4000 wrote to memory of 4072	4000	SearchIndexer.exe	113
PID 4000 wrote to memory of 4072	4000	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21d51819cefab4b4d0ff4ba18e105480N.exe
"C:\Users\Admin\AppData\Local\Temp\21d51819cefab4b4d0ff4ba18e105480N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:744

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3992

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3756

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8909a3559dddd1f6a1b068bf2f720185

SHA1
b3225509024cebf81bc0c30a681769babfe140f7

SHA256
a87e43405eb4335cde5256b888dc97fb24ccaf511ba5d669f4656ecd30b72710

SHA512
6a184cf0d48e1faf1759c4cb31b2c507d808c5ded87936142e41944bc78927c36cfb2cb029f6f0475d3460d2fe1f8994cc7151702481b8668c87da7e3ebd8c2a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
750d2991e51f754ffff5e4ffa0054581

SHA1
3fef80e9c5733e0f822f6f4215d6409bbfc43d92

SHA256
319afb856da399caf92aab92683bbfeccf23df6c0d6b66dcb0a04f567e96d31c

SHA512
4d10627e39439a28c29e6ea397d6fc51aeab2a3dd306a483a5df1a20ac141fa6b19de78f3d145c6fd1f216a47949b9e9ee184af471145921c59151b84be8ea1a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
0e8dcbbc9a29cf7cfe47e52b1ee66168

SHA1
f3b1f2c5c2f5cc958a940cd990a79c73150836a7

SHA256
43df31262615644ad46a06a02d1ab0e55550c538b2714140da33a0e9843228ff

SHA512
ffbdd7a253e82af29bb4ef6eca4a1e969c5a59f9778e2181436f0da51020107da0e98c41d95bf287efe16d078d330111828351c17f7c81e1ce121caa540aff70

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
83dbabab569769e67b2f76617a2b9391

SHA1
824b8bdb8d04cb4e062a5f1fa84bfc84f4cbedea

SHA256
78fd78ee9941554101e169b92711625162760ecec6811a1d64977ce1f13d706b

SHA512
29e48225aac54cfa24bbf4a559996fac04d6a7d77050699b5109182c614ebd87b0363c55859487a9fb11dcf083890efad8343bf7d8b99d22e836071a9f7dcfd5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a300ff79fc1df1df0f8b6668b95b782d

SHA1
29690e7f3338f273bf06befcf47d31606d5f29b2

SHA256
b4369476983040c134d971fede0fb504cfc862aeabf13d57e4f8c3695056ac0f

SHA512
9e73534a8948caa800da46897ef9e07bce5ae2ca002f9fc412575ec005d582a69118ebc0b71aea605de33f664124e7c2a013ded13b1b09bc119ba55531bace11

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d0ad72aa3daaf2605b461725aa029eab

SHA1
e736f6445e58ceb2506e15afa794e6ce952d0bf4

SHA256
9f3281e61aca5396e091e3c6d0a0a9f6f9c00243b3078834a51c72d298a75667

SHA512
780eb067e4e6384a0a6c98d3c584acf0a9e8529da52b82b4f13cad018414a83ae2a8bf8a04b7837b3454d7bc90bd38454785652639c23e6d67ca4c11d3493d2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
8cf6936d526eeb0b5c0172fd0f02d58b

SHA1
975e4b3fe62bd5b9f7391935c5802b9b01079679

SHA256
e86c5f6faad1f100e2595c47d88fd447cd967d30dca935035fb1c0bf0157f18b

SHA512
cef87ed4384b4850f84060ca474a6e02a152776dead5037618195a3e15554b9b826446831da2d84556268aa905ffe6de9cd6b1240425d69f809d0fd714d140f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26fa9239bf57ac15a7a1af8ca12f2368

SHA1
58425abea339f6ce997dcfd80bec8ee5ec2e757d

SHA256
0dba1b083f5f0780b6c6176b20d5d7b7e52b94cbaba53b9dbe7168f945f90e54

SHA512
4df0e4a798fd2012d6eca82d9284a7f838c5309f37a3dd708a11fad221d877a174c78d1828fbc92b03d2c25ad737d850a09ca73c98fdb917336f791893e1ba25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
5d35d6c3439a1d052fb518b9d81e4b5a

