2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
Size

1.5MB
MD5

60d67ffa3078eaada9390dae7e76b60d
SHA1

bdc75a0ea1ad4364b341aedd86b7152b11ed95b1
SHA256

2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116
SHA512

11e9f741e8f7068643e1233153436766d099219b0ac19f4a2551117e00ea10dd06400ace58cb2b384197e05ea90e17fe0191d1b9eb71d2d36814b2cc2baec6ae
SSDEEP

24576:J6keZtWQjFsqjnhMgeiCl7G0nehbGZpbD:J6kenWeDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4680	alg.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
4076	fxssvc.exe
3228	elevation_service.exe
1572	elevation_service.exe
4292	maintenanceservice.exe
1628	msdtc.exe
2500	OSE.EXE
2196	PerceptionSimulationService.exe
4404	perfhost.exe
2396	locator.exe
3992	SensorDataService.exe
1564	snmptrap.exe
4944	spectrum.exe
3608	ssh-agent.exe
2352	TieringEngineService.exe
3500	AgentService.exe
316	vds.exe
404	vssvc.exe
3204	wbengine.exe
2636	WmiApSrv.exe
4996	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\System32\alg.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6f676d27b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\System32\vds.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275154a8a812db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000e168a9a812db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002436dca8a812db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d010b6a8a812db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4a910a9a812db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d6367a8a812db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7f9a5aaa812db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2588	javaws.exe
2588	javaws.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
2316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2724	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
Token: SeAuditPrivilege	4076	fxssvc.exe
Token: SeRestorePrivilege	2352	TieringEngineService.exe
Token: SeManageVolumePrivilege	2352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3500	AgentService.exe
Token: SeBackupPrivilege	404	vssvc.exe
Token: SeRestorePrivilege	404	vssvc.exe
Token: SeAuditPrivilege	404	vssvc.exe
Token: SeBackupPrivilege	3204	wbengine.exe
Token: SeRestorePrivilege	3204	wbengine.exe
Token: SeSecurityPrivilege	3204	wbengine.exe
Token: 33	4996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	4680	alg.exe
Token: SeDebugPrivilege	2316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2588	2724	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe	82
PID 2724 wrote to memory of 2588	2724	2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe	82
PID 4996 wrote to memory of 5080	4996	SearchIndexer.exe	109
PID 4996 wrote to memory of 5080	4996	SearchIndexer.exe	109
PID 4996 wrote to memory of 4948	4996	SearchIndexer.exe	110
PID 4996 wrote to memory of 4948	4996	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
"C:\Users\Admin\AppData\Local\Temp\2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\2b0dd7486f83051c7a109d367dbc2307692dccb8a5bb358a97cd70cea76b1116.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5080
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7eb018d3ea9fcdb28be06e53b89d58d1

SHA1
d70bff81e2f0a6c2ff67db3cd4c3dbe66c55e4b4

SHA256
fada99b1b4464767e0beb0325ce8da08e66f1b341ac740906db9b5e418a2f236

SHA512
11abd79f59e2b25c9ed71b6c504c5a86bb8df5a0b52dd8aaa47d6fc49276420f96577e0cafecf5fc3c2b054f9918e46e6da84375fad77d04c6db71d1200671d4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
83b4b5dedf2cd891e91e6f0adbe41658

SHA1
c4c1e6d553d9478681e7585e6906611e5396252f

SHA256
315ed62db4afa59a35d6340ea046f7c15bd405fd0f79d921aa588867257ed8a0

SHA512
77208570c7d59705ac2eb296b40fd1f03b02b9d77966b11b0f03c8ee1dc5b266cd24bde9b07c75ae2978a257e7305a7be6bec63cf86ba57a86e97402861f1427

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
4b1bb53e05c73c757ff7d344d3a72a73

SHA1
a367d50af2bc42499da5b4130a2ceee935cd4aac

SHA256
10e5490a3fb73fa66501c22164ce2bb377f7583b4c0b69dbc4a32e8356383a8f

SHA512
23614014898ee4484240d75c39a04c7d2d3f53835e2cc7f0bfe21ecf0f4a80e0934b5867cdf7bb8089b2e3403126aa43e5890ba01145ece2dddd06bd2979336a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
41f04c39b1888b26baee57bb5fbe27b6

