ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
Size

1.9MB
MD5

3b563ba48a0f8a5c004973ad1b0f4d30
SHA1

82130adfcbfafee98bf66b3121c3f732592bca61
SHA256

ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8
SHA512

a6d4240b76d4fce8a22b3d86031445186329895244c53eeb9d66965b8b169e81fa2595a8ba1c7330f688965db0c6ab646e5ee0a5e8d6104873c2e941303f0547
SSDEEP

24576:j6keZtWQjWt/sBlDqgZQd6XKtiMJYiPU:j6kenWH/snji6attJM

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4556	alg.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
4908	fxssvc.exe
3232	elevation_service.exe
2300	elevation_service.exe
232	maintenanceservice.exe
2960	msdtc.exe
2256	OSE.EXE
4820	PerceptionSimulationService.exe
5092	perfhost.exe
2972	locator.exe
5072	SensorDataService.exe
2712	snmptrap.exe
1968	spectrum.exe
4780	ssh-agent.exe
1164	TieringEngineService.exe
4700	AgentService.exe
5020	vds.exe
2020	vssvc.exe
4620	wbengine.exe
2604	WmiApSrv.exe
3540	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\locator.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\vds.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8c76ac2c4521e136.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0aee4214e0fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000790d25224e0fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000329d55194e0fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a297e214e0fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de0096214e0fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3160e194e0fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a523621b4e0fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b60d6214e0fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3036	javaws.exe
3036	javaws.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe
3320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2388	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
Token: SeAuditPrivilege	4908	fxssvc.exe
Token: SeRestorePrivilege	1164	TieringEngineService.exe
Token: SeManageVolumePrivilege	1164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4700	AgentService.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeBackupPrivilege	4620	wbengine.exe
Token: SeRestorePrivilege	4620	wbengine.exe
Token: SeSecurityPrivilege	4620	wbengine.exe
Token: 33	3540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3540	SearchIndexer.exe
Token: SeDebugPrivilege	4556	alg.exe
Token: SeDebugPrivilege	4556	alg.exe
Token: SeDebugPrivilege	4556	alg.exe
Token: SeDebugPrivilege	3320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3036	2388	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe	82
PID 2388 wrote to memory of 3036	2388	ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe	82
PID 3540 wrote to memory of 1012	3540	SearchIndexer.exe	110
PID 3540 wrote to memory of 1012	3540	SearchIndexer.exe	110
PID 3540 wrote to memory of 5056	3540	SearchIndexer.exe	111
PID 3540 wrote to memory of 5056	3540	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
"C:\Users\Admin\AppData\Local\Temp\ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\ae3fe9184bb1be4b11b41d89091e0bc34ddf745aa78b33998858695923f16ac8N.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5072

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25d4550dcef36570af3e65c4f66d61e9

SHA1
7f4c1d22b27a7eba70a00ef28ffd72b95392abf2

SHA256
94eaf8273acaffd2937b177d3fc2df366970c14922518cd87a900319458c97a8

SHA512
ed47e9b01ac6e667bdcee7b619e9eee84959f60b895623c5c82dd47d3813f1489750a6af41b5f60f01be0bd136195a751e76a56a9a22997efe0a28f10a1678fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
4c8511454d8920af60b20949cf38406e

SHA1
13d0330a4b09195edfb3357098d4f4804aaff6df

SHA256
ac5d95461bd026d1462ed5a7fcd5683c6862bff6f5338e8f11a9bf3c172476c3

SHA512
e0e056c6017576eafa9f98e5eb3014a5054a494de2be3c7e36b42a18e6d1aacae5442424d2e9d53f934b777c30a721c6521d2d4c38e7343227d268f54d869a93

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b4a9a3c4b22674d039ec25c60db8bfe6

SHA1
35f57987d6e26415ec2248051362298018b6fb76

SHA256
9fcbace0c66a26f82093ae83a9bfc84d28fb45879a0438215c466374b0d0e20a

SHA512
a25c656e4cd632bac715728d7aecf2d0de5d611850c7ceec59d32ceed937e0fd62a547eecd9c00297114265bb49cd47a72cfdcb83c3c2529478df5a79c4bb961