SHA1
ab5b2117f4bbb4ec3f4fc403303ba210ac56b3e6

SHA256
4ca74a7c8c2a8e35fe908ea29a892e6ac4a4012b7d56f84336d9999d34612518

SHA512
9db84087f857e7bee60db0e5b7edcecd63f2954eaa0321561170865f1e73967e6484cac4ea1b9f9bf6df5e002f6070a407518f32453a4a34da7c1fcae8338d12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a533b021c9b772fd6e175a7460b9ed26

SHA1
ab06027190c464af0ea5bfede2d40ab7e77c5ccc

SHA256
c797f146c793736e03207d158903437f5fde6900f9e7be5fd56518d6cfa4aed9

SHA512
d05e38dd9b102bf95d6bd79280bf1b7bb0ddfea5737c615d5500c3cda551b1ed7d163d35819eb4f4011e6c5c83a507bc54725b87cd9446efd7c22146b68a07cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3fdb0bbe280c431c27e5f24f27158ac9

SHA1
194093edd5becbb6600212eb4206947e26884a85

SHA256
71fb0d23b213573f8406521b01e2f8e706dd6d9b020261cc6719f138bf62b9e8

SHA512
48261d9ca17573dae119e789fff11f149fff9602a1620959583aefdba2c880af3ee0c470cc73abbe155af702004148ef0ac9bd1927de24bf12a7f3778cc23ae4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
173c907cd14c4a197b83687dc496828b

SHA1
7aaeedc19a0b9e3738faa9f2815d6a85d088eaeb

SHA256
e4dee857b6d5e4131872a84b17fbd78323b141530d7ce36a1253b2b6b4dcf87f

SHA512
939a6a920ce9b4330a2d5b82702bca62e20fadaa417f77f9b72753f1e5b8ff756d774feded37055881b0705649227d9dfa87df0e2dab99656ccdae2f9c112d29

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9bbb32f2fd2161daf7bfb92b64955772

SHA1
53d20ceaa267918ddff52472cad6b0283468e249

SHA256
d36eebdb2b845678e7880f4f8be42869077c30b5d0de8eb1260cf764d3464b80

SHA512
3c2976dc42ef21e93c43117d3aa6153d7d955c3dd7498424fac603f972d6e3b8b5850e535633d9e6c775f16e6d68a1a522d3a4ef3309257dc8686df967abc1dc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
aabe3f1cbb5f88ce1d3a11ef09f53900

SHA1
1deabf0df9af5754c17b7d76a188ec4f2f7d3972

SHA256
1b0b86ae501640ae9f05122abdf04de4eb5ad7e8e225064b3b9f7a6e684bff81

SHA512
b98daabbe6fa609ce65411edbdbe7da8b6fb1750ee3fceb5775cee69ad2ce195c1d64ee2c34165733d1ba1195df1f3b69224195d0a185c95e3e01317a2094a37

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4ee2b66b0d85c32e95cf1967a290ca7d

SHA1
3e27a5689adae48a11f2b3a4e80cd821c3ae2542

SHA256
97a64bb51a4769034a64ab0b2e0a74b2236d8daec9c144701e40a2eed8324128

SHA512
86e7ad7d9fa767ada3e4a20970d7cca8326882def0fab67b82567a9bc77ac04ce89975bc848d793aca5ec30904d5be87c4c767405b500fffe39d5538acb98b6a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
6932d7ad1cfc9119dd6371f58e7f170d

SHA1
43e5712cf10b57bbf768a0280b126d763b077ef4

SHA256
f939975bed45ba57aef600fef188d5749c1f502c4178d4531b2baad1954916f2

SHA512
d0f884f8f73dbb43f302f78cad9713d5b99058c5cd39f53d2ecee348657a1e8a59c0d1328f4bbbc996cee68e9411d04f7fb9f3c96f7e3046412c914e55acfc9e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6fd1cfdd2085daa87e71f1f8094e2d08

SHA1
b664b4694e38f25824637fe9f15dcbbe3c736f07

SHA256
03184371457924a40f413255258498f2527cd770a699d7ad3363be442d0c750b

SHA512
73fece87f1a4e893ea91e2e333111c9b9b77a513610de8432b09e2f308b914ea322ad01230af7260602943f477b7620a9c22f9e1188e80acdc6eac11bdd19c49