SHA1
77d6018a7c44a66928495b01a5425f78ade5a198

SHA256
509cbb920a87a352a7af29d03d8c8cd2386cbc78bff46c30977cab6b6e98f88f

SHA512
ad870f6ed60fcc1c653c0b7b045d717292a13f1dcbb2febe67e4146d70cb163b6e29c24b77dd4907bb6f6a361cecd10ce24d4b210400fedde76a854491d3be19

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8a7b9d969d5221c757f0be091256c9bc

SHA1
bd3a14da7d4b623bca07aec402931b4a1a99c0b3

SHA256
e8110c44eb00f2dab013cb9e0daf22a2bd5a8fd3db008d0fb85bb549e29845cd

SHA512
82b65129e52638fab0932ace48b49047a9f32aa1b3f0e928a1fc0c0112cf5f94abb9df841079edbc3458e79d0a67aa48aeec7f45c43f7eb5ffd4a39c2c8da525

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
6f84ab0b3d1f1af1399c3dd5127beb23

SHA1
66fcbfe671304bac279a58c84bc2b2912e1b8102

SHA256
8e05aba61fb50c224c7446bf2d173e537f392d686d84f3d6e1fe0301949291df

SHA512
fcc4df5f700800e6fe9d06e8ce5fd6d18c9b5d63088ba072a7a33460cd2793e62a1ba9c2cd4a63039021f6fc7ca44b79ac9fcd7cda7f857fe47d1a2ae7df902d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
e645f3b92f385dabc838978bc3be1e2e

SHA1
fde8f25c6863336f86e80984c3d477e0f951a697

SHA256
a0b3a0e88572d0c263b769a2727ec409b1dd3a6509b32811e5d90f0ce3a8514e

SHA512
8c062af942ed8e1f5992c472a228e8a0fd325134d7e48808543647caa3850080e2b6c9b7191532739581c49dc2fc8c30121bb726053804619381dff4f6dd7b7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
04a15a4b170660d93b5100b0312eff13

SHA1
ca20f1fe9725d95e5bad15af1e8de85e0f27ac86

SHA256
6824d2d349810557833241c0355b5812eca9fb337a7951bca93523258d4cbaba

SHA512
b77090a0c11fe986b8ac73ca5373cb5f19ff9810934a512e3fb9f5c91fc0108d4f0506f0caeb3199c4c68cbabab92c5061d7de59753bcadb0205c045bcdb0840

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
d203143fca767a5e783b7d6021f8fd91

SHA1
25d8340b16db298a3be24cc66974d90d028336ea

SHA256
cc45c83da4644d2f2f09c6b25bbb22066bf24d2f0d3232ace887437c97f57f17

SHA512
07025dab68f64217624089814f7f7be768016f369d68a2cbc247f7ec8dbaf668b815511608531c1bb4847489640144705e775c0380c9c64aa98969334c89b6fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5ce9b392f58f2d5e742aa7b219417177

SHA1
e926fdba4f9549786eed71c7e241d7df31cbe1c9

SHA256
10bf14786336289736c7c88233fe62f946f1e16e8151099ff5d5397db083e20f

SHA512
d3421d3da5801457d2dcdedaf324a9eb8c5786cb62b8281742ca76a88eb000a260cbfaa9b762ccacea650a56e02674deb20211771fd3a01d167be9f27b52ba7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67a9e4cd63b3b2edf60199dcb8917215

SHA1
f63e3692e91c50bfdd2ac8253c87fc1f9b5639da

SHA256
8a3d8fc107ea9827cb38abaf9f563b57ae840dd496af9abe4755882c5a8e11b8

SHA512
749e1f8ac7d8d7ec057d304fd171c4db5b6ecdf10e348d87b3e812b6e25438c168192dd98944e52b51b538b50176c736030b0120526d7d744ed71bad9eed01d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e8626da9f531acc107dc7ef5b95cfdf1

