2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
Size

1.8MB
MD5

3a3448e01fc90daab3478882630e39fb
SHA1

5bcfebffa9c74243751d15f877ff5d9fce713044
SHA256

2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6
SHA512

c14181b0c1a658813c5e09fce7b23eb012a5a2aacb2a19c77d4221658237797d48ef42c876f0410423fa39decc1fa027e90ea59a3c9f12937f81d00cb12f1d63
SSDEEP

49152:xM9QPdxwfE7WlFwKAfzuTiDFUFk4/snji6attJM:x1PdVQFwKZCFgJEnW6at

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5048	alg.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
1488	fxssvc.exe
1184	elevation_service.exe
5032	elevation_service.exe
4092	maintenanceservice.exe
3264	msdtc.exe
412	OSE.EXE
1800	PerceptionSimulationService.exe
3688	perfhost.exe
4644	locator.exe
316	SensorDataService.exe
4868	snmptrap.exe
5072	spectrum.exe
2236	ssh-agent.exe
4532	TieringEngineService.exe
2200	AgentService.exe
3376	vds.exe
4400	vssvc.exe
4720	wbengine.exe
968	WmiApSrv.exe
924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\locator.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\System32\vds.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8cbf8deea29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTC67D.tmp	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9F0045F-21F2-4700-8EFC-E6B49ABA2A8A}\chrome_installer.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC67C.tmp\GoogleUpdate.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC67C.tmp\goopdateres_ru.dll	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC67C.tmp\goopdateres_is.dll	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC67C.tmp\goopdateres_bg.dll	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC67C.tmp\goopdateres_kn.dll	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000581de93c4cf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048414d3d4cf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007764923d4cf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031a8d33c4cf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000846cd83c4cf6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1a6f23c4cf6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e44f03c4cf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad6f9a3c4cf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
4780	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1180	2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
Token: SeAuditPrivilege	1488	fxssvc.exe
Token: SeRestorePrivilege	4532	TieringEngineService.exe
Token: SeManageVolumePrivilege	4532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2200	AgentService.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	4720	wbengine.exe
Token: SeRestorePrivilege	4720	wbengine.exe
Token: SeSecurityPrivilege	4720	wbengine.exe
Token: 33	924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	4780	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 4092	924	SearchIndexer.exe	112
PID 924 wrote to memory of 4092	924	SearchIndexer.exe	112
PID 924 wrote to memory of 3156	924	SearchIndexer.exe	113
PID 924 wrote to memory of 3156	924	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe
"C:\Users\Admin\AppData\Local\Temp\2d89f09f282b1fa88516b2f3bf0ec18049474789013b01d8cdbed803fa58dad6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3688

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4860

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
540a6c4ba77e813c6a0c54b8725484f7

SHA1
5663747bdece8c0c300943a7faeeb74fbf253f69

SHA256
1857bc186f4948bcb6f117f14c07faf6e17baada49d18e615fb0c9a4197f5612

SHA512
a13d2027567c1776366871d837df4da978fed8e467528124c690a2f24355049333301c0356556813e13dd4912792b049f4785a97dd149a1d97cef26ebaa648ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a0faf2e77d9fbd2804762e7b60fdd62c

SHA1
f6f7cede2173c7b9f4c66e7f541ab6c1054f6ebc

SHA256
dff357736166fac9ab1bebd413689eb047c2e618a1451518e7b3dcd645aee463

SHA512
6d7510ff8eabf6a6431a4f65533c377f0fef8ca4b100ef2c0584b38d1c3d08925ee83c15e021a89faf32ce77828e23f152dd11c90af9b3ecd134830bd1fd1bad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0e90a61c5b2866db03878f7a7c01a00e

SHA1
f15f34266ea75a8e7374b657346b0abe0aa10a03

SHA256
996607bcc3e44cbad6ebcc949e10e148dcacabae6e492bf089c1bf7e5f02320a

SHA512
dea33f5415ee3dba60d3acc7ba9911b439cfff353fc2d03c699507e2facc9f981e789280981f6d4785820e363de3f4f7417ddd5087820e5e17563ffc44382a71