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
dd28f0dadd63aaaae83e3ab1fac3f868

SHA1
1cfa027619b3e70370e918bb770ccdd29ae5bab2

SHA256
a27b64de6a1d6463e437e25bb8982820fa8dc157f7729da4e9376b0940681797

SHA512
d500f5f9bb765439095781fd24c2a77366dd147abe6c51818b5506a427938f44212b8e112fc3a3bf58741f2f755ce19274bbc2da7f09669c4f6010f828f7de83

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3a3ed87151e99c7a68074eabe5ef3b4

SHA1
f5493b14b378b5e8779efedb28c6ba3dbe6f5cda

SHA256
abfc462b03d0d0de612f6ee4ebec7260a994700c8791cbbc161b287fd8b0d077

SHA512
872c7536a44ec77a1dcd1c852123afe0b3053321da19676023911963001676b78b8a7e9b5daea071a5282ff384b4b0332673ef93dbdee229f6e3558676fc79b9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ef7a88be868d5347f16ef63dc2700ab1

SHA1
63ee43eb7de85fc6590c49b3ada244307f505057

SHA256
82f85b37ace7d0a1d8d667e8fb448371f79f20b658c5adcce346382afb0df7ad

SHA512
e1a42f765c6fa5f2bc4d0418a71f5ee7e9f78c60bcd3cdf89aefa4fbb1c44640a391660328dbec4160d6dbe180030738aa93b9608afc71dea80baf474cf51397

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c6ea8393412dca0ffb1398c9fd25fdb0

SHA1
74ab47d1e36c3737fe16eaa152672f14b88e8d7a

SHA256
f3277e853f79413f74d189095a77e06ac379528738986da49508fe376ad2e50a

SHA512
a0248818c3ac7f2a0f9c88a891bc2dcdb2515cce3f0e4f28d24e2804566e5a24034b0cd4cf695e87312fd95ae14afd81b032e7c36c494989c262e7e76235cf07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
52a19b6ce6971ce6dc791203214a6f7e

SHA1
834f1f5f8ac9cae6f23f6950c754782f64712978

SHA256
52e1ceb035073fe7b9f467d07f2795b436309acf6ef30c4e8dd7d90f6348273b

SHA512
569c59775a99154c902811a325f603f223af29c078a472d6a83331bd32b80338a767c2eeba11134c1dfa17e780e8942f13cdb3371a0fecc0f1fd4e5f46e26c3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6c7ed087b07fcc0422738ff0a2e8ba1f

SHA1
712596a26f7f1e24d6f7a68ef6f100cdd168728a

SHA256
0d9c51093c7eff92581886fef17a707e685a76785bbfa1fa91cf8d7b6e1b9d9f

SHA512
2cf96cc952d23b8a537636c922832efbae36666a3823c72880d2d9779a0a7ca7f6ac99c7513cdb1e41eab9c2480b4636468e33c1c35f84cd042399994b676cc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
be550ab11cc7ce6d4b3d181819667a01

SHA1
7f04d323e164c595e233dbedd2c50c263dd02070

SHA256
dd23f4dc701c1ad47d0960be0ba39cdb371473ef13dfd225cd87346958fa4567

SHA512
cadf16624707299721e707522291327a686b54166b58b95913da9dcbf431961c6e46dff76a6fd6609d524da7ba6dec2e64afa13b9ba1bd92a7cba11dcd2b8b7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
389a627f2d4f119fda14497623a0563d

SHA1
01a1ff078a2e7b6daae225fba458bfa5c3cb52ff

SHA256
97fe264f506b326aa5682fbfea93f5d2e4716715c4b2cf4595b133b44a977d91

SHA512
799303c4026706da24fc2177a28b58e83229615eb54fcd5df7cfe4cef835ae615dc7d1221cf6d60d806546e1e264a0e0e438c0459a14a0f39eca270e43cd788d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
aadbef81ee27c9ed8abcabfdf6422513

SHA1
65f03f49ce5fb3e9c4ac7e23e53b0b0e37bf52d2

SHA256
bf9500e3e864fe308c3a8689fa547dc30b9b01ae30b6cc58c684d1bf8e7c2e02

SHA512
2310ce11de3700703d66f392ebc89d7f2a1d3108a3ee228b03a0abc3d316a53eedf9caea64f44e970a6e6595bccccf61ef34f5ee03af39454b8dc03d94685bae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
24ce3a7a47b62477cf54839e282b3c09

