2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
Size

1.8MB
MD5

8e80db20fa8233802a57f8cf67f12317
SHA1

45b1d2a0af28d4c8b1ef0308e8aa1551328c59f2
SHA256

2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186
SHA512

0e0170f88bfa31cb6e6c20c1ff8d40de7f96207d735d2bcab8d22f132f099a1df13e59ce4c16584f1de4b0e3714baeed0c0a274df7a8d67cd019c60697440fe7
SSDEEP

49152:hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyaB0zj0yjoB2:hvbjVkjjCAzJAB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3748	alg.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
1736	fxssvc.exe
1888	elevation_service.exe
4064	elevation_service.exe
3088	maintenanceservice.exe
3152	msdtc.exe
2460	OSE.EXE
4760	PerceptionSimulationService.exe
1996	perfhost.exe
4420	locator.exe
3448	SensorDataService.exe
872	snmptrap.exe
4084	spectrum.exe
4424	ssh-agent.exe
1492	TieringEngineService.exe
2052	AgentService.exe
456	vds.exe
368	vssvc.exe
4292	wbengine.exe
1684	WmiApSrv.exe
3576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c8dccfe240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\System32\vds.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\locator.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\GoogleCrashHandler64.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\goopdateres_sw.dll	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\goopdateres_hr.dll	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\goopdateres_bn.dll	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\GoogleUpdateBroker.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\GoogleUpdateSetup.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\GoogleUpdateCore.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\goopdateres_et.dll	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM538A.tmp\goopdateres_vi.dll	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a750d145a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003432be195a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bb9241a5a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d3037185a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000508d5b1a5a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086d050165a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e29c14145a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2036	2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
Token: SeAuditPrivilege	1736	fxssvc.exe
Token: SeRestorePrivilege	1492	TieringEngineService.exe
Token: SeManageVolumePrivilege	1492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2052	AgentService.exe
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe
Token: SeBackupPrivilege	4292	wbengine.exe
Token: SeRestorePrivilege	4292	wbengine.exe
Token: SeSecurityPrivilege	4292	wbengine.exe
Token: 33	3576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 5448	3576	SearchIndexer.exe	115
PID 3576 wrote to memory of 5448	3576	SearchIndexer.exe	115
PID 3576 wrote to memory of 5520	3576	SearchIndexer.exe	117
PID 3576 wrote to memory of 5520	3576	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe
"C:\Users\Admin\AppData\Local\Temp\2ac7e92ad6a260d4c73a650d6fe50a6e38191dcc6064f45268a3464d2602b186.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4084

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
bfb9edfe87c05d47b3c8429177767cf7

SHA1
16c67fa2846415930b895e62f1ece7f682f75281

SHA256
8dbcc27f90deddff9ad26614d34c33f021ef3ff86296cbc2485b36dcd42b8385

SHA512
05526405dbda95d8e74b31d0d27e4a768e7525e3fae1ccdf61be0378e30b4c9b3f60670b7746a9b8bf529b4f5a083cadb3372945deb454d6a8bff2261fa6a8ae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
18268126c14cae36fab12ffab6d3d474

SHA1
c2af5972fd70b68f6527bd1563c98da8fa921762

SHA256
4ac555d57c053265c1d0a53dfc40e0d283e718d10196cd2b0951a64ebee285e8

SHA512
20c9cce09eeddd113b393ba5ede50a15a1b6b27170eccf5586ca045817f385569bb1c4a84a47d332c4313b01ac106048c7442881d12316470a2e8fec18c4f9a3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9249aeedf3d844e586d5fed4987f9129

SHA1
92530c6efa2c1d9e4b881559a9b527ac958f366d

SHA256
010fcdf5a608f6b9f61e48dbdf0a33adcfdf21c22f7055ea82c9fefd8fee969d

SHA512
8d47c135810f9c19d4853a15ece6f7818bcdc295e3226fdab6db5bf89db47315322ca6144646e3a8cbd00074c176d4a2e981406633c98a9a19e21f7f6de6587d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
112e18a162751e66a9226573724aaaaa