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d9bd4efaa068d72ca678534e792af1b2

SHA1
b520eceb76bb120f0c0e1c8f7994f8c189c4c5ab

SHA256
b0ad055e878513ee656efae05749406d1f31b367ca77040e14b3ab4c2f902cba

SHA512
e9ac8457d4c2f096a0fb0335159268045fd9ce17d649e9e6c949d249e53706c65e12ca9625cde48496829a66469c2c891d33c09791389b1e8f2030e05c7df1ae

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a9a726c366e5a83afb989699948d00ab

SHA1
7d891226bf304a347d6eb822d6baef591570483c

SHA256
268c00681f19eebc0e82e6c742b10fd26a962f13abebe9a2cd5a58496f226e20

SHA512
0507148095ea4a07e703ccd4570f463e848b60eea619f67ad7eefb189d00e5bc762ede6f6b8b2ab6efbf0b11bda3ad0da730e84a785c93bbfe819fb871eef66f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
698cb48e0e06ce2a59a2c8c3e456e256

SHA1
834e9f9aae9f511f994391c460fc81984379fbe6

SHA256
049d53a4f4ce699f59089ce33c2970d6e84af18067f078b9e73c11825f969eff

SHA512
d0ff086e838bef2445fed6f51353b61e74be00521b2a67c47aa1c249d913889f26386d40ded1e9f33d6e4b7ef42095acb317076bc5c13162d0998900c184c107

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
43a266ff9755fc6e3f1b48e0ff5bc345

SHA1
64e7a3ce3aedf7486a4d0f5d1a6ddd792c8abf6b

SHA256
b935c14a4a24d59bd43658498e54d76cf47b459bff37eb8b57d43ac279364d17

SHA512
cae964720e0b9a672e6db266670349482b17e095c7284f8ca5ba293b0aa1d182dfd13fd0be62141a1d5365e3edc23591595fd78c019409324d28c8b0d421a601

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
18d9b926934f48148ccd254f06509730

SHA1
97a56dd7dfeec605104c76fdad8d8c67669265ed

SHA256
f9836c7c6f77e0de6790ac8a325199d0d3a058cc855bfae27a257a36845dece8

SHA512
e21fe63e04fba25a6a77dce307ea50e65219f59f2f42c3592f2a09904ed283d54f38919e53b1fb64b444f5baee6a360062a87d2a414ae89b476348a474b9a2c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c3830dac50260e4b209a186ca42f56ae

SHA1
bf2c869a866c29f1c0a329df2836c86c1d1bbfa9

SHA256
e388de3909411aaf90e35e6359db60840192f7275f9d35f174aaaf59ede7d16c

SHA512
3bb6809f409594329527eeff92ee165095498e5d2626ade622f922e8188623f38bea2ce819f77c8f379561df8b16d7b41a46036354e1a012ea30fc003dcf1c14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ef10262b503c7d633bbc9ebc40ea0bbc

SHA1
c71e3d2edc956c4a9ca05820596dc09d4333445d

SHA256
eb9a0ee05a5a34f8415505ea6305814cfcb05920748d6fd3bd4a75b7a9611ea5

SHA512
075d7411104e73487e7d579ac2f457d866e12de476aa6bd07d037092887d09e4b90217e8da6f2b0e260bb33006fc74e654fac5f392141e2c6abe7ba963233390

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e2dfb6b6eb09a45f39ad9fd7eb380e90

SHA1
6c2e9a1160c3466d8c7fcf90d7bd52e345c05a44

SHA256
db8119effbe9a1691b7f7643d834532f61d5c136a651cfa325b1bef45325c24e

SHA512
d080c658cf31e2ab3f3e147094cff7f81b1ef038dbab408d2f22f23169c95e78b47b1962e3393b7b174d61844e4a5dc003d8c80b6bfcfedcf2b03e034a47ea84

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
88e550b9df6251991cd06fd7a9a1ea64