SHA1
ef49f7918c580897f8ab518a1787275938b1fb80

SHA256
0765f7cef888c63f90e4689e445dc2ff1fc954355eaa38abf0c75ab8a9a483b0

SHA512
cbbc6e703560ffd534f5969ecb7865cc582371b60372afa5a7d107e8dab96554c0a6403b06627a8e4a76970fcfb1b65bf1fd35e3c7fa7b3a3f933cfb5e5f453d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
6379dc0b6f11d1942808ddfb8ff04eff

SHA1
522cc5835a9cd040f84b5832e6fd3ecd91bf023b

SHA256
e2b9c8aff0c51344d30c960fac156f543774683eb964dae844616d3d18d8778a

SHA512
32ec5ebe6425819ac945ef1ab4e67e7fe42c079b3e2b47b2dab0f2aa9ee9c5144ae82aeeed07ec7bf24a6e7707009525c463993b6775fb07c726e05d56dda347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
52a0fccf344741c4d40d5be73279b966

SHA1
7f7796eb88f4a46d3c974ab59d23e6ac480f4e1d

SHA256
b59a5193da6194a342221ed8dfd4c8c6187d26108121c6900d3346d6640feb1e

SHA512
9256257c97d413c2438bc68e7baf5dc81c0f8e19f891bd5c9ffe5d93cb7cfeb87b3440b0ba2d51677b7af2142218d749e83987293ada4fc20ee09826792a30e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fb7af213cc318389fff0042b0fcd9b01

SHA1
7c4a31c990994d5a52b89047cb88cdba52c18ad8

SHA256
d073fab25f964ee1ae1211720aa8bc46f9d6712e741b0478b2b456fd32d02a73

SHA512
1fd9ad5f872f8e2ec87f6c4a087b93ea2fc4a23791d5f69ada238ada9cb3a0696fc2ca4666c1effdfe96bc3d1634f1d2d3f7bae6e8f65d7a080e0d7206a76085

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e1b0a56bc56c0148934d61ef00a76bc5

SHA1
d03c8831a25a5615cd8c76f0202e8bbec38ab942

SHA256
f738b2a55706f183d68d6621e363185eda5faf80588ddd63dd2bce27d7a258ed

SHA512
57041d86969de2c1698fec8b02a32504d2fe86870899002f927204e873ca23a9a31f53175f3e43b011ed43a3215160fae07f3e15fc505eef6d1296efcbf2291d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3047cd2920d6cc0fc66908937b831024

SHA1
b33422a8f43bcb22edf06e1ed68e73d6224d9a8e

SHA256
f8573de8e4190b244b5e7ecabaebd1c3e1adbee047c10acbf103eb8a69f820aa

SHA512
506636ba114a353e5311ba45c9e8d669210607634e731342cae31fa728c6c7c5ef55b247c7123f316ee4916c155615e76c32b86b01a062b6fe98a3f7c585c954

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
4fb5ac150ba5605c9469b11a24427d61

SHA1
33b860189bccc71523f7517e2343ec82cae9cb08

SHA256
110f29bde2c58c89892861c3a84f194ece6f73f658d7146d1e0d6252c5fdbea7

SHA512
616134fc162fc0edaa52f56cd066eebfa581a08dcb002ec46be7426d3e91fdf408985bfc69c3ec36d52e4f9935183434d42dbbb0d02f3a278a1138839ce72957

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ea3301ec83292a038ab6d08c1435ec13

SHA1
456328f4e85b09c6d2f8c516a49d0f35bec56566

SHA256
0e7f34bec2d3231ac5c53d09a0f587af7a50c6cfa8c5255cd93aa3049b412535

SHA512
7db6c0b53711dfefc7f3ee39bc71b54d22e7d5a2eb08b7b94ddac435c07134192961721d445ee6ad06a9430df392368b3a4769a00ce7c6ce4c181bf5f17a207e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6a84d06724792de5818e9b6c02ddcf38