SHA1
dadf9eb371e0126ee16bd824561e0ad54348338d

SHA256
c9d55d3e1a13adb99feaf412996e775b46514dbe65ac3703f5596d55e4b412d9

SHA512
d85fa00c3c28d1a970706c16167866671604052efe6a7559dadeb84edb9a761005566a45073e5dc0090328ae9dd217a37daff2b042fcf347bd2334e5166eeb35

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eca40ee0338fc76bc0aac83cefa535a6

SHA1
e1ffa9da64c8532f918db544dabf9a1522965daa

SHA256
ed162c688ca6e0430507d74e955aca9215a9cf321c02755927de91dc44aca26e

SHA512
73c7af0c726f3c221a69caa41bd51bd75ef5f4770d6bc677aaf5836ea5eda5712837dc4b5b4ee6747493bc7bb316b28773c7c115c173f2834f83091799e1a44d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
98091f32c5eed2cbcc822bb2255433b7

SHA1
a118d18d56caaf087aa22ff7ad75371fc3c91675

SHA256
576270f19a5a7e8ed3163319a9c471a14d9cc0ab55bf7bcf91b1178a587b85ca

SHA512
55cbf7036a900f5b63788fa436f16912557f89a0e2b6fcb51740923a0a6804cd14d101505001dd90fb600aed58565230a79ea94bde49fe6058322e1e706037a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6fe408215944f78042573f1a337ce293

SHA1
d303b896a7d4df4f61ecea8e9fd0325a9d20dcc7

SHA256
8e162084bb70a520ab99da6a2f0e2d62c90e6f50d6a87ab2ad697a055aea5716

SHA512
e47cb3963eedf05f526ddc8352b50f506f0746d58f5fe574efeead2d4dcb7891b7620571f8a730ef0a0f9c800bf200dc7fd40f790c9f2eddaad6ec20ddb1e39d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3aac0a8ff038d3f7c542330c81602a87

SHA1
c68978d70fcc02a00caebf3a9966354ab6687375

SHA256
5f4961532daf0b6f8b0e386642046d67ff5df6a884a89a5e6e53fefebb3e7588

SHA512
629321e5f091b57efc30e74d33a9a2f92c6200bf66f69a47f2ce09938e9552b346b283afb14761e1b3f50b55fb904a77d13633edf2e5f43aee84fb9a74a10491

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f05712725dfe48bf0c7d854f88692e68

SHA1
459e36cfd092df909ba50934de39ccf74557677a

SHA256
c428aea559afb2504ff75017788c000d186ab78bafe19bcf6da87480f4379238

SHA512
dfd20251ee60296eccca0e3448278980542848e2fd43fcf3ca3f35ad7c28fc8a00c90ce45ac750b170f6d19fcb9ed34d8d407b857421f0bab60e7f2fffb93052

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
92307925992778e99dbcf0a108ecb5aa

SHA1
e1c2332b680cfcde6ac3343160d1f4eb98f53d3d

SHA256
2f5eabe251a1e05ef450d922b65b3ad1ce5df3cb5a9dee97f7436403eac131fc

SHA512
ea42dcdf61d5f5e92271194b3fe4c74eba4dbbcf362133e308757e4815f738b8369c507f11c1911355605c73ee209d0ddae8c8bbe262075c31d78af86784f1a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2e97b821da77c631724bbee23d9514fa

SHA1
0a57a7152b20e3d3220118260199142349b2195a

SHA256
ddbdb7120d5844c0268bfccbc9d05abd84c7719467f77664323131d47bf1fb58

SHA512
b7364134bcc724f181d20602414ef0db8da587c4d0dc93bea769df7ebee342f0c14c4998104b81b995562be5f54c8a33b671feb8b840ba409dacef1f2f6cdb5a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
abc409d038041b51dab83cf8a62f2b58

SHA1
fd349bc640dfcce54eb2fe82c8f4c573d506b279

SHA256
b58ca0e397f3003bafab30908567b29775ec7eaa9b191a2ff5bdb4e9a501ceec

SHA512
e903be6f5edb059603a1c8aecfe424a421b47915cad24d2850c96003d832bf38aab2c65bc3182a74e704c135185e34cd36a8ea4d9b91e20df4cead223e08224a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e90ee2326574b70320439358bbf3ae15