SHA1
e54d80aec3f60aa2fa524e03bdd6c79059df09d5

SHA256
e421822cc0aa6cb130c8a124b8169805cb7970d0511e694c1498796b0abc1321

SHA512
8f8a184b628d9f3a95374783ad1e3f65dcbb9ec4aaddcb87bf6f5ba82a885dab86c1d92ea8b848d1f9b573878345faba6c4dfa5968cef88e7f1fe165edf069a0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e5b4b9946d82ffe9a0d3d3f5a0688881

SHA1
6f732a5ea3e5daa09a26cedf15eb69bb7f1622d2

SHA256
d267166e6a1783c630202b5090112d4522ca9748e28869d5c8ff13550799090e

SHA512
004bd53f87eebcff5a00eccf93710871dedf5ce37ace1ba8f4180c3c278e9cdca776ea4077305f78cd79660a3a17b688f541ef7c16950f0078b22e74c66678cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
55bb646111ff10f0791c819213f8525a

SHA1
14b9710bbf5df4eab7b7f9ca02991b4cf955a1e6

SHA256
261212a693cb26b991d9adb7edc7b293b6a1d8c0c3c8c41f496748c2b3f3101e

SHA512
b7df14b8eea094843c6aa3299ee88625253b98cd0d251a252fb92c64b6b0f3e4d2f6fc6b27d77fb97b731c5fd95a44f5feb3f823c1da7d4d586ec01a6e7021be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b7529a8f650bc6f5ff0fe364408778a6

SHA1
8bff08aeb8b4e2517b88238abf7cc863d55b9f97

SHA256
2d4fb6b8e40fa6b208a3254140fe2a2b27cdf5600211c02e30fa271332331032

SHA512
2666cd11e5ed4e716780fb661fef0e2775a8401116aef8a1c453ddab21563c550158b35a061781a18b3914e15282f6f3cb1ac58d3c6d6d7161303c655403c094

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0deb3e673cb5dff852fe72597482c4f0

SHA1
e9d5ff2bee7a42a0dc4099bf851d0787308638d4

SHA256
3ae2338b9aa3517a9d3cabce17213593e7f05fefce6e724e9d48008bbf6ac605

SHA512
62791c9f3c78d07c48594ad4a707fdadc948a80bbd440fef40d0b3758cf2748332e024df51b23d42f70ee09200013918ad74113850479568da27de888b4f5ae1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
631bf2f4895e20e2e10343097d1c53ac

SHA1
77ae625745fc4a23f2aac83834be0bde486a4b38

SHA256
00e0051a62d47c473652c49da70e0d7e1e9e046e91e2a36aaecde90d2812e672

SHA512
adbd7e39773bfe8713f1738130f8aeff259f5e9d1b59ea5dd6616235a9ad13690d3352aaed655c3737998d7a5f9864036166f5daab982e7d4301f29984ae89ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
49724f8a57b3d79f6672dfbaa2f0b4f8

SHA1
5c48a563ad15e0fafe9cd53aaca0a68325922bcf

SHA256
86c8b459dbcf9b9f5e92eb75bcf87d88646b29d3e6f09f38264da7bb2f07e1f0

SHA512
97872a19b73d4263adff0dd88ed167d90502db48554d7ff096723d40c693b004066d4384f468b4068ddeef4ef99f6eb6bbba53659b8ad574f82971c839674ba6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f88e7a691e30e25043657f18c774dd80

SHA1
6e5ef8a8d00738d89d684b15a8ab3e5f73d692ff

SHA256
94c5c49a4f4812fc809796265d070eaa11be87168f25ec9528b48247e460ddf8

SHA512
76910ef521f227271b4dd967b320024e7a9c56a388073c5a769136e6c62871e38006af53b586a0ffe341b5334e0750b2828c15f968599916b8bf54acdb5b13d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d1596583a0a74fa67a680174d8e3233b

SHA1
c09ed6799cca8d79c7b744aebe87fc32c4610730

SHA256
c6d0040b88a288706ecfccae0d2476aa2e7773b96284f4b626c47c413244debf

SHA512
d053dc9d8d906f6622ea3cd85b17f057bcafbb97b2d6510cf9d5d8700861bd56a560f2d5f5baa2a07175369f761a63034f1728f865dbfca5568490eb0eca9dbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0af18b4f5b160bce808cbedacfe90cb6

