25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Size

1.2MB
MD5

a210b365dd3c78d83c073713c8b73870
SHA1

e628721f705a883826527ee805105a0fb9d028c8
SHA256

25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1
SHA512

6256e863eeff690b8e9a02d1ace56bb2492fa0f534edc9fd42ec987bd8ec156ebdc3116be3ecc50596132c50f517e6c2557fa78f5c0c1ab2cbd8d20580365922
SSDEEP

12288:NdBMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:HaSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1612	alg.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
2244	fxssvc.exe
3644	elevation_service.exe
2912	elevation_service.exe
1428	maintenanceservice.exe
4872	msdtc.exe
2204	OSE.EXE
2304	PerceptionSimulationService.exe
4540	perfhost.exe
4960	locator.exe
3396	SensorDataService.exe
1296	snmptrap.exe
696	spectrum.exe
2272	ssh-agent.exe
3724	TieringEngineService.exe
4804	AgentService.exe
3080	vds.exe
1596	vssvc.exe
2708	wbengine.exe
3216	WmiApSrv.exe
4088	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\locator.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2fe2b55d26e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\java.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b497b7876d0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2e5c5876d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6db9e886d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075738886d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c21c1876d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ed755876d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079f48f866d0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048c09f876d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050bfbe876d0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5024	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Token: SeAuditPrivilege	2244	fxssvc.exe
Token: SeRestorePrivilege	3724	TieringEngineService.exe
Token: SeManageVolumePrivilege	3724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4804	AgentService.exe
Token: SeBackupPrivilege	1596	vssvc.exe
Token: SeRestorePrivilege	1596	vssvc.exe
Token: SeAuditPrivilege	1596	vssvc.exe
Token: SeBackupPrivilege	2708	wbengine.exe
Token: SeRestorePrivilege	2708	wbengine.exe
Token: SeSecurityPrivilege	2708	wbengine.exe
Token: 33	4088	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeDebugPrivilege	1612	alg.exe
Token: SeDebugPrivilege	1612	alg.exe
Token: SeDebugPrivilege	1612	alg.exe
Token: SeDebugPrivilege	3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3120	4088	SearchIndexer.exe	108
PID 4088 wrote to memory of 3120	4088	SearchIndexer.exe	108
PID 4088 wrote to memory of 2688	4088	SearchIndexer.exe	109
PID 4088 wrote to memory of 2688	4088	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
"C:\Users\Admin\AppData\Local\Temp\25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4acc28e0718d2bc9634b40db0eddb261

SHA1
ed8f37b78507fefca388451f0c52edfa159b7dc4

SHA256
fe94623df81416f2875d5b62c14464635a3cf59515641294fc9b9ac86101a476

SHA512
39fa68e8cfcc9bb8c2e0e308a6f8aa0e68e83cdda73002572fefd4b35a2b11c0e28c7b897950951f0f0dfe0d92938b09613a9789dda6656a643351ca9cb31f22

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cb6f8284a6455f44b4746c115f3bc5d2

SHA1
9000caad4b6109ac89d450390e77cf2bbd65aa6d

SHA256
8603b418e88c39fa7d56aefe5d05bdbe28ea97f302c65a25be0b138c640646b9

SHA512
423e47b5d866b180e2be37568b08d5d10a76122dc185a272ce5642f14cb92d15a1f9d3592cec61624403fcc86f8c90b07f9b6b180ac3abe2fcd6741771293771

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8c00f737bcd44a9830899e978c0557f9

SHA1
23120ded5250cadc964b75cb5a02a4eef2f02ac8

SHA256
8b48a22c9ab26579b17531eba8fac011c3d4e60a6083338c915278695020fa11

SHA512
05373546801aec282871acdbc2c4dcd12398ad77a27c6ba21818acac2d649e18ba34bc9b2e9dc89af29bface913ccfa790da1ab7e11a960e9927d4e6e345373f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d87f919d5f5c8c86d4b063987e11dada

