19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
Size

1.8MB
MD5

0839164afa937d3dc0a23991e114c0b1
SHA1

c6cea1cca0108a879fa803f480418c4b3b3440e3
SHA256

19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d
SHA512

652831232a807b2d1325aabfe879af6d97737dd8b1fce84ef8070fb74d827161d3508107221053371573bfbe4a8c204337c795a607b32852f1f9ca13d94ba587
SSDEEP

49152:Cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAX/snji6attJM:CvbjVkjjCAzJOEnW6at

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3576	alg.exe
812	DiagnosticsHub.StandardCollector.Service.exe
1464	fxssvc.exe
4552	elevation_service.exe
4008	elevation_service.exe
4892	maintenanceservice.exe
3700	msdtc.exe
1128	OSE.EXE
2300	PerceptionSimulationService.exe
680	perfhost.exe
2408	locator.exe
4320	SensorDataService.exe
3556	snmptrap.exe
4344	spectrum.exe
1452	ssh-agent.exe
4580	TieringEngineService.exe
3136	AgentService.exe
2992	vds.exe
3692	vssvc.exe
1476	wbengine.exe
3188	WmiApSrv.exe
3388	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e8efe29696f5a03.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\System32\vds.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_de.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_en.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_no.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_sv.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_bn.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_zh-TW.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_ja.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_hr.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\GoogleUpdateBroker.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\psmachine.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA6A0.tmp\goopdateres_th.dll	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4e40fc50e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000956234fc50e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000199c4efc50e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037d749fc50e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000784f21fc50e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000353a4cfc50e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000572f25fd50e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301426fc50e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac0f83fc50e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a02558fc50e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000213b2dfc50e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025d668fc50e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe
812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4340	19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
Token: SeAuditPrivilege	1464	fxssvc.exe
Token: SeRestorePrivilege	4580	TieringEngineService.exe
Token: SeManageVolumePrivilege	4580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3136	AgentService.exe
Token: SeBackupPrivilege	3692	vssvc.exe
Token: SeRestorePrivilege	3692	vssvc.exe
Token: SeAuditPrivilege	3692	vssvc.exe
Token: SeBackupPrivilege	1476	wbengine.exe
Token: SeRestorePrivilege	1476	wbengine.exe
Token: SeSecurityPrivilege	1476	wbengine.exe
Token: 33	3388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeDebugPrivilege	3576	alg.exe
Token: SeDebugPrivilege	3576	alg.exe
Token: SeDebugPrivilege	3576	alg.exe
Token: SeDebugPrivilege	812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4816	3388	SearchIndexer.exe	110
PID 3388 wrote to memory of 4816	3388	SearchIndexer.exe	110
PID 3388 wrote to memory of 2292	3388	SearchIndexer.exe	111
PID 3388 wrote to memory of 2292	3388	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe
"C:\Users\Admin\AppData\Local\Temp\19f3d37ae4b0dde2cd2f5bfb898dc58d12739f8b2141531a84a832c137425d9d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3700

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4344

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dcf935e6473dde2f00697d195fbda557

SHA1
0f764e048abbb3d36b8e1de84968a3cdade82da6

SHA256
f1d57a15601d59eb4e1ce6d242314173ad1b7c099374b4881c64f3a797d95204

SHA512
9641b778dee8bbc92e4cdb64fbe457f7dc75ac2a6573590a85e3949f03fc59f5120387f5dd2d768cbec09316bdbb924ee7d1901800061d18c1e996332c5826d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f4b1d69eadbe4385cd5f6580ddb7c085

SHA1
3ee5e649475ef050b8896a1658ea27392fda5a28

SHA256
36894e5e11a6c9348570468a79d3031e77027b1b11ba32dd8f9f9c193fd22742

SHA512
6440fd72a97fc5a2612b06dbe7a52b4d9a4ad4ec8cfd886e564a8d876554ce37d4a2b2e151e47c109452931d034022a3c1f32e7cee867a12cc2089547a23e22b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
3cd00afa629286e3b6cb7ba8b3ff78e2