SHA1
93bf48d851afd803c05954f8ed6566eaa0d2803d

SHA256
0e4a50f8fcc3ef000079dfc5478001ab19310650da6338f03d9faa3a4a80cf07

SHA512
e365bdfbcc0c8b53154216b97a041c79ee384ed8a4c96da869c18bc5b82859d7345fbc7cfcb1208a6ead0af7d58c8b0139ea19fe9d42c5c6f79e759124762d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4d570b7171d694d442886b134405a425

SHA1
44a251c9b21b243b8ad6d88c46febb47d8245ae8

SHA256
ca5ef625dfd259e5742d5ca41b43171a7bcd2ae4ec7ad19c9598af8216b15932

SHA512
dea0bd252395e6272718252724f01de88ac2dddf1837f57e03bcc4cead20d5bdfa258ce316c996be4de4e62f59eb1ae182fc662e7238a1245c65d696cb59f28f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e23f088c80c5fb96f849d3aacb2f00df

SHA1
7049883d5bdc91826b5e04d7a4962491b1572832

SHA256
1649be9ca935a68cd0038da062980708d2926cf55efc8731a221af7fd5be137f

SHA512
11aa6c8dba70547949d4c02acbda477581491c3852fc30e74b91a862affa18a4c9a5d4665127532595f0659166ffceb0d976c1b7cceb4418934e7989e701c4a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4f2c39dd0ef2da0216bcd91c21765bed

SHA1
1e76695d79d0048217de993525613797fd218040

SHA256
5162184dfc257ab838156bb6b090a469a1f816aaa16752e3b139e851ef9785c2

SHA512
39178a9b3fa751fd9ec2a7546ca908d3289881ba51571efe372ea710a32ac971a0fb1e1736627dfd507a653f2495cba9ad05ec9119da79493745a4c8555f1c2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c9043b6782064718787628e384878bcf

SHA1
a58bfb182ba78ec8cbaee2667c7b0521af43853e

SHA256
1fbce827079c28847331f3db9e4b1710e9de6358231ed2853b097c8a522dcfe0

SHA512
97e27956749ef76596b47ac33579a1ccf267c4fda6442845b958df34cbe91ec96afe3a7ce35d3e914efa28a5b330abb4dd4e8b2df7bdf93d95e151eeed150272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1090188f846f79fa9a8ce3b380bac8c2

SHA1
ed775c601337f51219ef1cd3637fdf1baaf9f01b

SHA256
dfed3f8e299c912d4f0910ab285e76dfc4ead1f81e062656c1320063b39f5efb

SHA512
7d495580c71fa086d936d48d79340cfbbca90401df6b8a5ed1f539dece1445dc0ec64e64f1c5f8cf8b5a2dc92d631d5e8d0445f35adb3919d51adaca64bdb6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
17fa6e590853c328d9ef586a55aa3312

SHA1
3ff0869df4bcf7e75f7529e992e8ad971d4e20f6

SHA256
0489cea1e1204c6e5f2d289631dfabfa40808d476731a6c1eeccc91c0b6d7b3a

SHA512
ae86c9f841c2c78438955d19d38f982df5546237a11c3b847f1dcf9e27aeff08f3940e7fb528d059abda4d3e00e04c766611fd7eb3db5fb39c0de94ad6670235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f828f22ad67386bd8ffaa8a336c2a11f

SHA1
5555b55bc86d3582152864e25c08ef6dc30726e6

SHA256
0a1611bad13787f6d55d3014e7e14f52eda2b12e3f4c68c6c6a568101c787638

SHA512
ade1d9e5314d9d85b22b5ff5645169525853a4628a008e4f1e7880f9a319eb1eb6fd1ea95424381b56d2d08a35ab9eb4a1a4e3f0a337789d27ff1f5655b90708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
28f6d69ad148df49506a77080ca1f1b8