SHA1
9774fa359f2c516421a0b478c806913a4f0efc71

SHA256
4902b4c9bfcdaa80601eca8aabbdad196829e5921e884d444933afde2aab5402

SHA512
852ccae3201df946c8f5f7cef34ca766114ba3b9dc6505f65147a793ebaf4bff14f5b50b2a71007dcf7929d9076c98b5e7541209394986b93adc2c35241b0376

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
de1dfe6fa51dd5df84259a4a53a6b3b4

SHA1
b6deaeb33cec12ecf35ce39b77cb68f146a86f89

SHA256
42dc35dbddbdfde1a92633d9b1db1180a246bcb55bf34337cb75493aebc49449

SHA512
2ed3eb11b51ce1595904f4a28dddfd3d319a44e39333b46495d67bb2723a7de40d43218f2fdd939c1c7ef7be49f97c0179978117188878269ee3d005e7502691

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
54af452f6290151e0d319fc38572bdbd

SHA1
ca9bb68df49593beeea7d248176d34bd85782c2c

SHA256
51cc5a13a102e2ce355b3274abf6a931d423fd760e87d5b31c9fd82f0a0a11e0

SHA512
d293a1058a1890d2b2cd345b3434b4b6e3524b75cf2fd2961e62ef46505272c1829766326f4412d8501e7cd74d8185a41d7714fcbdc223836048d9fa579965df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
105b8f67d78681d1bc7def6a1b287d39

SHA1
1fb41a19d0f46b99e54feac8f1b422c69fa3c451

SHA256
c5c746ef6fb1dcb856032e16edfe9901b5ce192b2e3ccf8052e62c9f2045cccb

SHA512
5b506418bc548b14dd1ddaa0d2facae72cbd7d8e92b19d75cadb380d79bbbe2fd462484d04828e66d54b5a223f435efad34db6269395ab25b4ebfe0d908fbd2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
adab2f95d07f0dbe846e4b2f4d0c62c1

SHA1
a027050cdf55f6c9e69546dd464c2c88bdc882f4

SHA256
4852288027651604dbe5c5719f287f15e72efe03a51bd046b66689e89fd11fa5

SHA512
f77a815e9bbea189c077a0495408b8a414c5d62a1ef2d24a477432efbeb7d3b4f18b6ca0551283a8dc0961c7d53bdd286835b00c7ed58b89f3d07f4da050d31a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a8dada952616c38a0ce485f4ffe89c6b

SHA1
3e447d9424156587cedbe9bdea10de568875fd40

SHA256
5e9968a7056c499b71c4ed2463e3b6d49c6b58014c1bbe24c6ef7c984054acc6

SHA512
554ddcd30edaa4398e67669b798ed0f3e1c81cbde8975bf1366fc266e1b84fcd0d581145ebb366460eec44236e13fc774272776a68a844751b5dabeda4b392b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
49d103fa7a8632c8d4c279282bb73a7f

SHA1
fe7bc18cea99311d6ed81afb44d08ffd6ac6876d

SHA256
220525be03fee3e2b2fd84667548c0c33583605d85433264e3ada06e082c3142

SHA512
b07aa1fceec73558e0e371ec9d3a55812e2d13531efe9d0829c4ef93d407f439142a1cf231c95eba76646bab04178982513e2ebccbf32f4d98efaaf245cdcfc1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
971571a0f7ec7d68b5063737c85c83e8

SHA1
75d699b234137d5fd8e91910cbcee6ebc68db978

SHA256
afedd517e620dafc3df2042c17b384471856aa82aa99a6f8d1fadc5ba18fd02d

SHA512
f4044eb04f3a9ace58dfe22d518709a1f8948f94f05abe88329b28d484f43819a1744644d4453750b20e8830cb6798c191c9689f1a848ebb7a72daaacbfdcff3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c42434e1807cd0d6b4726c678cea4018

SHA1
ad972bf15d7aa96efbc56afa125c08f4868d5f63

SHA256
d1417d562ee929b0707ec5060c76bd6a51a1e991860c55a4588a0bd7ac4dfa54

SHA512
b43a15224fd00a0c3f6cc07b48630c065dc03d74ff0cf7dcb10683bc897302163add0f3f5abf8491c353564cc0cb3c88fb5d45cc061ff210382389557e46c859