SHA1
42bbfe7100362f6505cc7b6da2f08d8f971ab3f6

SHA256
3c7fe3045b7eaa927f6c6c7039461e1c6bf2e62081548e01ad89b915c7d7afd5

SHA512
d4e21c33246ec9d5a3e67bc8df2140ca9705de5f3afedc30196a9492afaba24c1b1f243f283deac3333d1bdc33e1a12f8f6217f359cd0850124d3e7b188228bb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0560c80bbc676c21ce9ea30c2d426338

SHA1
028cb34865283bae8f0e218a5fe9b805f8f8921b

SHA256
bc26d0ab30825634898991541eaf245243ff4298500c0793fb301bedf13bad94

SHA512
2d066e600e1d74f9f452d0fda11165b38506ea7d72fc0b7935808f5b42e0508786081cc6fe26b557aab3cc8e028403ea39a055e7d3c45ba52cd2434a3c3a8660

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4e00859758359e4f54be949f26d7da1d

SHA1
5769a7fe01bfac0f5c0a587f2df4829f2a4029dd

SHA256
417db68c8e81e3a9c0b5ac080593162bad9f4078c10f0f553023eb3b343ab2a6

SHA512
74cd645236c4d19f0a76c234faca3792caa3be843b5269f5ad594cfc277d315bdb78992b71f4ae7b765400821cc2177a3abf62e2ca6fbb2c340046b3f016533d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7feba7fa5b0ea979f610e114e37cb9a6

SHA1
4b83313f3e80a373c03afbf11ff8510a3f29ec44

SHA256
bbb9a8e1dbb835cd6a10edf478c50c66526d929b0f04fa2f4ce4d113eb0a4cb7

SHA512
6c52994547e2778b0ba32f5f1233d76dbdae2404c02f45b78d7beebadaa6054a6023a985657d0fa732d7f6553c4ed4048dd040c348e6403ee71b070dbf1de2d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
c6458fed9996ef3adafb6f915e061cef

SHA1
d598754923b93d4b6650832df19f734ee618591f

SHA256
da14b95f4b5e8df8f5e5d2fe82f916e36a750ebb0a66a0bd2601441de5455859

SHA512
15a8ec0844d6b448b286f34a1df0d1acee78fe9542bfef7bda28497f2bd3f487ae8e45390540d498952f279b751ede347d7a27a6aed165f90fcbd72c4e73e190

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1adb0f45a4797ad55f5b4b2b09cd4eb8

SHA1
11ed2cf033047410a5145a190e71c398b3a651c1

SHA256
752c68ae06b3404539612ea35b6b9dc250aedb3b918b1babe3bc42c087fb7857

SHA512
d7e565ed3554bd079158154586d619286bdd0af3fbdd581d34485e9750279b33822e8461361af45e6e5b8656f4f4940c3040611ccb9cdd336737a8103e6602e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
371a6ef30707fa7b1fe6452665b0269e

SHA1
341e108588ed90b99ddce69d8a688e7c88b6118f

SHA256
afabbc978d10c25dedd74f55412a3518badf8157e8bc2e9df4746d7a83376dae

SHA512
a66291f4fda9ad41439d056f0568099c06fa1b98632144d043709b5a1dc21334924ecd7c7ba2b719f389c17c0d7b21dc29134d7ab19fde4860fcc0815e9a3ae5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1ad793714e1e204f596b5ba6d668d40c

SHA1
4e982ac96db3e2820916b4c9a619871f78b65257

SHA256
5832af90e109d9411a45ba68e8c41cf88450cd368588bcaa2ba31f9e4b5e76cc

SHA512
05ae06cceddadf4710fb8b3e1f7f4f507b7137d68a814421af29d73fadbf18b6876c5203a297c60a37242c2cb956ed6b55c8272054406e4d9357d0b642720422

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ef698d1499fdfdafd34435b7ffb26da3

SHA1
800c71262a1ee311f782275317708662fdf3f52c

SHA256
eccddd365fe72f8214343a2f513bc2cd9b024d8e6b4c7bfd84ab0cc50e60364b

SHA512
635ab9d51727fe7418302654e532c13a029d16ce4816aac2527e5b2bd0cbb9963f1eb0bd880f2c1e438e3690cabd002c6a3b1c0a35cff6be62c66e6cc7aa9423