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
15d052fc6a918b7ffbf0693d4d6fe29a

SHA1
83bd8505d2863c86d308e7896df7aa6e1a0a1e7e

SHA256
ff60d5b48b5f56638ac46dcce492d88f1dd91947bbc9310a8e2c2e79011e63cf

SHA512
a529bf95aafbc03e2cfd41f17d6182c5b1ea61585e60c8e16b25f06e86ff0a26a03a87db328d384b6c105c1cd78e101ffe0e4d792986c85e2ebc9ce3d83d19dd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9682931f98aece4869869d8d8e54a0c6

SHA1
bdabbeecd7dcbec8e3257740134daad8e70bd7a4

SHA256
6bca4ee5785fe5b448818f2feaa5de89ba37def993d73b03b427a1fe87b367e5

SHA512
d8577c64ba21b991e9d3e0dabd3a83a047e13781ac2998bc9bbb57a0ce61ce5cdc9a7c1c22c89b9e718cf16dabcf87101a13c1b4b653c5860108983ff723ed6c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
5cfd56a2cf40d1a0c1af0ad27079a6cb

SHA1
d63b4c111d5fd54b029f3fb4d54617c3133a0cb5

SHA256
938a73cf715d1eabd69e23491940df580c9b8c4a54df61395e1be632c91f584b

SHA512
93fc59b5b66fd4be26de8d1c24ded7e2c4d8b40ed5e4608b2631302ef4fc228320850c22a2771aea43b94a061879bbb1d9178a9ba6acb906b5c6f580e9938af7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a2514192d92065a96682ed54f1957da8

SHA1
dbb08857c3a68ac9fb56a96bda0396b469e166c4

SHA256
1c3c24553209f96a75c9a45a4c9106ea0a58881105164cac2afe565cbaad6042

SHA512
9942469d066f4dea2a0329c60851618cc3d71b59693a399aaabbf36d3c5b28343df047b29392a4e042916b8ed0002af5769cbf5eeed945b6bcf040a03953b684

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
56560daf0e4fb099767d49ab3433438e

SHA1
342d2d773209fbb4cef6450efb01c1ff846d8dab

SHA256
eed5c9fd93ba117088a413475c558972bf18dbfaebb2940140c67a92509ade3b

SHA512
b5fc0c86adc0b4622c09ec94954751e239cbb25ed02e34baaa14f3b828ba6d6c37fade90a5836b76d3da19ec53a9f70fe5f3e00e8c2082be0a44598dbe22cb55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
18ca1d7e75452403b36bd6233156612d

SHA1
1438c71597f3f8634c0360618de2f6bddd4aa224

SHA256
ee0290bbc9adb83870d23117db9b7e971b5abd3d00dc13c2dd6a495490ad8498

SHA512
49d0c10265d2b2774e9f436b0a503d1434bb8619bbf426cb5af4ae4ac18b732e6c91dff76f92a309764d62df34c882c58ea647ef891ce4637e1bf23d7213d1a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7f5ae8c638c56710c6a47b08425801c6

SHA1
42555c965b604ea9aa17f1e4f78e49c98245037b

SHA256
14d00e4e3e6ac5fdc559b89d60fb851dab6f9c6406d1bca33a58e0b771ccbeaa

SHA512
ccb9f1f5bb7589b4a07cd2d7c6a82730e3864b9fc58b49ea2e2e19edf2f546b9176094bd72baec3c3c93720d9127ab8832a4df4e334b0208dd6349e7279c27f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5803a913116d5c017fa0af433500d63c

SHA1
9ceb9e4611b655f20d4367d11390e71f8170892d

SHA256
cf4827f6f43af4913bd7c6755a1444633b9ef47dcb7c376c7e1a60b6532686ad

SHA512
295e7464e9b05be85c149197fc3a21ab30a28eb902dd302b2ec44261eafceab2bbb75e19eac68a80b91345d6bc032933435dec651448dee561a8b65e86a771d2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4ac1df4bb1b6c7b43db52cae6c66fc76