SHA1
077312b1fa62ff2f454c650e5dc0d87cfcdcf8ef

SHA256
34cd5eebd615ef787c4daeb7b3ea4d76bc7bd5d615d28befcd0bbcc4bc5a64e8

SHA512
6c7307e77f19fceba269b4e023faebf06160bb25aeedd18ac15aac654d1aabb0e9289ba17a4475de49e0b9b01f6a5bea37bce1fe5cf3c08558b0afa03365ebc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c8a240396585f927b259bb6c920e808e

SHA1
9126c4bddf62443612a2f41eb785500b9b9d98b7

SHA256
dbcb09c7e8d87f01b6f7bf03bb598edb61efc189038bb866770f5e9498048783

SHA512
c9d4bd5c9590b4541b848f74e01ad779e4d3f513ac33528fdc337c5c900b1a6a79919ec3548a1025c98fdc62c05be337c22acc5c925996b22260030ab16acd80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e4f6e1500f38145e5f2e6db5035f6528

SHA1
8aceee2486c5466d86b64e1ae79ce045ab640b97

SHA256
60925ada7922b7dc2537f2be894141efea340164bc5a3b86755bf1d59a8cfc0a

SHA512
cb3cf8566f2e6cb10b93b2b10cd6748f1a756f65b5fce3c9ab424cc9a7ce6de1cff80e1219e59b3be009909a3abba04aff3bbc35eb0a0b418e45f7ae970f7c34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3fac15c2ac441bd09d3339ab1ab968f4

SHA1
a72869b291f6e50a5eda569d65b3793cd7412a15

SHA256
a975f38ee930766dde04931fd0c5b72fedcbd6af470229d48507aa4659f6c27c

SHA512
05ae1a0851b8222a70111e2379f84c764cb0b113cd9a944cd0b4ed25728a9da13ef800ef967505174cb69f5e1ae56c2d7a39429b4fdb31e7aba2938de8c2f2ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
818a2bc049c7317845d0eb5710cab003

SHA1
991a43ce7747d6537886c11dec1dae28c64ed4dd

SHA256
acb0a8e8bc6286b6209183bfe2c2c96684b4d36bbb675ef9b41b9f935513035f

SHA512
bbd2fe2f42b302ebe15781c153928e99701fa3d8a373fd300aeb551b8fa3e88edfca9956d908b9a7300e11ceebe4e472bc9193776216e17fb16e68d714a2de7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4f994e9b03d936e62bf8d40a544d3124

SHA1
a9dfadb1f65f820d5075b8d0125cb2ed831a7894

SHA256
72ddbff289d04b4b19a75f22195c67b77dd3f05bfb28f48824e0df434a66288f

SHA512
9472fe406bf6c6ad57125f29e0b7d44bb1e7f56870889153cfaead465ddec23e785aa298e51aeff9fb2b58fd4c0eda7fe53f932600ed127f1a6a56ff1d2cfebb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
321913d53c54bb018f30bf86cc649c86

SHA1
adb56c42cce432d79c50103f4a460ffe50ec655a

SHA256
de8fe56fd33fb549b8a29c4352e0da57212937901ae27797c012a44446f867e6

SHA512
f5f32d8357415e812a4606b11546c5adbe5dc0f253d73c2528c27ee4deb35feb1d042e902286ed775706e4adbef4570bc0a3053cf1530e1d8f337fe1e533ad3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
1c323e0a37f486c36eb576728d974803

SHA1
dda931857b5e9287933729871dfb65ccdf633ef7

SHA256
f8d5fc38648a05661d9eed575c6a588deac7e05f7c665fdd4e6ac1f4ae8cd886

SHA512
b3ef066be2ebe5e245d93ddad5d543f19d07839a87ddd4333d4a783646156773f0762f44cf89f101cfb91fb57b2b4020c1397dfa3f0a6f1116089de6cb0324fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6480a20d2ff8664741872771bde6c9d6