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
73a858308438c14c09b196fb5d909558

SHA1
ee46a1b980458bbaafb3b9ed288f7c83b6bd7963

SHA256
7c4174643f41a420d3c14900636f987cb59b1607f86a9a6da792954b62252939

SHA512
d93d74f454d37d2885c91c8ad40214673dd4f4b98ef854d921fafa2ef6c5e8e5c789a5c14f7d7ffac7ead7b822e924972a2b0a8fee594cc1d1f42ed4dbde556b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
04048c3424377e91a706a0ce49f31dcd

SHA1
89af9775161dd4a75a7b7a69060cf1e17238dcb4

SHA256
0a51b796fcfbb57598f825e9a0255b01d47e5fe081e66583c089297f6a3c3259

SHA512
34e4a3c3e676645b602b783908e9332395b96124d6664cd6b3501732deb808e3463f586b62be7e0d09df39949de0485eaa26ed3b04fbd007d8260b2e4eb1b2a4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1e3559636e1d16dd31f6ae9518b41033

SHA1
b600cd854048a122a8706da1b53c29d1d923dec0

SHA256
6374e0fd4b8ba11a8f89ed0df84ce1f79b5a5bc081f95a2918be7dfb2ccd168e

SHA512
63f7965ce3ca0b75cf97701dbf1f61fce66088b170c7b263fed7de6301d46029a93a49aaa94d7e4f4a9aa88298bd191ae45d899c8f33c05e26440cdc2d437329

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
bec70727e953b7bf522d9c3a110a8b81

SHA1
6cb0bc6932b500f65f9888423bcede19b15b5c51

SHA256
3cca34c4094ed7b36b495da066bd094c33339b30ffc7be7b3937962cd17e5967

SHA512
4392684cc5f256850c1e63f8bfbaf435ee340e5d0f2e08c052f5be6838f37c154d34934d9daa4a31c61344c643ed50cd470863c132247f9280bb28eb9bdfb535

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f2cba5df1ce22415a256348e66c91840

SHA1
1e21aaeeff971f2aedf96effdd0a7eb61c3355d5

SHA256
c20a820a058992d583d718a4ace161db469fa0b46cd74ad60f2052c7b3112536

SHA512
45d855eddef575c70b7137076d9e7516f3df7c778d408f6322486d4a98d9c023f2cf1d1e59b903151ee57adf87a7290a72bde83e0de7d29c1bd0bd47f73c41b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
de9a0e197915bbb3c4dc16eb7017d1ec

SHA1
64c789b5e5f29f91f303fb88594cfcc5256306eb

SHA256
93f62c00511253a22636d013dcc4e8ae4fc843089022f9ee731c539b192273dc

SHA512
64b1e1a645dea267f415d593f37566ce582e9fe5c18381614e1ea0b187d97dfdf230ac25b2c1ab1e6449a71381bbdbc743a5826af117d43705af5119aed7abcf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b9eb00366a295379a83da51eb95a645f

SHA1
233377e50b0d83fd5f5b02345372a7578d310342

SHA256
f481f937f896e65109adf257103817fedf133f15a2b689e9575e8bc5fc352249

SHA512
aed5cf89b11b91fc4aa72092d1ac97a3b2182247b6eabfa85c5b91ac46b346d60b693f069e29c49f894df58b33b8fd48ff20419c86f9086ef7317b994b24b800

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1a5d15ec5fa93ea57deb7791dd66eb39

SHA1
1ba9a5e9e090bb87d18a939377e669c27705558b

SHA256
0075c6005f1abca6c0e5243ea2570eb1d161323738bdada8393a8f6841b345e9

SHA512
74df36770922aea6930e22031238eecd0e19afb5cd4d5fa08e0ee4bf327d46c193d1a514c69123f93826f966650e882f54192aad728e804ed609d0d6ed761c7f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
091bd713c1fb96cc8108377464ea7d56