SHA1
870bcd8c4aa237369fd0de543d3fd959f2de9802

SHA256
11fdefb2452623f4c1c85664d26068eff4b593b2760d7a3557708757259bb574

SHA512
a7ffe470592205a425859c13ce7dac550e1f191d8fb92f6a123c2b6913f242ed03742386b307dc147fe6952cce2a48bcf8f3d1567411f990cdca0b1f22e93774

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
af9fda1d264a67dd240ec21fa8a61f41

SHA1
41bec4ed772655408e742466ff06c9a881c66f18

SHA256
7ddfc3fa1ad7718502e231c105168e762848b800c926a029da07045a153c529c

SHA512
78463e4186c47ae19c3feee5cabb3cfd50658fa3ea293f774a3fe936e16de62f2a7d306a2e2407eff77f659ccdde16874f85a52232b186b574ec9c17118d0b4b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
66218c93e089f315ce54a87a25271d23

SHA1
b11938f26b27cf55817ce35690c8c979b18b1aa8

SHA256
4c5fcef6e4545d72732e95515e236b7c7f42d3df3b5c5b2233819b9a2429a2f9

SHA512
2554faaa5874753243ce2e25c3aa728afffe732e3ce5644ef41a25f0cb9092c10bcfebb28eacceed1be80b63d152b7f1ad3d27442e4e75ce1f62eae263159209

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1127b3959cc8782fda69723798884569

SHA1
494452ead6870861164d702de7948bb933e3372a

SHA256
a0af06f280239afa22fe99ee4601c9314c8380c450c1944ab8a7bdc777e7068b

SHA512
29061e7898e2ecfa5ee7f33954a68f261d9561d1f2d2207467029e22ef18579d8b17a66f18c182533e44e15c81885dc9048851b13470c92c3ddc2c021f548ba9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
84e5a4078777267a7c39f382510b7613

SHA1
f0d41104edf0c463e281061a30733367a352f12e

SHA256
c25dbf42091209377a9d2d846d0248317a1b7a9d5639610cde22a6f2a4fb266e

SHA512
77a2c4b63afa2ae8943b7b7b9fb02d08b4d17a31a2672e4a88934486c59db849799bc3fa4cc2a13435fca992a80f612a34435ce103a140605235108cda3746e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
38b40a1ebbfa85059a9ab98dc301fb89

SHA1
3a8fe3b965aad7d5a354ca7655ea5a1889ed4bd7

SHA256
c7c32b2de46be9f16e9b4b23b28cd265fbdce225e8e383a81d8a148e5de43734

SHA512
d978e4ac4f2c6b2f433a802df25d460eed2afcf5be06000355edd9775335cc1110f97df35c3cd6a2c09bc2310c87f311396352833d07af1852c497417ae7ea10

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
bc2a57ce18edc0cb699e0d1d56e7f0d2

SHA1
a3bfae4ddcdd45ec6d16c51898f008ad46ad396a

SHA256
31570e28e0364293a624f9e4d3cdbb37456c188c43590b9ca01fe660ae60f650

SHA512
11dad2d27faef17171e8e0834d564e605f0faf956bff5c84c19631f36e9f24fb477e562d2ca69388dd94477667faab1a05627eaa01c114cd992cdee8d40d4916

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
69acf8c0d711041ff0f8d8ba74773160

SHA1
24229135c72ada77b193578f72853078e315d2a0

SHA256
29793c7550045757842f865565711f273ca3c56026987b7b3e07245e8c75ca35

SHA512
002325a9d9d9856c76e64ea10af39b301a8896f879cf8638c423b8aeccd25b4464e369b98970e465d131eb77dbaa898c79e06cef0f7ef73789e32830e5b0d64b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
96d31751d315888741dd7cf26770b9b3

SHA1
ede22dcdb7367233975427b9c371e33fa75e339e

SHA256
8c78985b8ca7095e5a7e9d9abb9969eda3d5597caffa76f5d7d1450df4884fb4

SHA512
5b6573d7ee9d46f4d3f45d0d403b6723d067b1285d9886ca84bea49eed4407e19a9d011427e529a8b602fb52d78ac7d093ba9f46ea7afb0361f2b67ddfc5cf1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
891ffe5f1907aa659c8b4dca93755fca