SHA1
fe06a4e7298b7528a668f9299dffbab41c4fa2b8

SHA256
35f824358be6c2825f24a6daefa7ffccb3e836b7eceea1200b3c2e303bb1aa08

SHA512
5e4c142f5715cd6987fc5e5bb03965698265a05df02edcdfca40176c47b3f38e6aaec0d88b27a0ae53ec3b266f349b78fd8b3dbdca5943c5969838107b56442d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
c8bef5d957311cad5ecbcc6997121eed

SHA1
31d70d843d7ddfcf036d23f616a146d1dff2303a

SHA256
52845e381923c96ccd4443ecd654fcfc4ec709bdf397deb1e53e85e81a7a24a4

SHA512
8247556ed310c83d5cd1513eb41994991b41c4be66aa1e1c4accbd6d9db02708b0475f2ead13f81e826eb67f1ff4119bffc2d8edf7508fd860e2d7812867ffd3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
8c8830bd2aa3ecddf07cdb716431a2c7

SHA1
d4d036c051cb2a9a5cfc090afc974b56df27c0db

SHA256
085b517e3ad989c438d47f05cbee1a3b18210bc040734cb91aeca2ed1904516a

SHA512
7c94e704e4dd13a8916f9f78aceeb4542348e3bccbb67976852a44f0c35540702c5264fb93b9da9424f4ebbc81831b905b2ee298ac7628a0ed7737394bfca2b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ba0be7999663e8d29f6ea22a66ceab5e

SHA1
9cda749c73adf731ef007e2e1fe538d5a06a21e2

SHA256
4b779b4e1b313e646e1990386161120ca2146712c9f64efee9c8d8507ed94f77

SHA512
d15a3f11c16bd4020eeb90375c18169ef6a4bf48f0c3188f2ca2a0f60bfc16f3a0ff1c5a51b9ab831eef6ef133a7251cf4c0aca2e547200acaf973b6105f289c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
33fde54e392b7305c5b8ad1e0e9eeaea

SHA1
30aa58bee531838cfaaebe769683609b6caa5933

SHA256
9b21361df5f2953d09789703b687ec84422ef05ed82c99141055c37895341eef

SHA512
89b172a314ad93d45ca5954e390e0fd4b10cba66700b946c95ad3da24d759f793ac4a5c0363e4d4243972cb4849c600b9ae20647b88002ab2624ad980f880cf1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0459a59a46f4dba1c8d47cdb6e829ede

SHA1
c284afbe9288fb3231fa4fb0c17c36c22c4602b5

SHA256
b7cfdbc6cd9f05bbd69411754ac4d21521f602d89a0aad464475d0499530a563

SHA512
32080ac1dd36dfaf89387432c84905be6a56003d0848164f5e665227a7090a4279d13ce4e22a4169cd341afb2998273f4c54846ac1b4382a1dd3a765b6b1065f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1218b0991af587254ff48722abacd91b

SHA1
12d8b1a480e62fb4e6ee1ba2bfb6aa143638bbb2

SHA256
94da79de2241b860c5cdd9cf16d2c717b4f019b2412e450107f697a0b1d3d995

SHA512
efaba78f654f153489fadc5641f312266773da253f3da0dbfaf8a710ad00dfe83a2f8107140e567c9cf774f9d0653ca68d2c37e288a9492d616891950cdab011

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5c00822aad45e0583a397b0aadaad8d8

SHA1
83269d9c8109c885e3985923cc8dc3cb40e18a67

SHA256
5ed62691a50f477d2d578f4d3021d52d92201182b747816e52711c93abb2b6bb

SHA512
91369afdf7be47202b10536971982c51ade3b4eb04c9a47f64d480582c639595a487bc8813df51102f3e8fcffeb6cc4c259cc41580187b9e1734b7e75352ce5c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
395ad8ddafd6742bad7c179b68289b1e

SHA1
279e65e5a5da1ff2e0088a2505cccd628d4309cf

SHA256
15296aa98057f3bb85ed005c909584b1da4e2a1351a5e51dd9fec47f1bc1e47a

SHA512
5a83a4dc31736492740240d69f23f1cec6d6d97da29e8ab20bf9967dbaa74ef15cfdabb6e8fb1e1684a282f0aa942a8bd75a2d2ce504d1ddf7ac2a39297d2e25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
68fbca12d98e077acc69e2c4d29735df