SHA1
ee2032d628cb0ad6fd58017edc0d95e4b1b6f09c

SHA256
3642f7ac6ea648c936549c85d1058b68fdaa7fb8e7453258f3d1b9e42a1ff093

SHA512
2b3022ec59a6c91cf01d64ba97b0797ea5fbca98d46012d60e099563e4095b991e6b2a7602c57d2707950f0e9618fbc16590c9eb3191b1a67ca78c0a63929dd7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cb6ba7c452aafc5f58d755922ad92f67

SHA1
5fb8a5e894d5c38464b304a60312a201047db415

SHA256
24533aca56510ffd9ff7e535bdd3e32b93032e6dbd5e642b259ecf4747d0469e

SHA512
9f9491fbe9bb7081268e1a8bdf4eab0e9d931ced6be5679ee387242b26c00d89d97a950e7d5aea67361f7758e6205de775d63bf8b5a9ab0b25bd0913590d3993

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c2dc00644f15a18c93c6813bcf001d49

SHA1
f51d5e38c059dee2fad1c043fc8a0c0fe1f524b9

SHA256
5e6a7c9dc3d88fa4596c75343bcdc5118417d3c6c21982c204fa176b9eaf469d

SHA512
d797a5e79c9fd912b3cb190186e669e5783e2e2ea02b86b22be4a03b8cf57f8e2619958616e685923d45e17ac384f297db39510097366eec53a171e1cb07b233

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f527c52d17875b9e95248dea291e5183

SHA1
ca86f3e49db9e8fa50a964cae5baf0cddc6788cf

SHA256
751a7042a211e52d17af240b7ab90b00390226e6ac125220e85bbeb510a48c4a

SHA512
3a9dd71c5e4cedf116a4af2bc08eb777dcc20eb0efb18819e8cfb4b4c6a4f441c8016517ebcd67eca19b19d4bbe876dd14e427db4bfe817cf57b3d20f25cfaef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
af1f302de0d0b22628627d1be7cc6d88

SHA1
7b77f21c56ce1e6b42e35d73d6acbf1d81b2a36f

SHA256
b1eb366d1233c0ccbd47c9c455c7397aae476c5e660b5a9b71932fdeb9734b67

SHA512
7f8127467e2e88f87fef94c68d1fc60bb75234265127c0e22013559d4d2654e9cf03144d3ecca838da11f12d12f5053d3653c862e3fddda153580c872a208ffe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3143525819d92208329d0e2d64000abd

SHA1
a6e46013984c20f666a064fb046edd1f5791e4a6

SHA256
c26e7c76570bde64461496b530352f42194367db8b1f788d1ba0d13a1d78808d

SHA512
d6c60fd4fb5b6f1bcf8737b33e3b775aeb9b6d687d3cb121dc2907d60273e26b6e5f0a857390f75045a668bcc56a149f0d1ffc6544cfcbf93de9e6955e82ebc3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
597f63334e939bae4fd4c006cc496bed

SHA1
c53038120c5d3143aa673f101a7f95df77bf03b2

SHA256
4b2d4481dc3d7a0d2d5444072737477dc9a156c4818a2086c51eb7c7963db607

SHA512
55fc20349978c84a5c08efbc9795efe4b2492023c1159bbeae9b7b852020023bbfc0cf7060b00539363eb254c6fa295f4a3b225f49c6d1f9d7199f4072b5d2c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2e896a9b3eee7684829c693ca0de28a6

SHA1
43103dec1949e63194da300c40d47fe4234e6a6f

SHA256
8a2d366535a715c328ce4066ab78434e9a45de027a48a463c2f24c682f50fdab

SHA512
8bb0325d1e4ad5d4739860614aa0f873a39ac8a0429dd38bd30d8a70ec6a39b279e17750436809461a8e084141ae8f0ac4af54292bf98b6c837f0f3997cd7af8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e62cbb3dfe73ffb72be06ebeeffd2338

SHA1
40e991dc268dfb8141f5fd206c5825cb8c472c7e

SHA256
5c4742bcd699c86497908b32767cf07be815d6cd6d90ec4aae33a7ff8f37da10

SHA512
26978e25819594d77d30ae99ebcc79a90d5bcd41397cd5a14aa0b08371ffa07acfee720419ce3685512d08f0462a37572dcd85c8f7dfa632595645e04ebf86f4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4115ca68e407bb5da221ef49e5a52b66