SHA1
9c4630fba1d5b22e788a3c317667295a75d917db

SHA256
82b69325be2fb6bd988b3c62b5c60fbe50c51d17494b1be707922acc585f4eda

SHA512
9c787a25e58337cef0694ede0478ee7e030f2377a5b41fb8c6f619a1ea60ca34dd2128d512d9c7d0f444d0f277e6e3069148b951dad9e01068fed9cd21549260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7e6207df00aa748df8b6c3f3d8301b7f

SHA1
863fa4ea927df4cb34fd4a4d1f7cd497b30812dd

SHA256
64e65ea1004408ccedf12577267135926763755fec4a40f6f8e21464fe0481b1

SHA512
3d08eba8115e025e79689cdfe48736a7c934fdd0751b8628d975c692665093906440c37582b672a0e7e45187cf0d0d0ab4e8c3ef87721a19c19321cc59302c0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c96c32bfa6ca5e6bd3acec97dab241f8

SHA1
1bed5123f2fcec8b60ca3e75926e688c7a2b9b86

SHA256
02cfd0b682809ef59d4141222732249ed8b3bb1035e8e707896bd72e336ea26b

SHA512
98c8e3bfd87def856686caf633f9eecb75b0df75d6d8522ddd6bbf0c8e0fbcd8dda0a6d2b058b4644f408ce9b3461333fa6888937d104dbc64edd657107e26fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b16a07dd23ebd782196f24be339e6821

SHA1
b90944d48becbda91ef9d28948de9eb7ae0581a5

SHA256
b3a947377c988b11e7531dea0c0ccc9dc76ef5e976a5e4d263d539a2e47e7475

SHA512
2e124d76946250d923b45afa6bb034e7760dcbc7ccfa3ae896f2701940cdc9ee954828d40f101cd92ec40d3b26e920eb88f82aaf6ab5f0bafaa45f2d4a2b2273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b9ffd0818d7230ded10b5c841af341c6

SHA1
24d16809641f46ece5879acd8294da497ad7ffd8

SHA256
1a18e0d37f95d99e99151c65aad92989501e53ec209fe6f6b3f956e88f07dbd9

SHA512
cbc42a628a32ff2340fd1e5e62f0cda3b825e9f55353c6fc5c4302d38ca39f6076e3816d8ad03bffe8b62f80d576e511ce3ab7ff5f086d360dc1dc67817cd573

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3a4d86b8b15b8163601ad1ef36868c50

SHA1
c760a8a6614fe800805c724da96bc921a924562c

SHA256
5b46034897670933b959ae71053b18096a834f8d86a32753fa27b7f72ff9ab6b

SHA512
f42d6854a872350b45c47c35a89212ee3d9aba32f94f00317dd52484dbec756a5124ba44eefe7461fcb1f134b2f3f426563220cf86f26b77c694538b21e7c94c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
4986c4fd117ed4669895fdb1ca938240

SHA1
aca534abfe596f5f0c3cc3a85dba0ab617d271c2

SHA256
129379904be8cc470b774e814601f1cd5823395412e5649e8e8ffaeb76e4314e

SHA512
fd64f52986baffd48a237cf1080c3b0b4107d4481d9fdf10354361607a1c347c330c9c43fefea17d74984b1ece216574acb4805df6915316ac2d99f72708633a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
3f5ad56509306a24b299a37b08b5b6de

SHA1
d810c32663cbf7e85fe3a95a693dcf79e2eb281c

SHA256
b0eb0ab1ce8f2e201812e1920c11f3c65990b6a07e5630e9dc14510f9d6456d9

SHA512
63f9c380425ec8ec83424c864d4f409d296f6e7b8fe8f0c6bd4ed95db63df3fafd80f70d83e4f94c6911088cdacb3a108bc40e646e7b8bf1afe89ff8e4a8456c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
5925e1df7999da3c7de359fb57d4b933

SHA1
d904cafe39e16369a06dd4ade0b8ff269d8b0a93

SHA256
b734ef6309e39788db39d72fb1b019e735f0a12df621f4dff994f3415fce57df

SHA512
83da63e0089e558e1ff89f9369801662fe443eb455ec1b20cabbca30963c7d1c1aa0fa8be7dba0716542a43f515390d2721c1f7f7e1298c1579a66590229874c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
9452c44532396081c1c4aecce5188aa4