SHA1
5fe281caf06c77e04b6768d3c7ebcd6d95aac92b

SHA256
4a6c67b05271826b0320f1ec235420e3561c68a998363873ef588196fa4081e7

SHA512
6775dc5eaa7f1ed82bfcbeebc828ee0cf7dcf2d69957f8de9d8c35f37b28163b849be7035435107ee27e74df667f240b68763dc5415e49903e553c5a4f3c3da1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
ad7403f984117b8dba189a69ec8aef12

SHA1
6d30416d4daabfe17ff98efd7e4204cd48f378d7

SHA256
c88126b9f4774f494df04f0a7aabb84e4cf4891faf297ecaa97b2a770d36d83e

SHA512
2ab5c92ca7c086f6dac4ae1c392c0e7bc715eabf10b2cd4bb85cbb77f3377d5e8f0a5c33a074ae51235efeae94608aa339f8cef51a796004059dad9d7c433eef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
6e75fa262d2aa620235f147ef426e564

SHA1
3609e360e2cad8d08e7a2770daa3d6139addc691

SHA256
860f642b8703a46c7b3a2ba2968340fe6968386cbd577c2e9c4dc713110a6a74

SHA512
287780bb1f17b0df02e9dbb14f0af0a4d8791054d355b3569d2e8908f4629d41f3a0fd23c2644e1611b65567444a97fff78af6c1e77c646ab939f1b300fca658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ce7512fd183bb8b5981d997fe2c57f1c

SHA1
99ee7bbc846d7011e94dfd8d10f3d4ea56e4e4b6

SHA256
92148dad1f87cc58b5cf1bd09fe6b33e3feab6c5ee612301a82efa596f616d78

SHA512
c0870ed2d5d7a304e6a70ea4e1debb7468e745523f71c1db82400e8149eb95a2c94b5276063e297080b5b875a2ba16d58fc93a998a55969dfd06674595e5ec08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
784c91406a7ab6161efb04b5b1a8e202

SHA1
2339a23754f87ca869d76a174c4c12f17f8b7706

SHA256
58dbe883775248bfa203299665cac445b0538eeae62a22b4554d8e10e55ff3b5

SHA512
b0a1bedc228042b7c5f9e5d7a62c4832f66578a746e1ef09f7d154745ca696447067d92d712f49ee4dbf58ec9e6b2b7a13d5abde4739b16398eaed2c34450111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
51afcca1469bc25ec53cdf7a10157751

SHA1
7ed47ebe5dea9db735c43ffc820447a0eb5c4642

SHA256
09d72f23f6e785df068349ecab97049850652d7097f07dbeac0a82f37a63e1d1

SHA512
fec872b6b9a6e6aa2515d5390561d18e4b0673c155ba1ffbd02e745629cc4161ea70c00b92eeaa946587f0b3fc01aae0cdbc33fd1ca06763ee8184592871185e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
9a4af3f5c40218164545bf22383fab77

SHA1
57d85cdd6e92675a52328fafbd7929e0e30a818c

SHA256
55a7267caffb5125950fc415f90dd12bb668304a0380743cb3c453acd7aec3ba

SHA512
0fdfd5cde80e6719b059cf90783a04467b2fae6e614373b1bb087f4385a6de51f73f43c2ee97fa3cf4c5cc527e4220d3afe078f0001543271a081c7bbb3cd0bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0fc43c68668ecee5d5a8ecd520a70830

SHA1
eae6b88995b2efafa69ae10e2726731a78ed41e4

SHA256
92e38060e64bc8fda0caa6ef02a8c6f3c22725f4ba4489c8f06c207a0906ffec

SHA512
ed4d4a4d05ba9cb8b6d5b9e52275c910431f5f25b624af12bee46ccb5e8177ab60f41524c0b5f2ad1ef611c798209272ac493371b97b880b4ecb10016bbfd1e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
89bd137fc5177022d26e98b6d04c973d