SHA1
7537d1104d5d24a89468b97f86dcad24ece315d5

SHA256
278314e8c9493d558e1ebc53b5deb10d36abf73abe0b493a5cede1e98466a53f

SHA512
8a1ae5b925b0bf7ee752fc2ae87c5a98bdb7802f00ad81bf07fc38d58122672a2d96fb041c970460343ad5028956e68daf2b2351b4d38e42de5aa35d16ef49a8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
77ee195e17de07b01a099aebc23b5e02

SHA1
eec775da41232df7fe02692f4313a53365b9269b

SHA256
67e353a1dd759a20073805af959bc82e80ea2451617126b2aef2a2c669d821af

SHA512
9043435600d3ac51ffb6559483810f7bf53549993ddaf38cd06c1715d9f72812778e5d0431abd56ba817e744f1d2aa562c7e455ad89acbc6e1c9c66a72d6339a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
43edfe2f500988016b2e5a8e10ff232d

SHA1
96f69d564856475b999a51aae4f43a806091c25f

SHA256
e87090389aac3e5dc71bb9c8a5685591994afdf6180744d8416e89f88076dcf1

SHA512
4992cb502470dcff2bf664fbaf5c23d6a7e0c5c3268655d15dba2ca7e888e2a5470e795f10697ac9769292be4e2d1c0876c2b0b65c4709ce35b0ae70472aecb9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bea85a6cd8cb75d3111e5ca1616feb3d

SHA1
95fbc78dab6dd9099a18a3255af7b1c4d7f21a81

SHA256
aeeca56af3d9af870dc004dbd036ff4d230a969fc838c7a25ea671abac751993

SHA512
ee809858b43338818946cf81553be0b9e3ccb179ed0f341c94336a07c15154451b2b9b5016df8dd63ab10dbc4034169096334221fbc30c0f25aac42645fb3fcc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4e560f6bed0422c85666e0ca2b90b2a3

SHA1
27b0d1ad7a93a35102f4fa296d67f9e265596c12

SHA256
1ad892bf3b7bebc9dabcc400cba007830ede62a8781fbb961b6b71995715893c

SHA512
044396a76318843a93ee49eb331962695ce45ad25d33de8055100bdbf873c1a40aff4c4a5193ebd2ef80ad8f7983325580222c7e52579cc7f70b8ff2775dcc79

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43ec471eee66a446683284a3f5324968

SHA1
9d4b7aff17a883e69805fd24abe036d0241004c2

SHA256
9da6027b9a9e7283a0f6d7f786d4a0b54dfc7579768d3a466dbb5aeb94f256eb

SHA512
61cc79fff84a80beb31f99178ef3e83c0da32b986eb83aef6e00cbe95e9ac810ae1d611823d83a20a10f8637899372ab1e8fdd9f7780f4d15fe3a335bd163df3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a65022cd04739765546f78bc1af4c0ac

SHA1
facbde048fbbf7b9595e8c09f7f009407387e03d

SHA256
7ca2dc512b7040e0684ad53c2c40ec3a2ae48297a0011d73874f0d0d28404f11

SHA512
7bfed7b801698e2eedaf356799aa587432c487ddf49a04372e41bbdadca9d4b5cae7c772be8fd08a827a901d499375b408106ada758d45ccb85bff4c63b7b779

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
26271a56c4403e5d3a31fc060a522642

SHA1
bd5d2b1d8be18bf8744ae247f5809941c5d25a2f

SHA256
66ddc05b1cad8e6c04d1839017b874973ae919a0d9d8ade19f49c055ddc860fb

SHA512
a4d3915e6abf4e4ab22ebcda4ba0b28f619b3b5fa368c5e47ff43d7769395eeea092a7956084a1d9421a82b043633e9543cfea0a24d28b91c82a9b39ea035c22

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
91e4c6a323a96221b0bca930fbe5f8a9