SHA1
b396eaff9c3ffb7292a0e1d99d47affe9d30166b

SHA256
cf8e397630474be279bf0cd9fbcd38b7e34de6a773a62e9c1f08a5d07883c2ca

SHA512
2f4fb7e5000446cce9ecfb5b202a2d71b5aac8b3a71a1035332149072db20248393cee2c6c82ac5f420022d5ccde3caad078238d45e02391fd0e36c5ca6c217e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8b92ad9591a8502ea50e9a2500e1a632

SHA1
5ed79a7e255d00eb49e85c0c0ddd2b5dfec144b5

SHA256
307b1d127b4120fe5c59f9272278f7e8773cf487c0380e277d9e3bb47bfba217

SHA512
c334aa5de58a0bbe2d2213c1ad1b268b18b0167aa4b9807cbd1c94259ada893b54e44494b76a9b376d5ae46ac15aaf82f437aec6bff0716fc418f746fbeaab5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
839f5c5a891a51a7b775a7bc250fc0c6

SHA1
d7abeb5a5d483e930c5835a2b0a18b18d641a34f

SHA256
a61bcfcb718d13b413ee66fe876884261b9997a45eb518eadb23ac540ff44d24

SHA512
215b47cd56f39f3ab7e631d82ff8d4ab30e3df846e4eea23bcd6a87f1f28bcc759d7249202b006566e138835ae0fbaad62cb34439eb6cb87a4d076ea3f6ba99b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f46fdfd3fc74b5cee3ae7ba3bf19969c

SHA1
fc7d04bbb972c4e0f92c26e5823f6fb8f797c285

SHA256
26b3375be7bd6b99e07519c25cd512576a6163a5e57760263f176a7c166e488b

SHA512
ac002a851940c06035fb90ac072c301ba3ead2a29dae9b66f226c25c1869228140434ab40e02701a218b5369acc4ad2b4e7fd42832fdc0fb0a74026efe74f8bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
cd55355cae2bbd8747284a8f6d7d522e

SHA1
2fe6bc70bb645e04f4de7a30254dac584fa3e21f

SHA256
6371f47b71826183709df8c74adff1e5ff79e8ae214e93fb13cddc66b4911dc0

SHA512
e4d731ec5135393340c1aef3df60e70896020e4611cd27dd5be846e5cc9a8c500bfed869c3ee725683d0e72cfba8a71c17127f782991887f2d24acc00930c759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
83d47e39e9a25d084bb371818e3ad1de

SHA1
53f1180e7433e27ee8628c9e1c42b571c3668527

SHA256
407a3d6c583e7bcb2b948d08297093f49439b4eaa13d48aa7b08d5ade77c3860

SHA512
e4ce0079af1e012ab65e3bac143f836f99e631efb7d6d70073cf5fd73f44d44b4d78d108159e8a279cb94c9e7e3b8061ffaf947275e48e145bf6a6cd39cac413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
9a882ed05aa39283f41ccef1a6a6b874

SHA1
3dfe3d40687867951f76888006f0aae7d49149a4

SHA256
4cc655e1769d19226d5efea36d673726288495038d02b8b333ec1b4cf5de3dea

SHA512
48e89885f99ef7957dfdd1e69453be64ef9f62fe0163baec586ef2a61a5b33ee8d2482db5ed968ddcb9c28b4e36635ccaf6b3d2fb752cc37cb8739ddfe1a2e1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
3a8b14a0000b265f56885a79e235f526

SHA1
bab2f0b3bf2afe2e753955234530975c264fdc5a

SHA256
2aaf7eeebb18edcda786d96e7a28110423e558d6c3e6ac9079c03200386d8635

SHA512
d27de23c3bbafc873b8a55ea1fd21b16d1968797d4783096a8fd30e94fe664912689eaccf34f33cd3e73966254746e4141f7d512ea8bcdc3510d72bf85bcb416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
dd0859e0ca38ffe62560a1a3056be52a