SHA1
a14cb130df8158b1be2ff49b2f4abec2fd87ab0b

SHA256
4b5323761d58ce79f4e7caaaccb2e2c72cd21bd23ae18529c366d39b5c2894f6

SHA512
b8150cadd7aa3f78633a071345983626673fea04d053ac7a20e7b9253fba9c1c3a3141b7e08866ecd192780ac43d5525bfc886612eb22d92724cbf347fd5b01b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f2d403f01d9d9107dc3d96be496d598c

SHA1
ae617b4147df4fa00862a584482f3fba41667a33

SHA256
3a0459cb5d9f963962b3ac51ab550e13480cf7a53d56f2de2d3af7be4be7679b

SHA512
ba412b9a7bcab2482635d751e02e179b4540fbea08f21fbe1c0a10733031eeaa88b89afa1bbe010e81465717b45e219f3bec505baa31300f6ca38f71b4f104d4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
764e8606feb0503c8ed7ad7f26e20020

SHA1
9e83a3fcff84f431cb81344e8db208059a3d22d4

SHA256
4310d9661d0d5aea7ae6e15d7ce8c7c5793f2a92f291870fc2a9cfc4aa9135b8

SHA512
dfb4cd1c5d68a565e2b5fab092093aaa3f933b027da3858d5df27ab8007057218cf884eb02a84972a3f91cd5f4dceeb3190469a3b935d507ef53fe96d28f0656

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
232fdb3f44aed6548478c06d5b897502

SHA1
91c4c906d87d0f312fd8d030edba7d34dae9c925

SHA256
03dd167da2b034da51e47907c999832569b99ae6d722053959a8857a21b85bb6

SHA512
15d193144e1e97c08eee0d176817f4f59d2f22181ef5cc13a709998310f5d0c6888e1d20751f856fd19755262f1873bae8251b298df0819ededcd95a548db177

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b3939b391a50c51db812cfc4b41ad771

SHA1
58fd3c674d7a3ce61543857039d7fcb0080048d6

SHA256
b2bc03861d1f011641cd10e7c59e1a16ddc74425ab5b12e59cbcb5b87139976b

SHA512
e40c38a92ec4e6f85952b1abddcb086ce599c075cb198f62e0159f76df9a30023e2dd1cffa9b2be47831158fd94a887145c4d65fff269a98fc355061f652e614

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
7ef396e20ad7a756376fe9a0983ab7e5

SHA1
b489033ae1605d44a3ecc741a6d232be1ca04070

SHA256
457020050c1f8c8d2c747112c74516e688a858e1d67d798e4364ff5b19042ff1

SHA512
d36a02bd673de4063cc94f758375b7c5637893065b9a241ed78d056d0e8776bfac561a20affe4df3c2749b6bd622f6b80dd8e133e8c436ed3d574db241a802e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e063f78cbfeb5e085ed2285d6e33faee

SHA1
5587108e8255341e2a6e320ac703c4cb28e08fdb

SHA256
ce7c4412e3f18a4878089cb46b8b1cc99fd53ab1a2273d62223122e740e5f2c7

SHA512
b0cb55e9909302431443b10f98ba9917349a68ef5144ba6e8705e3045d940fa419a194be455c8c4fdd3c2237f71d8626e462968eb2cdf72745e1ffad03a7b0a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
eb1747c8b7380caa60f5240f2d378268

SHA1
bf1436f7cd573af1995adebed66b92e94afc52ce

SHA256
c46b175b0ac8eb2ec00390d932f7183f910c8bf195f4ee17fe15400aa7f378b5

SHA512
ff8154050768d93cd9db57f843fe0372c3dbeaea7af62ec9ce8abdce1ac5ffd3e1a41b5a09e2cb4af85da47900ecd656eed735cfb93aa3c7d9ecf52631a33970

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
85759d8ec873e70cae74c619057c5a75