SHA1
31ff4e5b23fca3940da33b08beb4e6383faf708d

SHA256
5ad4f4c0d31d68e9fc5359662095f0bb735883c57c4eecd4c7918a7f41db9a88

SHA512
9a8991fe21751ca45d06ba1651978b26073623d6a0325911d79da1db7e598cc960f41a927d01b6da45bd48225fae29116de2413cfccd7863045db1d53bf2175e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
38643ec6bbce34bf93740fa89c145d4c

SHA1
a09b31172a224b61b5c8dcfe834f74675570c0ea

SHA256
8bcf7a1023a6d8b99c30f17ba2843707b99c155928a25215a4ceaa17b66fa03e

SHA512
99be44e89931b3be12b381dfbeac8d238b87a461083b1c49a691be113d8671d4d08378552797b32ffdab6d34ecfbb33ed050a507ec05217fc4e1bb0568e785c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
5ff98e7d701f3f547c564ffad2b4a6cc

SHA1
fede0094279536c5ec98abb2a4a95e027ab4887e

SHA256
ec9f22df8d8afcc63200a221adf132693ccd24d169bd51ea0758d4687d101322

SHA512
8abbca3bb09f9014986b1ec5c3399b68c30ce1748001d4e0c4cf00b06a40678a05670f22e4b48784909ae3d605c4db7084148d87fc78920b14167df8c5a4b677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
d0055eca956501580b11036eeb98d8dd

SHA1
23a2fe066b8bd1c16f1c72bab7e0e0d2a95aa506

SHA256
bc46198ba646946c921d4fa0424730932105eb3a74f0493dcbf8c8be8f5ec632

SHA512
d6db005509f8e33812a0d546feaa7d0acdbc24188c034b728408df5b0e8df113009fe039c53abf71f3d80c44c8c3b7e015404ce015d636edf9a373f526ba7c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
0839530f392eb65b6601f169bef6177e

SHA1
3346b0d0b231f88a0ae8a163ee56c7457a42109c

SHA256
7799afd1d37804cf1e3f11b2fedf486e144547712ec84e7c4d978b47086e704c

SHA512
e23c80a58315d7e28186b878ac1aa0feb69c4e36b9fc805213e36b8c3caab7c65af5a837cf26f809c0a7cec149b7c9960d106b9347ece68e2eaabe75aedacd41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
112855c0a8e3e76bf4aa42ab27b01ab0

SHA1
9bb01fb39f592096691897db178e55913ada4133

SHA256
04f48b10a85710ad8911fdfda6ed58f29eeb75bffe25691f492f5d5c37b839de

SHA512
b43c3cb08affefd6fe47430d0586066a043b21a25b6d100b7f16eca6ff88b278559223454bbd87258241f93c49f2c0a8ec91f000ebe3ba708c3812fef477318a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
b481f65bce724459be1501e5e411d70b

SHA1
4fd802149a4efa8ae1c0e7fd39a2ad59086778dc

SHA256
40340a102f8f68c6118f84470da8f2ad0ad649858e5ee1b9364ba07589165c47

SHA512
2427620f9697a757f7ea4aa224a58565f27002ed7bf0aafdbdb155b9b7e4e6de09cd75a962e0067b2f4ca02087e0c567f9ce4dca88d48448eaaebcbbb97c3cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
e1c25fd288a843c61a69b3fd60510fb3

SHA1
dc7f690c9f32631fde30ef9c307dc2cfe098a3eb

SHA256
04d1d06c99c86025f5fcdd2e0ba5d3c91669d38761d76af08bfe4f65c42f3fd3

SHA512
398e31882ec5ea4df0e0d260bb02850cfcdb78d82b0bfd59c6c02ade4d05fc65e78e7c355649dfefc0733b69e2e3053dd74f9f3a41d63a6c756ba88378254bb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
7cc14073e1cd2898119a5049d60db481