SHA1
ad3d53658396719253ab59a4678a974ecb9c7f68

SHA256
d3d74fe5c2a7460a608b23702b8d05e69ede8aede944e13279048d20a7cbb4e5

SHA512
63d9cf7b932819fa5742d41882c90456606eb05d0a179786747bf8c1774bee55b0d574fa7ab8e45477dc768d2e402dbfd82a61905b442ee617825448d471f687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
a3dd850020fb90787b4378ee69beb570

SHA1
605bda17ef72aa0750ba4edb8165cdfc5895a7d9

SHA256
2b2ab90ebc6cb8494bbb5d04e5e05257f88f600ad99c15c6125f64e3c8a83657

SHA512
9c1e6a54901505027b53c137be906cc8fc1b46457fa4c0e25e06b839e27957a0273eae8d9b1f39316193d38250850e2064e66b2d0af528327be7da83f3e57878

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
35491d0e05fe4ef4bb5a7166fa11ae6b

SHA1
7dd58aaab7acd85e898fc1cfac69f4c588f1a84e

SHA256
fdca86c3cd8e058cd9d4889d9d8c65ba266b992352eea32c28390c694ea5ce9d

SHA512
5bc8efb352cde26d05a9e45d35e2be21811918632e45e1b86b65174d9c32f41600c685f0686777d8cc60caf647825ae6a7ffcbb8ea9a8697906e71fcc13284fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
4956411c4188a96c6e0ecf95f681a765

SHA1
dc2c3930888c985ab28d1a13d1926642f578c7b6

SHA256
809adeeb39581502ccf854fe49dd26d3fb9e559cea79d5a71cd0894b9c156f77

SHA512
0bfac74aaefe30bad5e83dbc205bdb4149fd22c99ac0967b06c6dbe044d3b100a27a676cf487d9767d3913d08c4e64c9ebb10bdb7344edd835afe1cdbdd83c9d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
83a1f40cd3e2734ba24f5f84ede0f893

SHA1
e875c6b811d44bf41b2908f1a422f13a19e1d821

SHA256
11bf96145eb44aa5be93417e977973a182b6e0e44ad678c71d2d9e3000f37961

SHA512
b9dec8f3577e1b24adaf416f5094f71f8954e9f00d87d3caa78cab02178506807a9e55eeeb9891d5eccd68560537d1678aad0947634ae39f2b641583b4bbb5e0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bba8fa243ad7703ae34a128ea4b5c5fe

SHA1
da980f38f79aee6e08fb58b08716e2e19f38fcb5

SHA256
f6fecf7759a42d64d453d22532c7046f5b5ab68e849d13bcb87abb7853bac590

SHA512
54c777d6e51e96538f6cbad12b7c323569042e0a5eaaa2d193f9bb73ee025b1691291a850a4f82c94ea24715cbb940a104d0a8ee5dd90a5810dac4766d06d856

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ea60305b4f0d3ac52a3b6b55ae5a135d

SHA1
8be2b2424bc0abd857387d829393aadb88b9cef9

SHA256
1fb8ab638d8efba3ad2bd26d6ff2e30ca600c9e9fa672fd8ae1a54d033420f9f

SHA512
743c4722aa96360c3cc29b4c955409f55906e548b2a8776df8fb107e3298cef72ee034091865d65544fb187e15c2f7314004decaa6be20144c814eb8dcb44863

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d3ce6d97487e95b8f519460919584782

SHA1
4d6898bcbd528901265a7c1dd53ab39f44654462

SHA256
a99cc2a933418ee799b24e03343960daf2087a9fccc3e383fd22b6c3cdfb5437

SHA512
4ae541b2e2295759cdd5f7e554eb4dc815b62346e5a021943e3a48648a62cadc16f95dc86183e1a6759af4512aad3f8dce9917435551cdbfac43b7b3efbbd976

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e5c6a64df8eed005437dad5ef66b0221

SHA1
8569a6a2021da4e61245d9a0aa9673f1d29826a6

SHA256
2bced9c7a37c38cc3410650aee0c5cd6f826b5edce848d782d9efab39f584746

SHA512
4156a594ba7934c8dd8267abce389bd3f2491fb0fe198d084d3ed202f33661df8f13c89a793a42714e6fb39f914042ee10b483db17c14f7ff7435f93fcb40017

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
25249b01ee9db5d97296ee44a6e2c36e