SHA1
baf45bd830420828f2ea8e0bb6c5783428ed195b

SHA256
a2c8561c60ebe2e1b1fd19fadce08ea2cdd485565f51fc126f781017ccc370ec

SHA512
b84ab02ff0310444d25a668e2b9bb894e1b8fcaa5d249926bbd4e50646fba48a5c64093a134695b45ee786063d571835460bfbdd2c8c1dd5e6e22fddd2a52152

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d72cf3b823ad72f2f7fbee9d08d627a9

SHA1
1e99a3d89d35e0e4b0007c0412e7c29d46217a52

SHA256
171f4af4f89a19b521ef98eb84483f7f64f80cfef65f8737d055d00cc2fa6a3c

SHA512
352698baeaaa6ac3fe8b510fcdfbaea3d9f0e21be73a38f58607f6ddb90988587b256b1ee2abe8fd5f0fe0577c9d65e1030568554bff7a2a3d65f1382ed2d281

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d4ad26ae502e0d90b21d688fd0a50284

SHA1
ce98a536d128821a60b4d62ff66b8c4ad01f7735

SHA256
56fc3b4f45cbf20895632b7da42061e84a57ec2165d4b49b55ffd5118714c38d

SHA512
3c88eb6a5a5ddf4e854511eb3ad4108ab34af00f609176b61662ed1fca2140c742a682440233f3cbef0979eb0000f6642eb772b75fe936218055d6a4f23eba15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0c95696713e076894c1967d340cf92b2

SHA1
90c43f83d66e63e1e8509883d100b5eecce621be

SHA256
b415ceeb1547fc278c1450aebfa0c2f6eb0ba8720b07d3a305e2a92478f3b19d

SHA512
703696b046a6ad5fd398060cd60f542668882913271caf9046662451e23d73bea7befa88cf4f29e9a44111739a5204272dbe89be5e90b7dab7c708933a628fec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
12892ed651ecbfbab64351d4b5b6635a

SHA1
19698f08cc79ad8861581e99f009633b66fd7d77

SHA256
d000580132ab8cf48f2e79a7fd714635b02179ba1521d2ecbea1eaffb1eaefc2

SHA512
c8ffc542aff8ca417bc7411f3c9dd33538ae245963d8596174e2794274945ba2674905fad7737e8f0d724e7cc67868eb10334a61201d78d8d3bf8022c0b0caad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1efc0338388bf44d9505ab1a8802ceb9

SHA1
a31f4eecc7fc5674a2b9cc2ed880a0c3af88f023

SHA256
32b8072ff0dfc0c11e3fecfe2a525ea2f0cdcc38de28dd3634b272ba1a4c4e4f

SHA512
cdcc98d121f9d5babc5506a47d33e41e27c496317ce461e4a377e8284a4d376d8e66be0e76d51b20ca4643aa1eb7774cf126c2ce37393c0821599b099bc07bae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a62a47a1b8a59a31f1cc1634bb5f32c2

SHA1
ae13aad3e82c36fb3c501cfd693ae0f8dd2cdc4c

SHA256
0b0164ceae4ea2023d3a427ad22614d1ab6c1fb2828e70de1d840c631d64f83c

SHA512
42b1abf15a731671cc6120e0849dd5bbaa2e920c4bde1f9e79383912f21f68f420019696f91ba355d44c852238407191b3b432095d8adc12dec46a222522e664

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
2be1acdb88e954698d9399b31c3ad1d8

SHA1
4e990ddd6cd6700393e1b77ae734387e2409f244

SHA256
21ddc74bc24906ed4f8e29452f730300022dff3c43031a65fe5633fb9742bd7d

SHA512
6eea5bb05d7cff65f86672b88aa6efdec937d8ced76e25a6eeaa0260c0d6f0043a51772a4f29dd097fb3dbb9f1bd7fd7b46fcca456fb5343651294a547c9bcc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
70d20552dfdc88e1b4a8b9ae32538d1f