SHA1
901bd160e6cbb281f0550c64c393f2e86b7b6b43

SHA256
f9a692f694cb7921043188b4aaf21ddbe5adfba0990403f1f2d346dc8bed3c92

SHA512
c34fd05ce4e3f3ef6c5fd4838a143ac5d0de00436f9e98511b6bdf98972b724b87781152204d5a9aa19abe519e8a575490d76581f7ba23aedcb024496f46c47f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5443331e8e1562b8b26640d4a380957f

SHA1
62be8e8b0277fe658b3139b37765047d00805395

SHA256
7f364f696ce96b78a00c28253b6e4160ad53af46500170052ae515d3f15b6487

SHA512
865e9ab0d2529b47618b60204d2bef443aed579f3db0c0aca3762dc6fc5a0d9d6f2efd9c3b1ce01e66714a23fc2a9c41d9fdca328b921e7e6fcd46b18513734c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3e47b55ea82ea1342c2ec9aed57373d7

SHA1
bd22dfea1a78912cfeaf4aaf8f49e743d2c47757

SHA256
5301410b1adf78d9f14ec60731351ce4c2bbb58a923a8c24a173a4ddafafa24e

SHA512
3e441c3f0cf6ca4f58f202a91de916632bdd7abfd2c62dd665ab8077b9c55aa50fa70e6e956fc0d01f74425fd099d975986d14b03327a04d3dffe5ba68b61c5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
526aee8f2ea04a64e5a28f3e07fc8a01

SHA1
0c77111bdf3461a8a7db2c0eb7a7d6a129ec5244

SHA256
30949caaad0209472daa6ade361409a0c953b31b676775026f5da63c4a20e418

SHA512
840348b025aa49c21e438118bff083e93f66f4fc7c4863b07d202154d89249e013abb793e204365742f477e814a3eb442cd58ed728ff7ebc46130bfb4a99366d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ff05f51d5d27e4f71fcf98cb7c6dc2ba

SHA1
9bb10bf310f8bcb0cc16cd5406b4489c905269cf

SHA256
ec11b1fe892c0267ee37dc3ba606ae97cfd00758a09718b0e687c5d533286e04

SHA512
a3c8f3940557967b8a0e92b214ba4debc6d678540d0105524992da994a6f39e977e583b231f2534f27905b58d5e18266ff09e1cb06829a11ee4f17ad1cb34602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f52f5162509b8c0fdc09f4e718293447

SHA1
5408453c72373052c6f225e60fca1fe5d001846b

SHA256
449b03f6635aac3665dfb8610deaed3cbb4634a94dbe8ce624182b5ccbe379ef

SHA512
421afb0a35f5f111601edec10105e60fea7c89bcad5f0c6345e055d555cbdbd0f93cc03fc0011312939aef47b9762d100a84ae5eb6b7bfd5fb5e428ffd9a0ae9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a8a9af729ea515d5e1718365e8dc0e50

SHA1
2d49dda0988c03b010ea45268ecc1ca77536a710

SHA256
892ae22845c0ae0b087e05b52a21059ed1c5c14416d19583e72bcea9c9c0deb4

SHA512
d2252f87acd6a6af012485c21f2db8222ed9e5cfa3fb9319cfdfeed08dd9f66d43caba4334cffd4c0831c9fd55f7aedef764dc15839a1f2f1d1da7e71b20db19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
09881cef2042d72fac877dc6c07b338c

SHA1
985d6319c2cf97373b2eb52efd5389bb37ceb48c

SHA256
8bc8c91682ec9b4efd2ec5a854a334eb806a49b9167b20976e50db608eaa1459

SHA512
cca7583f772f6d641e77d2f70d5244e7a3b4ef457f2188ddd613dd246e778931e299f397bfef5e3b35d7dd11a0c5fd80b9a34a21e5657fc0594ee285a75188d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
eada7e1b89d160382b6f4a8149c5dbc9