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8aeb45a7ec05a4ca94adffa4012cef9d

SHA1
7f8408e587e0c1af25960c53b6ef021780334164

SHA256
0214b57e1f3a2166b2b7ed3367c5cb61b319e0b376e0bcaf29b082658162308a

SHA512
5ce5fd9060195be56e3ed961975c73ea2dcf63c9b4bf2e109cad1cd2abe11b39e50dbe4a14ead2d8a3a134995c28ad0b1bbffe9c70786ea622c5774e970535cd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
0ca68e50931f852077d112d9b541b9ab

SHA1
817e13f56c36f1b34d686f46c15b33d0263d0b66

SHA256
d19627c1930d28f1afff6696578459e3c6a28fb730e54805a4a7da6f8bcdedeb

SHA512
d473a634a9b330d4b47042c0e17ab3e34bb8f40c3f6d32916179debf7c7c9e933bdd3d30995a0a26096b9160bf3bee30b31bf2f966156a867759112e803781f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0a742863edb591a5b4ba23609623f922

SHA1
92641a277be76c6cfdf9b9c106024983d1201eab

SHA256
123708c711164d4e63c4e4b8eb7169390f57bddca6416aa3c0e90495c3ba9df1

SHA512
e78c601e4540b462e98df5319f4df29539c2d210a457b17e0a7210ecbcdbfdf3ce40d6102b240e06ac825bd2a3a1bd17e0c88439ea4c0d413f263f680de2e9dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
21410b775c9065b6e42cf162e0601bc7

SHA1
f72d5a9d62f645a8ddc3614d117798238edc7496

SHA256
d24fa6db587b8f99a1f955ce759e39260ddcfb323e9a5c704ebb6a28d40ea86f

SHA512
3442350c407551f54eb1ec441a0678262a1ce51d3244b6494b10d5f91143515a2dc0304285b70384b887c65517c63a13f9b0420461eb1f7d1038ab7e15fa4d2a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
df83ad04aaefa071da7eb8947f42ef62

SHA1
83a2512a460617d8755838c4226dc5d91a6b423b

SHA256
e78c2476365f18ae8bd3b1fd43b06643b94d357e59d8ea280c61c88f615180e7

SHA512
93cf3857817fc334180c176e79c39b11b320ebe0c6d492c0581d9f0d3afb2809d542042d508ac1d0cd41aed8d97e09bc9d1458736a5ed495beff8a7880665734

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b9d556fce34d9286f469b5514c6621f2

SHA1
84ffda55de36ebfeab132855ad9bd5ff3b15ab0e

SHA256
8711928dbbfa5dd1ad8fe2c147346e7ca35c9e4f776551ec4c79e5f233180fc5

SHA512
b99acf95842b11b27bbc288089c3866c9426a1c327401ce3d1b423928641fbb7b6bd089b096655c65d8230e88078223892b9c73d5de8b30c6f682f7a257c54b0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c39d342041547d978435c62551c9e4ab

SHA1
3d5f57d471f5a0dfae981951f4461389ffb8b369

SHA256
166acdc1dd7e22de0c3cafde93421a096aaade857a11e8adade5d426535e4cc6

SHA512
b65821242b2cd1410287851fc8b4d2c71b0aab511954546da1e82fca28a2a42a8ebd01f3ed2c0c260caebe425885b92abc56b250cb41f74523d0bd0e01fed782

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3d8547801a077a4524a69c8b71edbd40

SHA1
b94d12eaf2c4784cf93a293ae50eb1777f1602fd

SHA256
48d6b7e4f034f9a9a9bad2ea9edd22667dcd47690f5d7afb3960a517c2108da1

SHA512
56e35259f40173f736f4dbfb1fe86ed0ddceec45ece7ae45daf5335ec583b286e4d20711a2cebc65c3e4f5725193487baa9ad0e62a53a9187648ae6cb2b88ea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
249e079501c485da5d17f609ba9cee84