SHA1
f2063d5f5b28ed0e1417b5420764846ce98637b2

SHA256
f9ca9fbeac7d172e9f2e67957a1226d4a7cdad2d83f9a8101f079740527cc6a4

SHA512
04da7eca9abaceb3be11be74111baef3f411a400cb0bfd94f546cd7d4bd14ec44bce799c843e0c3c3e60d3ed643749028bf6a5a063cf1b44554ea50f008390f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5153f3e0d2802ad1384275becda181f2

SHA1
26f3013c403280036a4ccba0c7dab2483f3a0fd1

SHA256
cb4bdffb47fdde85f49f506996996359251728e8843b53f5109f9907d2e56fdd

SHA512
a0f133f96a5ee9d0cde3344662e53902d24cb501bdc57e14d6f8d79fbdf7c8de6e20bf9be4b4b26a4d7d7e2d9dcdfd429fdb9083b3355b62f2600077e02e0437

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d55f95360583a13cf67ba1d2c768c985

SHA1
d98067bb922c5609e89b20b3ef6294ad2c55dd7e

SHA256
acd52aae72acc6e0338beb7b63504c59bde7f6f96e66e60330a83d1cd6ba9b0c

SHA512
1c69f2ea063f018c0bcdc6f7180a2f0021ac36290faa9cc5f6681db05b5075aa9dd368783813765e4f436082525c5b169343e024906f60ce2ed13d26bc520643

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
91b75961b56710c418f509c52c222405

SHA1
4c9e008c14ab06ab0feda0a9b6f29f9487619191

SHA256
90dab2fe603beda42c9c1843e4114531dbfa45c1e5ab2a54b5ee33c2817f13ed

SHA512
19fff310af9d58f56024e18b11fb57f7c2201b1b698d03b019a6ceb3826153bb9fb9753d2e6c63e7c7468a0df58fa887119d8c2e8dbc5c2a974bbd8cc9b4ea4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c1a7f42c00f259e8382010107b1b51d3

SHA1
19e608d28c2c99a7805ef91323c7cac6fd7b9ee7

SHA256
70486f267143d1adccd6118750c6886b7de8d4c71603e47fc6292219c18fa55e

SHA512
5b6656341be3eb4ac083ade1d7a743618d4287ac3d48b0da1e540911b7f18b897702b4e6ccfe0ff63081fc1798ada9dc8a1e411bb8936fead9939a3167d8940d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7e0921dea99a79709dfb28c30d765ac6

SHA1
8eddf39cc0eb651315c29df9f41f63ccab75adc6

SHA256
68f10353f09e7dd2af3ccfb2461df10b40f6328170cb4cc3f98665c4369a91f6

SHA512
b08161db9a0766bf7fc8f83339e2d800b7ab3e3fbecf8afcd4257b65be415e085dd032162c77df206523dafc661449ff788f03b077cc6186332c1334b3a322d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
b54548da5091cacd62802d50795392f3

SHA1
c3353077708a6f770a0867b910ea9fa4e65a64a0

SHA256
15b11aa87501de748311e98ef267b2cff8e0ff36313c1dd3b953177c81162b6a

SHA512
2c92f0579d1f628f470d54a5c5abb9a864c2e19124d615af7590d87bfb9a6fff6908cd078a1ce3048ba1490d521ec584a07627faf387dcdea29c5342d0c98893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8a58c620263e1dc7833f9c8a79b55748

SHA1
039e6942f553508daeac8aa5c3254e68ff9120d0

SHA256
c4e096c58e33ae78a7d5052b1c11e536db5dd9c662eb92f23fec95a267eb24a8

SHA512
fac5562fd9e15ddbaaf7ebd00ec89c3b08a403b6c433c866d299dcabf255bf757e08904516d377f04576b363b5ef7a8eb06e2e6a4de586f54863f8de8a117d50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
e68c394d840bebe183ac0e6c5a049f23

SHA1
f615a3ca84d0a412df9c6a2a661acc2855c7f1bf

SHA256
569c83892719e68b21496309920972e3d0ec801821753766319be304a9114b0a

SHA512
06bd080004b412cebd3d959bcbb141e5d4e0ece8cccfc161a20d4fa2723178486ef89dfccb30c895fd9fc7d1033f809e23d629233d138ab3c33f3a55c79ce3e4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9d0d1537c4d0a214646ffac26b95b127