SHA1
38356706ae469b7546c0799e13369097e44b397a

SHA256
325b134088dab1ae2c4e41bf09139236d3917600e8a00522764b9fd5b145dc6b

SHA512
d606b3b511147315219e0a097c7b4d65489e8946ee17d395ad7221cc89e592bbcd48f7db703464462e164440f44ebfdf41e887624f905eda48ba12c29e04e2a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
6231c65abb508d7dc130c30fa635b531

SHA1
b65c5cbc557bcb8c33580b4245c84abe6f674b22

SHA256
1925519bf529e10e4081f942decd6ed16e834a728095b618e9b733ea77bc39a8

SHA512
f102e162a1d5afe366c435419d99c663e2e50d26b3b6946574e2b31af5025ba6b1843c93957776258662ff0d5270815c2ecb70d7a1ef4672c6758ca2a7afad5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
f7b4bb80452c58ce25dc9212910da807

SHA1
c765681330af91b265eacb7ea573bc9b64819900

SHA256
106a727dd82b1279b05551a83df959e6ac04bbbce3c3e2ccc96cd7fb18cd26d2

SHA512
02f6a6e9811075a43186ab40fe38b7ec4ef86b788fd82a685e91b265d12a79805cb21f912ae9359cc5ee9e870b9f9bab902e340a4f674fe278e223e7138137bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
6efe9d0c7039435efbc4c24b7df57077

SHA1
4d14880cc6e69151c3428d035a414d091998ae9a

SHA256
ff5f36505d984658cb6977dca4ab95c87aca0c295bf37582a4d4c362344fb3fc

SHA512
1fc2e1836fbba57d75cf3af74d4e0aec5ddcbbf241f5aeaa4b9432c4289a0a9a786327285597fd39923ae40ad8bcfe0a300e4a304dc98e552865abf1c4db6ff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
33ad14f129b04fa9a3ae4045fac87502

SHA1
334a549e2531931f83ca86a4a4a88ff5b842644e

SHA256
c0d32383402d2fe98e9c11e75f1f34671076e899387c809950440013d001faa5

SHA512
692efe54ce7f57e4763a3c2b205eb4dc99c75fccecebea7c57b40e4ec157479520c2f6559ecb4249cd1572a993ce67127fc8e2f260e50b4d21768cceee1dd6a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
6647b9efdd642195e81923dbd07efd18

SHA1
9b19a6cbce995470cde9f5d0467bdd3e7e2ddfbf

SHA256
f263d04c31fac7df3a03643be45a8c8ca616b6e231583d23911ca0f947cd9d2b

SHA512
bcd3674309c3c5be663c668ada249cbba10eeded119f7dc3aeb6a0111da1e76c3530c2ce88852ab46d48205ec3a8307e6a4edaa71c65d8fb8c904b5dec46b607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
31ddc972d3a2a722467c7f301d8369cb

SHA1
b35c1693aa3ab67914415c726a6b28f241fd8462

SHA256
e3f3894fb05b0d067ed2b80da301fbae86e6ed117bd377d513670213927fe671

SHA512
b7aae640c35ce48d67ec758ab7aaadcc9416beb5e5ebff5d9769061143bf373c488fd02b7011b658637ef0847a6c377001b58ec3deaba8ba7b98ad146c192b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
355fe23d9a3e0e92aeccccf047ab62df

SHA1
6cd34fb2f9d657aad7f7949bee620f5afaf8ea39

SHA256
4147b17effcc53ec25f6ed367b586575d5194b96a90b93627f60bfe2328e7468

SHA512
cf08b6f919368b25411090e5851537985524974f10e584353a7e3ecf4dc7c3a156abfd8d1f6eda4cbc3989c07f2bcddffa6bc6d967b119aeae47f95f1331cb1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
24b208f4709822e9be46a9c0ad857bb3

SHA1
ad3c972f1d098012496cc697dc8b89bc946c14fc

SHA256
23ce28e9399c594746bc219ae3c386c37ee743c05250f87bde31d491cf2a0a38

SHA512
3bf53e5c8f1dc0800d0c37053a1996fbe4fc00c46ee5780a871edb94ab802b68a7da18b43a44d770fc8e2b8738d6c5891219aae6d3bbb91a5a32986e8c718a76