SHA1
642aba52cf53d7b6c2c9ce158f9ddaf302c87bcf

SHA256
7e9a978776b2780d00494d9b4d25e064431d649e856f73a5b2c8d1da5ea84ebf

SHA512
98d189f6f7bbd8952c2f7f1d0f5b20edbdb972f5e8db42932284d53ae465ffc53e4ff1c7a972c9ed51b7b7f9c016f0d841542d2a9f42140db55e8d7b447aa68c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6c4402be813d275be60cd9efa60c4695

SHA1
5ad38698722e1b483a255e87c4cb64e423987bed

SHA256
55aeb3f7dae55e7c09c44e4d7b1a8f5e736a446b52fd370b086434c200ad5a64

SHA512
43aab071882a3a2448634d0c03ffda3479b93d71f59ecaa76f5f969376e450ca5bffb5be919f21b59e6c89c79542f87b2604b2700bc958b7ffb3a2cc6ef99fbd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3eeb4862bba70daf00edd6318e5b1a29

SHA1
cb65c9535fcf63ffc15e5666bffe0bce4e7b51dd

SHA256
22dcfb99079bbe1a4698840eeca706020068acf3f089df8c0140b7e54c014541

SHA512
68e0d3ef65b863ce9d423f533b813f7573f4eb1298707a1a9e644fda2b711db96ee1cbd3a576c2fe45fe5f24b52242ee7de00e1a1f364730e61853ab63d028b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
a891f32ddb3de66527ae6a5ec77b4ade

SHA1
d90564f0889fc3d65e308934d9394e19b50ca348

SHA256
0d33175794b89cce97d2082a6a0a51763968a3e9153525ef59c7715743e2033c

SHA512
6647cd41bc7c29ca49ff0e451f3b1d2a58643b204d0ab9366a2dd0823760bf0cff2817222171d07d88355e73551f4d8e693368aa31c5177eeffa553468f5aa1e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
26ab42e2b0025bec29750cb4bd32d912

SHA1
4ec69a79247466a9bedbdaa6bfa0df02ede36474

SHA256
df57d805df44886c7212e8f449027348351841c42b9efa12b01fc5b47a88e3cb

SHA512
438560fea83abebf57786d9756014391e826d83d337e6f7f37bd9c5bfa80f3b0472253c7346a4913bd0680caa872019210fa3aafe29235724537df80953e1d86

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0349dcbd22d5b811dcc2cdb8fb2fc7ca

SHA1
41b7ab72a9801316be651355bed0e7d906e008fe

SHA256
c9a53e8a66e19469a968d88b2f90b27bca567a955734084150d9dac3f9551e31

SHA512
c7eeaf1a4ef4947aa0be249cb08343f0b6bd08dd9df69612376f696d49a822da529f8a54e2b658366969cc9e74b1ab8e61cae2a532e502311c5b085b60f6a8c3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d68b39cd9e9bbcd38f898e17c75b059a

SHA1
55e71be73435e5fd62c4c89397b9e369bba875f6

SHA256
d4ff67075169b7944b96b10057a198f2f0d45aa8b2f6b0741c969c73597233c5

SHA512
cfa83e6a3bfd827423eece57287bf269c912728741a100bc1d15eb896ff171d59e038509eac6b9d317b2840a4f667f367372dc7276ef811ba3be7ea1aa8af71a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e7c68b96ab024c861678a7de834927cb

SHA1
760666ee1d8592e30c0051caab0f2e2717c1e7d1

SHA256
32a387facf66992bb7a2d35370081db69f35a4d8567843f093fabff20aab8bb6

SHA512
a2f8a009d64bcda77b90b613462e4b5a98799b3bebf989f98a7e32897bf4a7ae619b4a1b9dc7a97e3cdda109a146a1cf5c0926dc5e66b79b37ec0c7b499f7fec

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
65fa054fa07445881bf5079187e8118e

SHA1
8f952815fe135abfb782fd3c49f4523bbdfe0cc5

SHA256
94314a3ca17ed0b6617947436e49260fc8c9075096343f5d5ef958462d338a6f

SHA512
ad178c43bb2e67612f817885bd609bbd6b4aad246157de13889e24cd3cbba4e05a47b2f7991235f3dfcb688ed1e78dfe4f53ee3a2938c9e5c5bff8d6efe1e0ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
315563577cd43e7e1e12697f5c81b4fb