SHA1
f1cebec34d0c1b8c81ae990f5c323ded31974e76

SHA256
816591efef5d6d6964dce9b33f2e06f390259fed17016452bd52423030782f03

SHA512
f7a0d62a684aad3f1f399c97a1c9609c466cba3bc9ce0c9eec9dbe64bef5d235051fc2420499abfee4168c90347af94e49e7254f3152e63ffd33a26cbece5be8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5cf82b5cb764ef166258e8faf1bc7cb6

SHA1
08a27081be97d8ead5f090648c0424e168ff817c

SHA256
c0b398c0d11b4d9d990be4f9d36cda9517c7262bc9348c664e59948a961bf664

SHA512
c36d738715546a6094adf83f16e20706c86cab61822f7838409a265e0548dd651adab371f9299b627cbe419a3fa18fabffecd75c57f2408b79807b09a9dff1c7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2fe07341cb71c83b77554d485b2a35c6

SHA1
b618ddf496fe92be897ebb9845f55e1d39b787ae

SHA256
fe3433e82560226abb904282fcd0e2951b6cc7829f4409e59f6349f2a57586c1

SHA512
91d5387881a210e5614b962be5c70be8ae66a05b15d29c014629745e723aa209022facdaf49552168c604f7e5c77095e553019d0cdbdc0ffc10c8174369c9824

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a0c53f810b7ddbb3a00257dfddda53d6

SHA1
1476fe36b3f282b78a3e3802ff9dc98a5155a9d3

SHA256
5d0c1261a7ebc31a18556c26c265d0c2e3a0ae7c1b0553390ea5ee64514618b7

SHA512
f0da8091bd2602d0e1f45b390e6def2172875d1bb5d1a312b96765bd54e2f91f917c15e6560e8c30a5796d8d665c25ab64a305e49e6b537d15e27b922153cc55

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c5f00eb056fccfdde4761e8c4540607e

SHA1
081bdaf3cc01d15d3c8cf06397deb75a165a4f06

SHA256
fd7b46ab3b3855d6ec79a555ce3f18c54ff6b9adf59063cad6339ffb462ee879

SHA512
06c6c75842f2aed4467f0b20737395fecb6d341b3de2fdb810571493a96359393dfb3df8d9bc89c3e7910911e7ddad1c5c97c473ad1dbb9c65a5463a171fb5cc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6b61486988fd62215977b8069a97dac5

SHA1
4fa1198570470931b90584b9cde43bc2c9f94d11

SHA256
2d796e48f7fcb77c9931a86ace7bb5b1ed1211600681173aae885d9f79671d28

SHA512
cd218a39088f1e4ba05bbeecf43419e8d307963f0406f28481a830be74c4d3871f602fa0d907c8afbe61b3208178c976a472dab7b670eba47b73fb1e437b668e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7454d926a72f5a2d58a2199256288243

SHA1
b1ae4dce6bf614ccdb53d50e241a6f4cba49da68

SHA256
2396f580f21eedca2976349a682fd96b8fb7a929ba5f634dced3e1e035c612c4

SHA512
d33c5ba5933025dce82316f465ee98f0a45cd082982863dc07d7a027588c01d5ff77623e6da62f7aa4fe5fb328ea905b55ae80aeff8d774e03d1a347b082c3d3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f8d5147d93735f89770ceb8b181d1996

SHA1
efcfc404c9772555cb04a7228ddf74d04a5efa0f

SHA256
0b6281fd0f7846e7a9571e66907ea43b267d008add525704c78e00f643e7fe53

SHA512
a488a3fdc48f1522b269b7d910fd253f8e0f86eb2b6a34ed0ca4d066dd27bcc2084f04ea6c69ac7874a38b7f3bad75f3c43ce235da05fe2f0c18066f7eb05ef1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
80ff920787654b6efe1be140985bff70