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
99da57cac5dc9edd04da506ebc2a04af

SHA1
544a4aca687eb603c7087d933fbbe41e650d3364

SHA256
59fe176a40a9b5f94a2e5c120c7bbe4739444b92277293f39cbf31856d575df7

SHA512
b45db596acb1267526b4e5cc8cb2b7e4fc2085c18c31b42bba4cf78e4ae1e36567fc0fa8f9a24c3b3b134398fb0e66d7d871b2589348261a886f9c8f93f61a8f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
38b9bc6b582e2fc469945239d55f9beb

SHA1
c3ad063b98e491d43477fc1acf53c934f1d3742c

SHA256
5eb0c3ba84911c4d8e722dd27cdf0fd983fe55afd708a8c47e9ae724bb481a3c

SHA512
c65d2a79012a9c87c61778d6121dc84e23ee0035f92e9b7ae59f6c79d1612541c5acacb7e7897c37ce245fca5075f57b16df3cd2b2a918c7d749cf37aaaf4845

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
3dfeb082bdb1f712e64387b45cf23c27

SHA1
273cc956be1e1b1d24998a20f947432fbc762beb

SHA256
8be5c3f531818f7bf582df38a12b5f2201177f973afee2bc1fb1d94b3e4dd80b

SHA512
51999f622b54a83dae1ff0d269144db1adbe98e685b1ddae2cd0970d010af12ad8603b2110a331a0d91c67c213b189cec5a6deacf6241d49d852de3b0b92a6e6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
23cb5ab90f0c6a6f2c359724241cf812

SHA1
b097a846c6de03fbbff304df2792c465bbcc56b6

SHA256
6ca21578c3e700e2b46455d3bbae73500808b9b2b9800c7007faa0fc744309e9

SHA512
2f6fc5b62cf278a32cb253e3010629d74720aec35434b213459a1d4e4601e33bd67f129702d8722ee4aabb5901153fd1c0f41d1a1c4fbf454235f41e3e4d98e6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0e03d504e654b3a44948925b775fa015

SHA1
383452b3d759087cfb5701fe887d86e738fab784

SHA256
bf335a493a26a14e5e438d398f17729c5a69f3c188442c0d86b0e2bc7d4e0463

SHA512
4cf675354ba965e890b4cf59bae4d3040ed8f85fbbcdfa57ee5e2345d5100e98f4d0b44509d5c884257627077d1917a5ab846ad77abaddf10e880068f286b664

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
60b72a12418ed46dc40f7b7d54d32719

SHA1
8f8707ccc7c0da280a921107f0c158556b6dd782

SHA256
308742f6913db0540ebe50ce378fcc316de7a6f1686425f8c8fac573b8ca3934

SHA512
183260abcfe94c5f265fc934196b93f5b60410c759f22e697ebe8115f33501dc0497a48e81803ae6a08837a11e63ab3f237ed395dfa7b6de9adbf3ec65da3fa5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
1153ba882fcede551172ee9ee5088e88

SHA1
c058e0688744e9f484efdbada69c776b261225b7

SHA256
f00a5b016cb298882279879a86e63622a84a8ea7db886450903bda83619b842e

SHA512
8d37fb77da9665052355c20a44c806304d7b06373147f86480b08ed85f88d5361784d231d0eef72251aee1ca837fe949a831ddf905c91c63a98f053d192cc6f5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
992b685e3701b9fdf2f712a76dbe71f9

SHA1
cb6d58ea9c07c55f3efc28840806c72332773831

SHA256
c2b59c9d91ce47b89b047e3a9bf6d7437920c6d206524a075ba18940c149ba12

SHA512
1c2c9c2a7228a13cdddab52df8a4dd535310e03034798404be91a4b65a0814693431b5795efb14af5e200c1c362dc52c71fa49ff00972c9c6293ce835ef7a335