SHA1
acc08aa7e0a9b4e73c3b22b9f90a95aff885d5d8

SHA256
a816f1fe87424e4193d9abeac9d923ea15159a83ca9e96123ca2ad73094ef18d

SHA512
f62cb10cfe356842c6c4755fcf2623e76d59be1eeacf1bce3591aef2a044883415e5b2493866a40b6e83ab83b871351b84f3b579e64fc05c8c43bf5278ee129a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cf6069cae9c97cfac266578e1d7b8735

SHA1
310c04a37ac2784ef0708d82f26fada7a1278f80

SHA256
7078c8bd738cb3a9152b28183c93ab58d607b8328ff6c9b037895ffd8f39d38e

SHA512
c093310324cfd0caf43bca5862d8e50bd9ed567d92a63706c2f91d4b3d893d991812b1fe83a9b9b14b7f7cb24b9773a8962df270a06f94fc3487cef6baa3c2c4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8f150f26cfb84c4cca6b0b92c38f2f4f

SHA1
6fe9952deedfc59b3088e6fac6c1d68a85d1a062

SHA256
e5039840b19d2e3c48e0eae9774ab1a1a0b43dfee19c18fafc005afe4ccfa63c

SHA512
dc057423bf51f6b9c4dc7d0cd0d1a745a556eedcef58ce45e1286b4bad7f01e1cde2d25645ca93dafa218baf79841c2d291141bc6185e272c5c9b3040816949e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5b39937901a52e909fb38f41bd2fd00a

SHA1
f7f2b2ba13ac685dec09c8aa60092b68b67548ea

SHA256
8c29a76b45f898079ab174aab07a13cbb7cf03265c89b6009b0b21fe51a677ea

SHA512
3cdb5d420d249231f793a61f1272dffe5f7101a36b659a19f98e3ed1ca887222ea588d5c4d9cd5b59855efe5038e8d0398cb9b7a0d6a77dd952b8860a0c57221

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
32985d90a6ed27beaea8ab4519d40e0d

SHA1
80d62083a5d59126a0e48c8b7b4e981181ef8b87

SHA256
87cf01b57c3d27dbf39d22a8aef193c25987708c18514c12562df2fb9fdf07bd

SHA512
771826591c4db635aa5bc0c6a70afad1fdd9a5d0a9ecfb07c647de8ad0a857000d874357ff6a5049359a601caf1eb02eaf84b6c97091a685ecb86af734a99b67

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e97f6ee2f4a47ab8e274aa27d3740a51

SHA1
9a17dfe44ccc5dee770e3f43784eae8cd867ef4d

SHA256
9a483dec61dc66336ae54ea280708efc6dfe1ae831ae9b50da6594de65dbafd6

SHA512
058b9f8dbf06be4fe9e6168daa4feaa59a523b173c46262e317f94f9d4868a936a9dad1922eb52e413850c4652db1b620e2bebd70374c5b40683cae6ea964463

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ee771de42fbfe3a8bf0061f504c96ba3

SHA1
c64f73c0b507ba8f201e4a2542ae188f374d81e5

SHA256
5dd6c995e45e8b27088699707c7c5f10f032a237b0f9a37d50bfc52cddcc43e4

SHA512
c9b4117c67c7f1ad5409405d961a9f2c1de3f730a51252e8a142f5fabac32f40a5bae428490de40309701afa1b3f31c5b8f4e62df8c99d3036ec011f5b6d1bd5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1d0103476e8bc66e38df8a4b6dc19ba8

SHA1
83dd184bc6493999fab3684769cef1c8676bc700

SHA256
26c567b3cbf008707911b2d49a20bad601713fe6c4ed424d1f41e49f801954e6

SHA512
3e79a212dd2ec39e337e455d9b506d1e01fa4eea13b82ab4669eb92999291a40cfac15998b96d80bb1f0a254c80981c5cffef1fa3dff561fd199304501755586

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
766cd30a460f9b10be66cc874d11b39e

SHA1
17e7ad9acecd37663c99f3f2640ad6d1523409d8

SHA256
2eb0de04d631d2cf7dbcbd730f6c07e31acea0a568dda66baff0391d8bea28c6

SHA512
264fa913e17b45e32357e58723f8cf9a332a2449f64ab2337dbe44f444d2790d21f809beccbd6afe3192dff76ccb34880659f7d59483fa4b9d555d282b0baf1b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
039fc663b39836ee6ff68f69da8f06c9