SHA1
6e9c37d2770380814dbedaae0bc18bde4cf31fb8

SHA256
97557b75c66331b6310d336dad487fbac2a437ed310406042f589a172885f9e5

SHA512
3fb6af00f7cebf637096c6d89dc9163d7f261afbd8e0858d994be86bd03618f9fe09ef26a066a1156a4b0c0c0ad937171f87de0e43ad8a248ee2d471411d5f8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
237ff6ed23e90c120c6d29610fcb388a

SHA1
674f1048510ffd4761e123a2585a9bd06840bd4e

SHA256
af4b84d2d3a5b1c055bbaba757a29c69f3108dc516f6dfb7ebfbd6a1433237e4

SHA512
82a1dde1a5cb384b6a69692834ad853f17df4acab9767fe59849f5b41602bb03407119b4506effbeacd033ab28c9208038a2822c00d1b1c754bfb4e0ae7b9e64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
45f83153e75781ad4ebb876f9c5d1b9a

SHA1
4c11ee7dc5a43a5cf7cb2f5d5134a6cc066e4b46

SHA256
30374dd638b2b8fc53b22d04789300bcb5167e67b03384c6905360e2d6ea1dd4

SHA512
20b313a3e19018894d65fbffcca6afba42958f9e777a3051de2e208c2d6a62ccfa849c0ff3cfc4cc23ec5210645170dd6545a6aad38e2c795a9383a7c57e43f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
682d041e84ecee045041546b0041dfc6

SHA1
5c02c07d1322eb6eae1646b5397ae676d0df8d44

SHA256
470b1ed8caf0108d91e8871310b438c06db2a4419135b59f95597f8e31431a2b

SHA512
665bd25b6d9b4d01c577568f5bab53f49e3bd55e2f3dcc11fdcb14a52930668dcf19cc80407cd01170fe5eebf02dc11a0c745d2a0062301d8892ef1510a1c3ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
618fb5cd31706b025de5dc337e03ee12

SHA1
fc9ece1ab421b9abb50020d0a91daada9a03bf86

SHA256
76e2c026bf26da6c7aab5800274b0580ab9c1fde6cd23d8e53be3aa9793f5aad

SHA512
13bb4e5444ad34260ca97701da3bb05a8cc9b99b8eb82d697fda4875e13ef82b41d24a7db5aec603d8030157f3126a972233ab7b2c6cd50de527e3030de9404d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e0c78480a00471ab7f67eb8acf21addf

SHA1
cdb337279ad27c43db88ebad2b4e415ce05e139d

SHA256
be8be02be91bda3ffecc7ac843cacbf2773d4766ff19ef44405f0c72ca43e337

SHA512
749cda9812e9784c7b937300194b0c1ce9a03f77984c4b9db74e59888d999c40dcca0365dfe0254cbc010ce8522a666c0dde2a0b3bcd2442c277b06111aec0f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
078d3ab675a172c4b8bfefc0436f302d

SHA1
e188c16edf73b98b49ce028d21fc43d50e717a55

SHA256
91795fbce1939cae95487c7315a21b52d5f15c5adc564d5828d4657970d127b9

SHA512
ed70d1cac4a6164af120707f9a5e9063858770f252fca42179c1c48728c4608c3bde3e63e0de8480a29d75a77d354259f0224d7d2c20d315d27e1f520886d441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7cd59b06866625f6cd41efa891671c98

SHA1
5f834d484e90b51d614a1d525279e3d9a704f190

SHA256
d0504883913ca2ffec98277a0637e66e88d889a536ac69f50ae36440190a74d3

SHA512
f35664df68739f8cd6e5584ed7e3fc432eb36b0c0b003c443179011363d3908f11edc652f9e43b7c4b00c5a529a8316f987dde87552fcd91790dd48ff4c8951f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
423d486f849d195f3320aee770360e8b