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
3b2e02beabe36e13897b26473c5d756f

SHA1
e679d43c49e642f6413175e87aba7c3de93b9534

SHA256
cdbab854e94d015d9b1e92183ea4628d8c19af4e2f89f37e46e9483f2d01cdeb

SHA512
ca3c55c7d99a4ef269d7f9d6501fce1277e5de4c5aa10b1a4f5a5223266a836428933758df5064f9bb14cfb3016fc39a37ec0b1c4e2d65eda5d648c9d4c31469

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ae2425d1d0cbc221ddea97788c9a3278

SHA1
c186b7e0ae252b2dc368daa84e4ec58ab5923918

SHA256
7acdd878fcce9f6bfe2193d88ec288593ccc84b7ad305b79b0a3452f984d00c2

SHA512
03b3abd2f5fc6ccd43563199307691cd16252da2ae3a058c88794db7ca09160225110b1a759ae7b568b42a8497b88c6182d586fa9e26b5e3c1b0522bf1d39a57

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
10501b5eb812906bf7a1718c2d7a6faa

SHA1
326f3b74afb5172043852f80c5144323a2e5b21c

SHA256
d0f503d0c357917a280ce29c616013478e5a4bf5840c7dbd20fb55aeb9aace03

SHA512
64bb9a3384ebd696871b29d8577a9950efc340e23475f33209b15d09c106e00bbf1a88cadf852e7647acbba5a2a9e99e21032174caa2292b9d9ffbea3536a998

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
43e47f83da8447792f61ea4adac5e903

SHA1
f806082fa66ec0361f4720a664ed3e6f2ce0db13

SHA256
539449096ab4ca87a6e3547c4e06eb32d825af3b663bd41bd684ec77e63f810d

SHA512
d5a041bb23b9bca1be8da9855bd15285bdff57280469fb85ce2e69743cd19c90d04ab98c073fe0fae69a772330734c28c350f3620095af05ab18bf2e1767bb7a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
2052a8d80e706e4099536e22bde29449

SHA1
9bb544346a2e2b43e8f7415e0fc35f991cfa67fa

SHA256
33deff89c0e17f3fcfcac0f10e874845e6f953ebaf91264ec115b27ce8cdbe8a

SHA512
365f92683496b149b2c7c9bc80b15642240cca131f07464d9766e455a71a3290623c94867557fec640179b18de3757073737f87e4420e3051132f264ff092089

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
39ee780b53fd36ba6da942ea72e26eff

SHA1
70e024e67fcf01beb339168cb8664b02402d7cd2

SHA256
277c7610ec68801501c1964712a55347fc5cd510a6e04b138943f1ee334b5bfd

SHA512
53a63b7c6b222d4aefa9b67ef5bbfef72833cd9ce76bde979848c3beb99b0b194634b591a881d714c31522a8beac5faab8e2a986873e83a6381fa140a1e88c5f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f4aecbf9bc31238e5c08e53b2457e4ae

SHA1
a89ac84464a3736bd0221cb456d574429a2fe5a9

SHA256
5b9c7ff6240501b4d8137c516e7d8ca8d47b41517a7ed95ccf5c7d441972c11e

SHA512
96680958ec3e314651b90309c2d4a6d0d1e446cc29e4ad24e9ca9d7be43d499b3212133e18adb15f2a016535cc6f94f4745101fc2587ca6e463be09424a4692a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
22591fca639f3b95ab82fd3a039f77ba

SHA1
5351592288f579bea8dc3f788410d585cb60ec73

SHA256
1a882105514872957ea4230044a2111a9b5583e8e507f5a297a00ca956491a8f

SHA512
313c296455d3fc93ac1760f043a245996fbdf86f31a01bbb715d07f06f1f42199319a7586dafef132a74a837998717ce45300bee1dd25016f54e9419f1b89dfd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
a073e6bcd1805570f2e25591d2e82981