SHA1
6ab9cf4515378868f1b2296ab96993bd1823880f

SHA256
87ee0c17c14ff4820df3659f0b22a9d339b23b6ab2f238310fad1210ef8a96d9

SHA512
aa85fabc605cb13be6e3e6e484f5f7f4ea454defc92e24f052e0520e9b38ae9b8b29759a891c1e003ee49c15b0796b394210e04d3c2f3426635c6fcf69cfb9c6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
56dcd1993a6bafc61a510ffde7af1919

SHA1
eabb4558968dc2a70abf44e44e346f4920f007c8

SHA256
ca24f838edf3021f9efee31fa18ab4d9d0cf6ff108dff2a7eef5d488bfa4ff11

SHA512
56778ce3d149995284839333ea2a614f3b4b4a585aa9bd64a14a90ef4d15e23d4731026a220f19ab1070c81711da783b28e04bcbd3fa3aa27b3a53a43a59ca35

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
d65a23be17e9ca5271dc882a39161492

SHA1
836b96595cc0815a731d62eccee8e3f685654aff

SHA256
6cf1c96c1bb4e0464c541e17fc0da8abdcd711da7999dec1e3ed72fd84a02db8

SHA512
01193bb0875e95c63de5d4627eca7844347d0660db1acb2dd25cd4383621d80b9e0a4828e3a01d7c0e7bd0ceee29697ab159bb5b0cb76199b9dde2d53be45141

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
640a1888bc439d5397de4ad433393786

SHA1
738c97fa7f3242322d8dc1ce374a5c8c02192861

SHA256
d990aab4cbeba741cedbaf9c3ddd587fdd852da0449a0065bfac798f15073622

SHA512
f258ea290fc15568719482aed9502a068c4c971ff7c02d1dfbac24a0602ec05c675f8d7697948cd59a7e872d8503f40937b8ab76b33000ea79bcda1210ecf242

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
475889851849f6673f470af68d630fd3

SHA1
66f3c6a0a5ece371516edb28603febe0b2d191cd

SHA256
64d37a345befdedf3f578b1764ce7147a8a1a3bf17bfd60b986fb80d924ec82d

SHA512
65ceeab97b4e79c9a8be1932ba0e92880a051d94420ed4c6c99bfc7e15f257382acbb3fd367da77c9cbb30a9d92280e2c4d6486589f207c0b13e9eb2967c92dd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
847987d3a75f93c5f2f499749771a5a1

SHA1
948df2b6688f8a85ec25551e0eb800d2d854d2bf

SHA256
17dbfa3d12d0fe99efaddf98278356f46b05b45e71e55b8163dec2659fb87526

SHA512
cba3ffaa127a5e6885c30e40a92e86f686e8401e3621e0ec6f620f5c9ec30adf5a73e69f4e9a2206db8607f59534f5338d58764b411d9ee3f0b7f0c6060da543

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5911d02e4732df9d46120a1ccdf8c0d1

SHA1
8b2f1c051e2968fe15c02c852c722a1d02e0e74c

SHA256
3abd1ae93d6336c00f6ec29b405eadfa687677fb080e54a4111ad8bb7d58f439

SHA512
b73607b1642d78d62701f7eb1fdeb0b13248ec9f5f3fc7663f9ca1b27d9e73f2a438b77d796b06455640ea5eb1a93ecd91b55f82b2051133b39e22d9095a3556

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3b88bb87c8b99a8ed06bddca5356ba65

SHA1
407616d4088f710725600884d264e443aba21127

SHA256
13d03bf4e2eeb3b3eee5ab9805ce458f1c602994beab173587b8db1d8e60aa79

SHA512
1b03b5e5c3cd3cecbd852c2f1e82ff71b9dd53c1de60cf66d5978b5068c62c4138d9c9786835f467643f04151650c20f51ef367837cc55a70af297f4dacf8ae9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
52f731d44b4616871c97d001de078468

SHA1
80c9d252867af26cfbdf55fd7154b9d5eaa08d24

SHA256
60f04e71597e87c19f33b13913c6d57364ee93f6050add8a1b3dc307ee1b460f

SHA512
46c545fbd22961071185c0c6884996e7364a9e8dea9f7840620711706329e172dca1361f09994f469fea12d10a2f05a2a5ca05fa059833794b462bd5b11db61e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a52d3feff18ea8d3e5f9d3367c8f7b5b