SHA1
5bf87fc1a85d025cbb705a17b100a9e55c0a6c32

SHA256
fe8918d3f8629316523ddf7a9eb4a5acfc6eff366c6ab9c12954a7372833cc36

SHA512
9b6ac6387c23a26096d500eac6ad110de6d9727b8d1276d2c6d5bfd0989cf60af03d88167bcb7c790a3a00081eeebd67dca8df791c06d11250d6c92cf0835868

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ba1582a66f002ea21f6166f36457e2a5

SHA1
e133e7c48c6e9fc060fbcc645f25648f643be3a4

SHA256
5c178c76a7082c458758a358bf418831dad1ac09d1c7470671c0a4179a79aa7a

SHA512
485f24cb07a18b9ac226136b2947f07a9155327ba07a11229192a8ccec51d4fd9848146678c4374b821e8f6a86b8404f213c6a11c958d10aa7ecf9ceaca34c2f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ce8aa0b613dd733cd7982871627a8b29

SHA1
9f91c4f6b9ae847672b50932b2bab1e7f9a5ca9a

SHA256
cc69ed2ef8c5e9c02f2ec3fe16e9d7724d20aad8fdfcbad3e524b69625fba2df

SHA512
ddc1dd2281c29858171ae3036f9694903dc5e865fe84cb40a135f09fc2b6d17f4c2176b9e0b3df3e7e82ef40e914fde9ee6b37e79e1bb659e488d5e3f741d175

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
859b89792b815ac4ec933623d4217e46

SHA1
3de92b84934ae7c57712e39a90cbc1c76089394f

SHA256
84235a43efda3a090fadac82e1c437397c133e47ed6f1310f575d506f71665de

SHA512
3fa92e669e2f3afdf3e6ee48538803c35e54b9695ab9b9c4424b1b41daee7174f739a1ed793e81a35ad3baebde67ac57ab9a0de08e68f208d553d71ab414af5d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
fd9d910e7b2fdccb7cfa22bed8c3a83d

SHA1
de7dbe0f60833a3371118fd83c73bd7d7b5682a7

SHA256
357c4e7d879e50dd2d9dece14b7638839c66656238da1fd56940993f26881bf4

SHA512
b223876d7634c1b664d48fa22e1a0665d5198d0a18aaa74c83fe3c029e344618d4f95898eb500e8fbcb4fc3f5f3d6245f49ce75178a40c2aa028fa0a00243ba5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e223d3f1a06ec971738f2bfe6883ac5e

SHA1
642aedd88de84a46206d9253e7eaba912428b386

SHA256
f7cee76e50e5291bd447d468c3f4cac717e900776210fe4756f5217c56958313

SHA512
66ed343eee37f693ed7779b6d630502b382cc90d12aefaa53df55571d4c7929be6dc472e68ebc4a744a46cc1cc231be181c028b6a50143d6cf067f1fd0c32297

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
2d1b59947c013e2c506881bdfd50a3c9

SHA1
89adfe07c68e3b9f35258992ca016331617e8533

SHA256
fbdd4cddb3ded08c3eb4ca905c27060cddefe7de7390005c5b018cdc8b01ab60

SHA512
805a8f7146239996e44f81be227b5fc5e431c74a3661b95a73527f713f1444c09091e713c4b097e08d45e108d5ef3b21ae1f5e502092e15c665a844f316825e3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a112ab2fd23103830ded609c41b8142d

SHA1
29fb53683d0955892c405a6f12cbdc64f5e6413a

SHA256
f4ec76dd0cfe582048ab151790f9af489f837bfe2044076c4929eace519a8f2c

SHA512
c993a77c91a31233e65dabfd7ad48655a597f3f37f932a7fe2ca24df2c79905e870668b6a19f693206b43d7a3218ef8f70e563495b0eac163d147a5877dd14fb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e90308fabacb53a144c22e44693a79a2