SHA1
b9cb6389b9b08aa289cae2f02d554a9be0e3514f

SHA256
068f918b0ea5b893f5209f165e31f11b2a8d00dcd88f93409762eaaddb6494b4

SHA512
1a2cd9d0419871a6feaa36a940f93804ed55f4450ca2d7425aaace23652a20bebd9af4560be4aa686e53a2143ee9379f782daa4a20f5b2c5f7a96aa100c17124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
84420323b96a46a54c30fc76913037f1

SHA1
b8cbd1aa1fc800e87fd754cf95ac826ada29a7f5

SHA256
51b5114d8270360932492d531b6bfab89b6f16f963eec6f66615c9e98677e5db

SHA512
b4371538b65835a4071172a6518c905be85b31c9915fb9dbccb6b1841b1eee4430b09baf54782a62f0370facbeae02f61d0f114cdc1fc6389b7b25ff8982a98c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3008c216f6b8c808c38e09f14ad489d0

SHA1
2d463ba47ceab394bcc33bba67edb36929888fb9

SHA256
fc372f486645320176a8a8cc97e00a70050dd68f8bbb9dbeefafec6503730d52

SHA512
e28a37267bf7e24d521c2b6ba105921efaac5a0b6cae0c322204c5ae5d532c2bac879883f6f716e021f183d85f73132c8c59a3012fe5ef0c5ad805f7b584f5dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4b53c25201d91a9c2bb0f7e05f604521

SHA1
d569413c1a6ad2b1079242b64250686f89ac3dfb

SHA256
047331eab9ae8bd15835d645b233ac659cb447ff5e795e5d1c7055beaff9fe97

SHA512
62b5a4c4c5efaa6e1a95a3ec2ef2b879602e56e56e9a5d3f934cffccee2822f4462399fb5656b90a4bb9538c1af8cbcdf66a88fc6af7c3118e302e4a72519bb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6844e2456ab0c1cb82839a45c384b583

SHA1
0fa9b36eaaec0f68b4af6536bdf9fee15036730e

SHA256
ef8527aaf67c4187f141206dcd125f567a4a2aa4f850d18ca8033bed46224f43

SHA512
34333bafe37cd966d216370deef4c8550bcc67047bdf48dfd33438a6236a660f08f4cc04b5266c657a8189c2bb3669046282ec885fecf7785bb9c11e4e02840e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
31bda10c2fe6f15126af6f85289b0783

SHA1
33b1bb6ffc7cc219e84dbdf6020ef305ce6da75a

SHA256
ffc13717f4c27010fafee2e97604362ee706ce271361dbce4eb3ed9a11ff97b8

SHA512
c2a888e89e2969e4519276ce870f1c38f72dce6485bea732f4a1136fcfae817838d556d328ce94e4b92216d8fce2de481307a37c63543640bd08a36f309686a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
1808fe8aa92614a85317eb58c0650e68

SHA1
87800d59606d880fd6419c6963d15eddd9734817

SHA256
8b86635dc054e431e762144bc62e43f840febff03aebd30b06d1845aececccf5

SHA512
4126daea58f5cbc83a6ba6793b29293ece973bde2a30cbdc378fc36991ae40637773d109d444ba2ce12c52aedf555f0e3b2c00d45385f65f18b92f1491c81983

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
17c4cd961a600083135ca909994189da

SHA1
8f2da87af972ae29c47ebed94a1d31183ea3f3f6

SHA256
253257853899257ec1a93c7e4db0807e30a9261ca2b47b056721e348080032ad

SHA512
1ed194a598434b7742dbb2ad39fa3a75159e23018b2e02c747131373abe750212303968a0b143df56cccc6a4b6efb9ae76f6e2d51949f7e028a5d563d4291c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1d8fa89cbcd731f71333d824ee219215

SHA1
d95b692180ef5a5df9f07ac7b91b852aa1487411

SHA256
1387a04ad103119192f701d4b7ad2187ed0859f46cc3af8493191b559e84e2e8

SHA512
77b521ac2a6ffa4d2fa5224e77ca49bb9b2626bd8e81dd07eb4fe1a46e346103b5c78ac207306f9adea68283e9ce6f18a1dce1e9cc444a157e0b956e241c8dd1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e80fb5ca022f988e8469409195ee2b58