SHA1
b0f4192e82186eff07a775692a2363723fea757a

SHA256
239fd4e71f36a58121e2bfa9c5a81eadb46b5aac540fff1a18ebc7f3afd4c0fa

SHA512
aa98e29bcdb28a4676fee8a1193a6dadeebf368478c8f23d3918058b4a1d94edc79b687024cc4df789531899e563e5ee29a65970c55ab54334efb4918aa5d4e6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
70a602c88c5bf895f162edcbade98497

SHA1
1ba1bfb8a7bbda7d0591b02daf25100682e8db06

SHA256
34d12ea0fa9b3eb023ad39a0c7b39a0b19beae3424536d98a516e3d70059c9ed

SHA512
9a387cd18bc0c53cdb30c944a2654e3f62e096adfcead0991cd13ff6b8d934f858d4cde799173837549494e33065583903bc3ac259133089868c2a31d08a1ff0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44b193ca671fbb05a9768ee89280d51c

SHA1
7e5a8fafdfb3df255770125e548829c736419f0f

SHA256
a6432a1f669df0a0840e26f882654d40771477e3c0ba51159a8affa29338354e

SHA512
8699f3e6190cfafe5cb252919d35c2c7bd6872af12cdfc283c9e2aac852d1a1c4043905d04018bfb9c806850b7735441ce4f7df37cc4214f569e3499e11fb2de

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dbbe25c64d1636cb6675574c3cc3c983

SHA1
50c145f145984bf7b73ff9de3c65e74160f0110d

SHA256
ee7b8146689d0cf76db59fb0407f068a4c4edf78517d9cccb6589328be5e7a99

SHA512
6511e39eed7534ce08259bc0eafed374f015d99f44a2da0dd51019034cc174be23cc6a29ecdcf0b35f6a648a19622c0cf01ece568822668abcaa28171beeb5af

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b5c6a4836dc1e065527adecdaf9b73f2

SHA1
fa832bc795844dc87e643dfa725e6debe9c85964

SHA256
83be07f00203988b57dec56a2968ccfb57bf9ec05026282c1b6ff4030444a301

SHA512
92087299264d3866ba774149d70db143f3c90926fdc09b4ebc367b4e25641184b640a751e56e403a8e41db55286abde1fe23fb8f6b1e575692a6dd734800e327

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9a377e43d3892c4dfc1056045a4d2db5

SHA1
fea4c62ac9ef2157a480c35efbe838fd25e3fca0

SHA256
167ed865ea309cbc6dd3cb911a3b57f1de5e29e3560a99167388f5996c7f3aa0

SHA512
29328c967818d1d509480162a3c19c6da65eceb02279c6ed7854fd0fc809331f9ad7da4be1db4c73e040a32da4e8147c6e1451ed44170a0fd28fd0fc7225105e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
cb12dbf425fc24f20c81af5b784ca5b3

SHA1
bd6f0ff9f549a0582b5058ecd273736cd03ebc9e

SHA256
cfa2be962b82e580055c63316efabd04a80e9c740e19964dd73b23be335ac28c

SHA512
1afb1ab5ca051f95e40d95d761dd0fd09d7ddcc1d5847b9f6a5266048f552ae548d0baf3c623b78573548be29289514901e6facd8c558b69796e0e0f8e7026db

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
107c1b02561e96c988c7e1a2903e395a

SHA1
4fb048d3cba0e61a7975da40abe29d688fe3b76d

SHA256
75e99b5329da5a3f130b43b49a97c3a0dd4b84a495805ef255e9518e2c5bc208

SHA512
03a1fecb3e17f7c5ce1a90e200d2cae2eb6e7004ea25743eb2fc94d9594d11677c81d29075eac7d58e26cbc2c5ecb04459e8c537eb26dff0ed2dd9af985cd54f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fdda0ba3bcb4eccc63e33bae2c732930