SHA1
fd45e7e36cfd98f521bcbd5f2748ee883c0c2530

SHA256
8eb4cbff1daaf95a49fddc97bb5f8c5210d15db22e05add627334e6aef7fc743

SHA512
4aee4d1b2f40b823ef87416729f6dcfb9a5d567a3595b5170b632a584a33893dbf879d186faec1353f94ab48a6c5643fa513ff52e08f226c737f1450f4ab3dc8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
83f8515d748a3c3b50216f915fc038c8

SHA1
e5163c9d5b19cab377f1d821e4bd5dfe7d521a8e

SHA256
b840da2df1e77bd15ee945b6cf872f525cd26e3d427884ac264507df2f5069c7

SHA512
cc5aa861fa6bce9beefadbfb22b42d2735622e12f4deca055ebb74a5298fe58c7546f23ba8f570269c3c5bf58ab3e8ff2057adccd1624697cbd9483293d7a919

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3dcf7dd71f02884c56641f48abea3541

SHA1
88d58e3b0dac152e6fe4d26e8e2cfa3e059c9c77

SHA256
e982d0de02ce5d3522253d7475dc1e145cf86f9fc34e5b9a8c033ba873141130

SHA512
80a5edf920bc9b912a461c727bdea5edb9f02daffde7b921c3c142a409a529fc0d18d38c56ac936d8e95ed16fbcf43022162b103fdd59b79283458c6c4e54840

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
954f1de184de688d940124c67ef06f54

SHA1
615b85b8d897a2ee3f377b94537bac4903b7e43d

SHA256
367cbf4582708d7fd171220d782c6516bca895abbf6f4d3420f89c5df675df86

SHA512
732bce3f8f569b0e3be790d2663b9aa3f4be92f41560adbee6b18d7fce3597bb4a83016d5cda08c38202927c4a284c86bbca2de77498d161e6d87df9dffffd43

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
622919185c3edde5bebc1ca7e191f977

SHA1
c961f284a93b054be5fd715bb81d9db43b0e4c8a

SHA256
6816ec95eec74aea88cd4b171ff75dc173eeabbaf5f06c610eec8befc0ae6faa

SHA512
8c9c53eb08fe3976618042037566a41a9cbf6b441b4f2b63a1c765ee3f2782ec670450d024f8b07b712ec97364efec17f89b7cf6dcad5da2a2962e90702865dd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
57f5214e91dc9fca62b5ccb2ea5a9775

SHA1
14e1eba652508e002da573f2a28b98ad504c306a

SHA256
82251c16dcd5b66c7dd23fe625a2398779845ef2f0f057cca95796741fd210da

SHA512
1a4d4f9498c230a77f5f2b01ae074ab46dc01851b499895f523effa615ba169f9f36f7493b761073bce25faa013b019a5674b79a46ac7fef0efe83d00bb29f6c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
1ea68ea9e094e7ddcbf5fd21074160c1

SHA1
1c489dab23aea2e2659756388365d6eed65f263a

SHA256
19f5624db537be274f2597f4ca8fc6e745cf6cfe76ea26b49364b767d839be6d

SHA512
7e232bdff9056072df48305494408b643e129c0ec274b90f7bf176321153b8ac627ad117e5d716048b4ae4f92ff247f99460ce4b3bb6f29e95dd3b1c0326ff3b

Download Submit
memory/228-408-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/228-101-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/228-100-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/228-106-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/456-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/744-98-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/744-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1032-83-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1032-2-0x00000000024D0000-0x0000000002536000-memory.dmp

Filesize
408KB

Download
memory/1032-0-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1032-7-0x00000000024D0000-0x0000000002536000-memory.dmp

Filesize
408KB

Download
memory/1152-142-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1204-445-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1204-146-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1216-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1272-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1272-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1404-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-444-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1556-406-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1556-94-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1556-88-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1556-87-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1596-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-68-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3284-319-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3388-81-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3388-402-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3388-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3388-75-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3676-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3676-99-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3676-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3676-21-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3756-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3756-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3756-65-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3756-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3756-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4000-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4004-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-407-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4300-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4436-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4552-446-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-409-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4716-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4812-30-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4812-38-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4812-36-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4812-140-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4968-447-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4968-166-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download