SHA1
ae9e294dde696540550ff37dc1014552af841d01

SHA256
a3e5b919782eb4a1120af6a422d3e75c0afc999f7f5dee688d4b8171d62a868f

SHA512
af2797ea0e20af589792c3b34312db420779dfbbe1b3cbee67e314122fa3f83e3888028838f8c6509a119c066c528e8cb808513e7a1b041b35497a62fdda3d1b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
13e02a4edef8f790583f96957946e1a2

SHA1
2dc4da88003157abf8ece66f82ae557908768ec8

SHA256
d5405c22ab82468088528818e358665ba8264b2a552d80daa9379c5a523a6cf7

SHA512
4b56aeae48ceebd49b2c3cdded24f5c104d14ff0bc9c428dfb86b76bdfaaae3b4cd68c1ee73dafdf967f7c635782d51572c7b81656d31e9cb69c04da72f52316

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e53e9d1bb3b69dc963e28b4e3af2026a

SHA1
99c8a323c0f884a61bd102dfda5cced85532b033

SHA256
eb27f3db104c0e1398fc8d7243f10e95ff326ac958d49a61eada0d3782a71101

SHA512
11e4fb693bac5ed745fb9c1e5d7848a87f626c8ae24fe0163bd6c5748661ee4b496f599a660eedb7cd09b1459629e96cc1c62e7dec92c061057330663be9a26b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5cfc8e3b737cbf692fadb020383b0b97

SHA1
7010369238867f23b7b7c0ccf860a904ece9eff5

SHA256
571c6c64a13e0c399611bbbb9fe3c4911f56e37d11f0c12dc79ed84c4d3556dc

SHA512
7847bc32a1cb46e2d41d586ea8f07963757b289cbee4b05231a645e29512780278a1d648190cf543c5b681154c1016e47220835cba510e11b55639f892e7511a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0352a5c548fb0d3f8fda004e5db4bbee

SHA1
cc9ee2be34f4f9db48c5a1f101618fbbb2381575

SHA256
b9dea6bf894c41b0c69b22f80b9bbd4a5dbf308c875c2ee600121ba1e2c03dd6

SHA512
3cbc9978a7fa2d8a3273ae666ba0172565efc1f2a47127800cd1cfa66108433f6d7906426c868036ed4a6e3566fc0ea68e18bfa0b2bfc031c5bfe59f5ccb01b7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7953336dd021d8d70944784d246057c9

SHA1
7707417b951e508b455369d45106bcc6c8150a62

SHA256
2343724565891f29216ba1d8245ec91d123bef6a02324bb3dd902c13b17b0497

SHA512
cbb7409f1b396a29ce7128cdf74be3d974b633d10e2485f49f5026e06ea0379169e353edb3cea0575827437edf656526471e059e0690e2e3470c9d8b07695083

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2b24dd55456961f5efa42e8c7a9968d0

SHA1
eb88cf39e3bdc80648208e38ec5768e63bcb24ae

SHA256
57a42c3ee571570a0751b4685a774f7d1a61033b7a63843de252512c0aaf1e51

SHA512
118f7ee4e9f20925727f92e8dd9c36709b21318b0b64af405df2e769774ba9a6ad68a13277700eb41964a747e6ce69ad13d88734ce49d43c7081629b1622fc47

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4591e0f69d3bfde9c66b3a1a9fef4216

SHA1
a11323bf85bc4c6ba9c5849ca0e8ed83ea9dfca8

SHA256
3499d167ebcb14105391d0bfe4df7b979855cd0c55329eaca4fcecd4cec78a66

SHA512
1270b3b9c6868686055c30e631dde403ecf97ea80dfa0213d1079360d9207e1d65f3fc871963cc64c62a95efdfc0a3dbf1a071879b0db92e62f8b1e911ae01ac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
b6f4abf6382d14c0f91c9234ba4fdb9a