SHA1
7d47559bce8ac5de16c27aca3785d57d3edc4648

SHA256
9ca7d3a40652dd03b453b27158c8e8f560fdfa4fa37f0946c5b084afd5a065a1

SHA512
651d8452748ecc4f9fc730fd30ceac03e2992a9cbd01ae55f179feace83258f54cf07e6a2528c958734ec4434c256be80c61c8dd07623efc1c9a1bf9ba8dc436

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bca3d078a60ce6ca99183a730531d6bd

SHA1
3b82d13f226feaae78424ab7ebe266baf7e468c0

SHA256
917880d9d98afb004fde0d3fd3298cca84b85622dfb4f5b8e724d7906628a25e

SHA512
26ca62c674884cb8a1346c033fea68887c9b3e5caddd2b0d3991db076ca8e3f9629443b7736cd37db397471eac8b359a4358a14df7d9c6e95de731bc673218aa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
eaa62197d1a49d871dc63d0319619906

SHA1
cb405ac2e7a6afcdecf361b28f155d1da097e721

SHA256
3b78bdb0db05c0c63c9c87784e152b0ce8e95bb1828e10bd528088f546af7d97

SHA512
46906ff2dab433fe3938a6464c2a3f723bdd3c653646135e32725b57059729edec95246c6938d8001081d1e14d2c94c0669d4903fb61ae9b289018e13ba47c4e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4a48756d4f636f1682a9597a422ea5c8

SHA1
5f1973d739842f72ed630ee4307e6e536a315d94

SHA256
2e0d9644f7e2997320d533563ea77646e3898a5cd1ae8c10789739045fd66579

SHA512
d36cd81c5e02b09f438449f926006aa7f6b56db01b64793b67b60ce20d6779626fa389cb9856dc16ef9ebd3c319f1e1d63e49f5b1624cc05be41d42cab3a253b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
23f20227a2c34540ae3da5618cbcca40

SHA1
4e57aebdb3c91ea9c4c4734e0190bd6adde611b8

SHA256
83cd2a2bcad2d344a709cb67a3cc7f13e8eae797d828a5529ab63b9dac5faeb6

SHA512
acaca848403aae170393e625cfed9a21f71dc06e0bab08dfb0422a9d60cd8b63ef5a873ee9da4d5d1d1b7a38f9d19243dde01abfeb210e5e9635002b741aff2f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b5bd2035d565c2c5d2cc388698723306

SHA1
ad7421e5885e474648d7919834199ddc985fdfd3

SHA256
e4de4d9854f7bbdac3d197e960fc431cb20f3318828f8bc54ad875448379b89d

SHA512
d3fcd5f46cb9987ed154e992dc726485bcd90d55dc288f1c9b987ee0d9d04d42fac2beca5c697459e4e6778dd3d6fca2edc03174584f74c5236c1c9797106927

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a419ecf101dc644a61d2affbcb769a40

SHA1
00a8d73ca12ac3389a759f88b6064af7cd8d2cff

SHA256
8dbefc5f384cb347b7f6316961bf33c497c0e20e9cc4f412ca513b649d622c70

SHA512
0bf4d3ab58fc9f607f74b814736e3179ab2c7a822053206b1932fa79284c4c5a530633fa7a30d16bc75c1889b26322d23431ee12d2c7a158245205024b61d729

Download Submit
memory/232-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/232-84-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/232-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/232-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/232-90-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1164-207-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/1164-524-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/1968-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1968-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2020-529-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2020-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2256-211-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2256-116-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2300-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2300-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2300-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2300-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2388-462-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2388-75-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2388-8-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2388-465-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2388-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2388-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2604-270-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2604-531-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2712-171-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2712-370-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2960-91-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2960-210-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2960-92-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2972-269-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2972-148-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3232-56-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3232-50-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3232-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3232-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3320-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3320-129-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3320-31-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3320-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3540-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3540-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4556-14-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4556-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-13-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4620-530-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4620-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4700-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4700-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4780-523-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4780-196-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4820-237-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4820-127-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4908-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4908-59-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4908-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4908-40-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4908-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5020-528-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5020-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5072-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5072-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5072-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-249-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/5092-130-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download