SHA1
88d15fed5b36ea280b724a4331576986eecc4ed7

SHA256
605910a3cfb2068a63d6525f224d4ee6b129f2f5817f1af3dcafcd3d8e8bb332

SHA512
a93f9799a228f432a098aa019362e48620c175fe28b989569d7967502d7deb769104c02541fe94687915d671cfc8cf6bbaa2dd05f1c49e1a3d1c7f614fbc70d5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8d390c6eca4293dfda46e493668c51f6

SHA1
63a2049d94301225340f31b345220d4f681e6bdb

SHA256
d57b1ea486d23677e8d89e3fdc2e73decc4d295e1afd27b56095bd2925ce0d41

SHA512
03bbe98b4b708926518b173ab7425bf2eb0e45eb9c615ef33e122b88a87fbe934f628c028518e707d6f8d91417a73435a54488999a76b28c656b2a56c2f3607b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
57ed7b2a801c85657fe70254bf058ab9

SHA1
2c33f341e3bf644ab2cb683dde3dd7637e355314

SHA256
87aeccec4e7b894bfbdb768120ff928142b831d3f0597798f502cc38044f8e20

SHA512
d7092cbd740522eeb2ef132887ae18f443d69a36e4d228894dc5045f1bbb6bdba0162978a83d8a4904b188e1ee07a93f2573e29904d1347c6b98079dcb4f9323

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bd3af390bd338d70f4da3c65fdafc49d

SHA1
de0906c40b0ce1720f67a9090a2ea7e4a0b9dcce

SHA256
a690fe8c33f20947e0baf71107b13fbdc2f22b21b01566eb2d8945d8acd9c3dc

SHA512
33f11373fe4e50ab75ccf938365bcc09f68c17ea7b981b5f4b3e85800794f775c2721ef7564e61e78f36a88bfc3201d08eb8b54411817c661a702de5ff7ab3af

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
df0b0bffb2e73d0ff304efc4ef4275d5

SHA1
4fa262ec2c0d29c317278c397b56691e35606b6f

SHA256
2539805068f579f0a01a3a194a91511b3442b3015b6c5475de58cb97171788bf

SHA512
17edb0644b1830936e8f37bdb72a43f3b2989305a1a80f903059b2d9e017f5fececa0fc693a02e2103042496dc9753560ab09f5bf6835e197f60291211fd9368

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
71f9e3f6fbfe37d1f9b88a27ce9b0b10

SHA1
720c7bc6fdad4f8b399d6a3363755f88f3e71cb2

SHA256
ec10616f822057b07c3d5b7c20f757dedaf79ed57cd6ec6476df2722097a276a

SHA512
8719e382edef84d6e4d9ecb15a1fc55d87e5b7c794b4f6d37a4b4d060fad8892dabab2c8a32e48fd8f9484cf0064e2be0d60b374f825583fb79b3a625580232d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
777bddc8066d3670603b30537f1be79f

SHA1
3227ef2467a4557cd2b74e1320aa2b1fa728385c

SHA256
5be2525ba9e8342316d413c1ef6837dc60e096ac457efc466ed38b246b7212fe

SHA512
40e4a5ba9b5426a24c40779f96c52648f44c698da217dae7e0d4f60a80a41020a2b1a7630647556161d9f337f6e173dc66a5c3538c849f9fba89ad44aa3b8e7e

Download Submit
memory/316-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/316-741-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/412-293-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/924-745-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/924-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/968-345-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/968-744-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1180-166-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1180-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1180-620-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1180-1-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/1180-6-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/1184-531-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1184-138-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1184-126-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1184-120-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1488-106-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1488-112-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1488-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1488-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1488-117-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1800-262-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2200-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2236-291-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3264-261-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3264-156-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3376-295-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3376-743-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3688-263-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4092-148-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4092-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-152-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4092-142-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4400-746-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-348-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-292-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4644-264-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4720-344-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4780-102-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4780-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4780-347-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4780-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4868-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5032-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5032-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5032-732-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5032-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5048-294-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5048-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5048-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5048-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5072-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5072-742-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download