SHA1
b1bf6431165591d1333c35c036d27e48bcf0a43a

SHA256
b0cdd87cc4b206845ca15153e1508f8c0c69ba48f40414276cec519b61be5c25

SHA512
3ef147235fc748b076eff2d64300890fcfd654133aedd4385de9fe6fb2857cdee65a838fb9dfc7877db06852a0591f34562466a8b84926e8d646382b3351a253

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28489875c99dc38d4a939d6722b35c23

SHA1
e25f156bf6868af72450726d813560f0af607342

SHA256
a4c5f976e824d8d72eb29eb2bcb3cac6c6a2692e6106f213917bac667448b960

SHA512
ecd72ae82c47c8bab181a67a9c92ebd3c1ae506761d3adba31ff7aa26ff5239209c11012c6e0a2984519f4a418007d458b876e016023ea7c7c9854bdf4ef9f88

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4d054edb4e131119c5d275404a7d79af

SHA1
dafb8db8f2aa104e2c9d54fa9cc712715ff9e036

SHA256
e7dd591227436e0842d33cdc295e5bb00e7287a361a2d15d88088a441153322d

SHA512
62cada02dcad747c00870469c5a9b47169bd52a0af945ae2a7437edf79299df50e613d57a00e3e4cf02320bf0c4d15d473871c528ca2f508980cbd7fd398fcad

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
365d5b0ce1fdabae286857a32f6170ea

SHA1
27031eb8ceedd60c7c131dca5eaaf1708a0a058b

SHA256
5a0ae46988b5d86aff11548a7a8a328afd82125001814516b465065f1cef0fe3

SHA512
eae886aea72236db07cf095565e1af4fedf5088a1b13c0978d57eea37bdd3dd6dfd29aafe40373d2f37bc02cfacf6b39acf0795f753269cd5fd23e279d62ef8b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9e6df73834048b00fdd47ef5fe2990fc

SHA1
f656d6824bfe0c05f7bc675f94b8f2d40cdb67dc

SHA256
92b3934e3d6c6ad974b39bdfe59e789f6ed6a50dd5a26a074575bdbe8665a65e

SHA512
a44ddec508a28036bac7e7af57c9cb827a1f42f847328c7f3252940fd7a2595da87650f70e034631efb954558befcf6593a2cd5e38262485c1b779a37265ba0e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cf43711569a30e981f682636e53558d9

SHA1
24adc20c500e8df4d6e5b09f460847a63810148a

SHA256
df305d9a82270ba8dfecc261c2aaaaf8cf3a999899bf853b3b1274854c9bcda7

SHA512
3e0822017615f010518661cf2cf813b365346ae9cfb2d64cffa262f183cfe30cea41664aeb155f34442e087bcc78fcff4332bf05d0bc54c1712e54580d94a357

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c6f705b311ab20625316a717a85696ee

SHA1
33392315096936e8613dfca7703bcafd53af531b

SHA256
2416b0ae8760323c2f25f98468402896c93f769fdf51bffcb761c423443b0fb1

SHA512
a05428da78ffbda719d1b75ef3d7acd8025b52667b8d7f9c1cdb3e19b7a5a769cd3c04f2602a51d5582928cdc505bc91703331d96e3f6eeb69f501a3f00f04b8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2a4a6a21a3b82d875aa78f2911f1be18

SHA1
24e7c969d7d08ae3e7d3f0c3304413d43e1d39c6

SHA256
06e459fcfc6b6fdf023617d0cace42fe1a008f428e053e790dd40e2ada7dd368

SHA512
b822defd4a1253efc0bb0801477c2b3474a1e080cab27f2b363b19c9daf4acf227baed9a9c8bc06d9c5816dc7fe020c5db199f5652778cb267fe41c6cc65fbbe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
19fa96474cb269473a5a6738965b3043

SHA1
ecb14a29684fd3b6dde926188dc664fe5fd91d11

SHA256
3c4f6f77b74b274c81613f216787601aa175c9937e9a01b1f6fe7b39902a47cd

SHA512
1f70a0b8a853ed7e9efce607d077a8c65ddaf1a0320f699d4f3709dc71fcc2051f1e07101dc18cc0b734e00e8395417655b9faa888f8cd93fd0be57fe190c36f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
78f2400cdcb1e9772a12caef6a05d5cf