SHA1
165060e371a485fc2e724306ad14764c74c66c28

SHA256
d1561b09df56cb0b6eeeac2aff89094f369d54223651d4ba4689325c0e3b151d

SHA512
4e8f2bf2a0649252ae82ff02504a1061f68a7b17ddefdf9d38a313c35bb0ec48cf0e00423aceca288cccef3173e66a8caac4b4fd91d0d31dd42a5696d28e0057

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
344af64907a77178144aacfa8c7932c8

SHA1
6185fc65dd09904fa82abadbc14bd5f86f994000

SHA256
a2dd199fc53b3ab6930df5b1c4202fb7b535dbee0fc9b4ed512bc9715a9ba10b

SHA512
add76ad90ebc67320146561e06ad2dd98f8798ba3e89237fbe52d8b5ffb7dfa5a914f85eea260749acca030676a2c22ddaec964e1938748aaafe6fff6f5afb5d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
f1f24fce95f2e40537065edf5899e26b

SHA1
6f09ff79b5194e96349261ace47cfdc11cd88222

SHA256
cd07d1a9f1da4832cd26fc19665deaa776251b3085c7c93482b78028533544a6

SHA512
d96b37b6152cfe7fef0d75720729b4953b5f2dc065565c8fa7a2164c5390579623078ee2c67485d93d62aedd897612287ab208b2dd7661cf09cd7dd9d806a449

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c165e67ddabc63f932a5b5fa3bab1da2

SHA1
dc9cce5c62d52abe5b9d8554ad634037b63e82c8

SHA256
937b9b65eba6b6f001bd6e13b14ed2bfd6a22d0abeaac0cd9b3d4a4503090ea6

SHA512
94477e2774e11de1c3c536f576ea009310d7b40bd32243111eb9792ae41c0d97d0305f570fb91d6dd2ff2982962e859f589cbef49867a190c28b37a9bfa086a2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
731404c7822972403b8cc52ca889df1a

SHA1
d77ed3dddec0abc35b9163936c8d77146ef1dc9e

SHA256
1cc3e198420a71ddb445a99155b8829f8a00d3317b0c6aa6ddcdcb8b78ba6fd9

SHA512
55ef8444f9dbd3c878245e228b3fa7d67377f12e4fe46bc15b6f91282ae627f6df35ab760ff6103ee50ca3e04a5b2c0914de947521ca1952ef041f0ccac7262a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
372fbeec15bbe1b5831f23892f20df55

SHA1
5b4d0a4ff33ea35dfc6e600a8d03f983e9398414

SHA256
152acd7379c56b8f6620b8aa6fc5c281ef61221177560b7dc0dc4a09657d2360

SHA512
014a0ce2ec793c4d62f1d91a3d8f84dee109693c68aa2024576288c234880150a3f859970ab125f16f7bd8995de4aacb7a7b6511aab1550c47626c7497205bfd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
8489a67c54f14ce3e486fed6895544c1

SHA1
782de422bc149adb6f66682cd13c8fe64cd1b63b

SHA256
42f6836bbe136db4a8770b17ebcfbc6f1c4ab526fbdd528920fa6f9848e68f7e

SHA512
2738174c3621d06b8fdc0854237e91266675fcae1a1c65e249bdb134795c24f40f5923e5256fc7224a6f92d7010bae24993f965e74a5322cd8dd1dd5ce4a4298

Download Submit
memory/680-315-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/680-203-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/812-101-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/812-102-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/812-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1128-291-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1128-178-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1452-254-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1452-709-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1464-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-121-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1464-111-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1464-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-105-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1476-715-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1476-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2300-303-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2300-184-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2408-327-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2408-206-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2992-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2992-711-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3136-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3188-716-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3188-328-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3388-717-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3388-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3556-229-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3556-681-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3576-12-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3576-195-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3576-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3576-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3692-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3692-714-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3700-276-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3700-157-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3700-158-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4008-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4008-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4008-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4008-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4320-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-705-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-2-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4340-177-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4340-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4340-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4340-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4340-505-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4344-706-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4344-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-240-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4552-116-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4552-117-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4552-127-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4580-710-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4580-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4892-152-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4892-149-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4892-142-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4892-143-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4892-154-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download