SHA1
1fddfedd7eb601ea513d902e3d12584b4a73c005

SHA256
68b57f7c35f3f1930f13ddca0be7becc9296f01d2b51be9d15ca1c37a8bfc261

SHA512
f58297950e3bda0e2c3672e34e9be26d593128597df645d8ee2393fa14d7c41eaa0879cc3092f69d82ab14ef6ac033ff60d83fc2f1216ee1e1da836dd4be029c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
656b9b65c7a8f21be4012554061121d3

SHA1
155de0b5c0fcde9e9c3e950d8553b0841e9ff2c6

SHA256
9acdd4efe81d67badd30032ae60992fb16c08103331a3b076f2483063007c5d3

SHA512
09162b39a27c6f937a732fa2c5d4e80380e6a746914cf2875c64ffa00390fba55dfd79a452572759ccdc81ed5a8f75fc887bf2fa3cc7bba1176ca2df97c69587

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
22bff31e9a49d03f7e0e11f895a5a243

SHA1
9e1c845382fadcf024f680891fc53cf95c0f8e33

SHA256
12f881678f574717ede3e8365633c807507ff97c1586da1822434c9d0e716efc

SHA512
ace24aad4e7adaeb8c1b55982547f5e0c373a887890e6e0a03c944d3b7eafb84af02f4ee79346d8d7cc9e5e5111c194d9bf3aa1852fe8b3e101e09a7fc36d394

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
504a45e386e9b9f06a31e0b9e509b9d0

SHA1
3a3d2641ed2b168930068bfe2a7c14ede43857e2

SHA256
12a1fcf9c2e0c31f3799918fc8b47c39450ac1e439c72dc1af7bc4ce2f17259d

SHA512
7966ca88937abc42135002b77721fdc3b518a1f7681d430d5238924f2066eafdce5117d7755507e539c619ac2934ad8ce89b4a73b57e2d49efac10ba99310c51

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4d1437029ba6f5f7e0ace9494eccc6ff

SHA1
ad5d98e06ba011c65377bde17793bc478a017716

SHA256
d840bedb18cce74d0e38a83dcb4418ef6e57c9219b380c8255157e9f067e738d

SHA512
0cacceeffec497dea076afe8738ff49948bd45f87a6b242695523f5aca9e1607327407e22a8e64de41ba2ce5ff1f653166b053e3373d10dc75197b5a8b0a4b39

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
a7e9491d2a95a6205ebf8951a0aa1eea

SHA1
d2f84b9584a2ad5a38efca3bcb3789560d8e8315

SHA256
7b7b3e2a9e267f9e3a336052ef4dd95dfd29fd277785f5110e86e5db9e08acd3

SHA512
4be6281bfd3df9a25e816520c0fc9616ae0b732ac29a95cc750bd5766de44304fef1f9282c3eda121e20f6a749ddfbbb8ecc33f0eb528daf98216a986e262e8c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
1c7899be69211c33e024b5b975eb92d4

SHA1
8e4ae4235d912bfbc994ce3e1bcfb90fd9b64fc2

SHA256
76cb9a2801765ebf2ea634a3f727fb19552df0cac8e95240f4fb43a6b05cb950

SHA512
06fafbe489b1a3fa1744e3035f1c234410c969e65683c8acddfb9db04fc1afaeabb2e5bb053a974f4163298e7e14421e50da6a8532c5b09068903cf4df9ed93d

Download Submit
memory/316-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/316-706-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/404-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/404-709-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1564-162-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1564-374-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1572-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1572-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1572-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1572-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1628-203-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1628-91-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1628-92-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2196-230-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2196-126-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2316-33-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2316-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2316-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2316-129-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2352-539-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2352-192-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2396-254-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2396-133-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2500-103-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2500-218-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2636-255-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2636-714-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2724-468-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2724-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2724-6-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2724-473-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2724-75-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2724-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3204-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3204-713-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3228-52-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3228-59-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3228-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3228-175-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3500-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3500-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3608-456-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3608-181-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3992-712-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4076-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4076-50-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4076-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4076-46-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4076-40-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4292-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4292-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4292-76-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4292-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4292-89-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4404-130-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4404-242-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4680-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4680-14-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4680-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4680-117-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4944-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4944-430-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4996-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4996-715-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download