SHA1
3aa51e83f288792c4fcbc2a0bc9e7bd40d8cc8b4

SHA256
ea8421fdaefcf05f4f119e3bfe43ebdb25c542e718e8b1bdf9b2a0be90d45318

SHA512
f60acb7d2de151bbbdb624aa195e933373ff5ac0801421a1ed13267f6a74ba7dab467beac7c569d853470b4a4a1070e4571aaaa55731350ddcf2c50dff14dd2f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ffab26522e6b89951f691152b0259daa

SHA1
09ba60d1798eb4b33534bbdef850677befeed2b3

SHA256
6d54909c7f3b1398c5673d58713aa35df426b91e91a1a8e7de1707eea1794109

SHA512
adcd440cb2c547f0865a708831cac92a284d3518b97f222af289b18e4826d08ce018e7b2a3b2ca5b722e694497428989040cd15f08a8eea5dff251d7d96748bb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
630f260460f5fca557d6b03f89352068

SHA1
efb83e1b3b03ba0de6f04ad70dfba1f2a0a35e5b

SHA256
aa5910c0376d8f71bc7393bb3c165f2053d7cd49431c7793b5cceb5f3eb4bb93

SHA512
ee46d56830db80bf2fc43ea3be35a0527bbe22096581bfaad0daeddce3744f875d5260b4d72fe4903ed8cf87153cd05b0a597e91d980d5953274e77f11f64b8b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ccf28e4ac6fd8288b706a3cc2ef20922

SHA1
15cb2ffdd71fdd9101f89c9e12083a54aaa1f284

SHA256
30eeac43d970ca84ee3a3cfe7aea43d8a09dabd40fd78f9f2a415ce045323595

SHA512
cb006fd488d76bdb933e7f1d346b396bf48e3477841486aa8a9c04373304391ab915ac65326bac0188421de461ac8983b1db3c1265fbdea65089580f30218596

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
4ff24a0e8bc8b26216f7aabaa080473b

SHA1
d851ea078ea66b42e82596c442e5149db199d44f

SHA256
c0c93ae53225baddad4578ead51e86a5be91e8b33c1da886fb2761e305973d61

SHA512
aa6bce06f17d9eec10b5e819ad73d89a3b0d6d8b90f3d252ae7b0ac57c2f3531c7595c52a33f96e97d3d32e84d1adea62ca81c7753f8474fcf3c04fae7214d41

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
082e3fa5dcf01de66a4560176ddb1302

SHA1
965a38453f55488ba2bfdbae5887315557db78c6

SHA256
8612a249fc1fc1073630948b03ca800ec38b56046f0621583a4968006d724f41

SHA512
f1745327eae509fa248a53ee7b002c7ad1834267c5f2b08aada93af652b6af098fbf80c659d5471c2ced6128dfaef6d98a66c692929c64f692f1e229b0d3c957

Download Submit
memory/696-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1296-248-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1428-234-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1428-76-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1428-82-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1428-70-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1428-578-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1596-255-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1612-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1612-21-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1612-13-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1612-257-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2204-258-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2244-38-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2244-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2244-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2244-47-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2244-84-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2272-252-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2304-259-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2708-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2708-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2912-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2912-572-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2912-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2912-79-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-254-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3216-261-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3216-580-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3396-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3536-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3536-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3536-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3644-68-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3644-49-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3644-55-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3644-464-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3724-253-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-236-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4804-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4872-260-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4872-87-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4960-237-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5024-1-0x0000000000A30000-0x0000000000A96000-memory.dmp

Filesize
408KB

Download
memory/5024-485-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/5024-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/5024-6-0x0000000000A30000-0x0000000000A96000-memory.dmp

Filesize
408KB

Download
memory/5024-80-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/5024-7-0x0000000000A30000-0x0000000000A96000-memory.dmp

Filesize
408KB

Download