SHA1
233b80ae616d38f123cf2ff41e30cb01f2d5796b

SHA256
53b0a7d30d735c557e77709885979e4c83840833642d7823b99fabef0f0eefd1

SHA512
1507d7a9ca88b0ec3f4bc3ee1abb2651100458ac80bc688d33f7480587bbb92737215b32ad6681e0d2e0f2dfea6cc73bcd676210c7dcf0bc2f87511213decf7c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5cc4bec8629ddb1a820036ed42c68fd3

SHA1
3dcc0a12eb5eb46af9cb4b901a4cd26b130910f4

SHA256
26ae303b7511de6169110a4dfd9bdee5045f3ec4387e5d37266dca0ccfc0e354

SHA512
dcfbbec1efd20189de3e863374dfb3754a007ff132b8dc916d458bfbc5f7ee90ef149467106bb34613390ffec9cabcb5a4f829a3cda066983a7ed05722e8a8f4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a23a5a65eac17834480e3a539f1a21e1

SHA1
485acbc64c17ac92468fd1b3e64e0f7d11b8e446

SHA256
33b16d515979a5d0ceee63eacf134d9dcf0052252ece55ac24ce01ab2e9fef0a

SHA512
bf5b42fa6cd412e363123f3418fd6ab8e8f8ab02d4a5b50080a584a89be9f951b3fca4066294295f8080a6ac55eefc5da81e99c663b87ab85e2a22ab67bf337e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cfdb845eb03ccc757ef700190f55aef5

SHA1
09a9a7cee638140a399cb64f1f1d4361e9083b64

SHA256
afd29ac956da5740c6b709299bb50d32bba0a48a11da152ea36129b0bc322bca

SHA512
a3fcbc3e219ae36d52256c9886a2acc0d4381bc6085f4a82b4ae9f53bc35d40a120c7707fa2d8bfa80f79f1c7bf32a41f1049553e5d40c01115c16dc18e3a664

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f64544f54919b20b7db9c1d58539cc43

SHA1
12959310886a8c56c474a26ccd660a8861991396

SHA256
cc6e5fca5bc18f3754f139a3efd5fd95b1be0fe46347cdb24598d7349801c5e2

SHA512
3e0f49d88d9d4a812de9e2a1a89c895da8b4ebf8929189fc73b990b5c42e485834b0c4eb67a25f0e6a3b8ff7f75796b4d1b7adb40779e93579886980266602f0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
669a93c9e4ad3ae021024b02ca222848

SHA1
65aabff49d7145dc451f2f9a0225844b341291ee

SHA256
c216f5652640b477d52d8791d49f26123c9dc775f78186d507d29f39d559bbf0

SHA512
e5d7586076c7a81431aa594aabf2c71f5b27a8135958537938bdda4f42984146a7fcc49c97e89b6005191a73d2567e2d05143ce7c6ec5f8a508eafbf1fe440a4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9a1a0b4d15b5eb8972eaeadbdd45a014

SHA1
284433b7d7e5c96c2a646b6101bb4d1ea80ffc9c

SHA256
498b4758438efff3b2eae952f4f8097b42eb47921086ca02c6f3da104d76f21a

SHA512
76167583d504fd002ed6b23b687e64740f80458e049c6d414bf8cee58ea06f0ec68eab0fe47e80ba0292fddf0ce0e8afde12f47d70ded6f946c2c4eeb301993f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
28a244088f84094dd7039bf827a73f61

SHA1
2193f8a38facac8bdb83c635ab45b32e0e75d3ea

SHA256
eeef8df6754bd848eb6ad7e3f028364479737d5f77acfd0a73d63cbb6c86626d

SHA512
3461894e31de8ae175e3951be6054a2ef7f1d276d49a043a6671cec0f91174200e67724ff74b93dc173a6677bc8f94bb1a03c00b9a242e7832d540c5baa41114

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50955cfed07fa624526744676515ece5

SHA1
253c070960b7b8e2d4c6e60764c7a721e9ad87f0

SHA256
c3d1fd39772c6b1633be39d17b14737132d58bac5de0403e236bcf2448663a72

SHA512
97971343bdd2cd6c044b20dc851767702fde4ad48c0b8ea4bb0b36f234f33b15152b62d75dbdcce191170aaad53d9c0461f35cb1690d296559ddc65fca61a096

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
343afd718a2ce242c21c5e488c0bde3f

SHA1
50c7f3bfc2ad545e6e868b517cee65f518d7a058

SHA256
0805b8c1cf5b3dcd09564ec9f5de5bf71a99330ec828df8ad3e1c4a7cfa2adb8

SHA512
461c0a26c9708e92d3faa588763981d95c14cff4e84db7292f9eb695e342be5a7076d63d573673720b5186f859ca4153cc22d6efa0c322cbd3616b8b0801683f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8506583db10fdb9eff053963aa9bdcda

SHA1
40641912d9ed956d3b07d6a3caea89ec3eed5d4e

SHA256
71749ac9f54cb65a3fb65cab8fcd92f29f5988d49a2ebe027fc2b9ed19fc076f

SHA512
46b700a31fe227d40baed07f4f2ff22688a7a78609a32c3f05ebc364190efa5ba83902bdff5137a7250f421b2f5e7245b00646d4bbdc99374e99781b9657cbc3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0475d7d7b35797b46f6571d86b098a3b

SHA1
d7e5dac7cde0937ebf405aef2a4b62fd460efed3

SHA256
5c088d35548b9fec1935272f0c04cd1e5e5eda0bf2589cedd9e4b8482c22162b

SHA512
3db5d1991104b6885ed61928840d7fc35fce5fb47f6ca7ac7748e5491c5de68dc37894191e93d03232c6263342d7be29ed2984f7b1c4ca900e33e862b73c577b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6add07062111d7248265d57f189cd32e

SHA1
9abb53a6398badc01c22df84b1dcf1bd833d9dbd

SHA256
9228bb7037e89d2f58f57864440556ec206d02f6c48475c9091fb6f4b094b97f

SHA512
e866d7e9f242fae4892f2eb6d6cd5cb43cb7bc70f57bd26f1877edf516f380246b02b0fda449ec74071199cfd4653ba33bc2a674008c657c5beda34548f9c391

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5eb81348eee0afa92081aa1d0638567e

SHA1
dfaf21ddbcc24f121a6e964a41bd9a50b5314f4c

SHA256
cca7d004721ba940d127679a8bd3d7b56bcc8b624a6c54775f82f6a9a7663f26

SHA512
3e205f219f5ed279d7cacf42c6b7f86b053f51a4ecabd1478f01fc92a3e660f4e19a59596839b736f0f1de155b13a676c85a84b901c68c0f63950e238b928906

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a50d812f06bdd8ce9f2c6d3c2bb2d4d9

SHA1
555b368f44d2d0c2a85011a7142ba00dc0e23dba

SHA256
21076935cc4cca57aadd9bddf4e20af014730daedac2eb2d02bdbc0917af6be3

SHA512
fce32aee65d3b248f792ff01ddb1ae2dee9668b848f1263c4ea12a23c5a7951fc9848aa4d2d28feb1ca51453610ddac3ce22c61ca7641c3228ade0780ee4c0f3

Download Submit
memory/368-680-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/368-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/456-304-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/456-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/872-241-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/872-440-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1492-277-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1492-515-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1684-337-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1684-701-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1736-115-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1736-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-119-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1736-107-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1736-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1888-130-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1888-128-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1888-122-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1888-251-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1996-206-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1996-327-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2036-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2036-8-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2036-152-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2036-594-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2036-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2052-292-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2052-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2460-303-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2460-182-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3088-150-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3088-153-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3088-158-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3088-156-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3088-144-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3112-195-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3112-95-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3112-103-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3112-102-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3152-287-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3152-168-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3152-160-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3448-229-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3448-354-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3448-666-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3576-355-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3576-720-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3748-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3748-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3748-12-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3748-181-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4064-142-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4064-133-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4064-139-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4064-265-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4084-252-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4084-445-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4292-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4292-699-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-218-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4420-336-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4424-266-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4424-487-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4760-314-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4760-196-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download