c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8d

Analysis

max time kernel
120s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
Size

1.6MB
MD5

2b45f50ac1c16eefebd59af3e1c25830
SHA1

c667b3d9446f5a553087d6d5b7043d2095788896
SHA256

c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8d
SHA512

ce362b1d6621bce48de5d35e77745c113c55f8ed48b8780cccb7e7c969230861b07b68d9bd0264c8fc754c3dc5bcab7de8c617de43f4424b3ed0c4264d9cd46e
SSDEEP

24576:p3io+rga2kuRW2S1bFkCndDNPcHjlVv4KDfHMc3eyNidU8cKlrU:pyo+rz2Q2S1RJ30Dr4KYcOCidU8cKFU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1268	alg.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
3996	fxssvc.exe
4956	elevation_service.exe
1540	elevation_service.exe
4404	maintenanceservice.exe
3952	msdtc.exe
1404	OSE.EXE
1240	PerceptionSimulationService.exe
2356	perfhost.exe
3736	locator.exe
2528	SensorDataService.exe
3284	snmptrap.exe
4636	spectrum.exe
2236	ssh-agent.exe
3784	TieringEngineService.exe
4888	AgentService.exe
4492	vds.exe
3896	vssvc.exe
2680	wbengine.exe
364	WmiApSrv.exe
3028	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\locator.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\142bcd4065f51a6c.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\System32\vds.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a1a5a1a3921db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007041be223921db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa53d1223921db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045bc57223921db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fcca8223921db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1980	javaws.exe
1980	javaws.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe
4476	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4972	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
Token: SeAuditPrivilege	3996	fxssvc.exe
Token: SeRestorePrivilege	3784	TieringEngineService.exe
Token: SeManageVolumePrivilege	3784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4888	AgentService.exe
Token: SeBackupPrivilege	3896	vssvc.exe
Token: SeRestorePrivilege	3896	vssvc.exe
Token: SeAuditPrivilege	3896	vssvc.exe
Token: SeBackupPrivilege	2680	wbengine.exe
Token: SeRestorePrivilege	2680	wbengine.exe
Token: SeSecurityPrivilege	2680	wbengine.exe
Token: 33	3028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeDebugPrivilege	1268	alg.exe
Token: SeDebugPrivilege	1268	alg.exe
Token: SeDebugPrivilege	1268	alg.exe
Token: SeDebugPrivilege	4476	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1980	4972	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe	84
PID 4972 wrote to memory of 1980	4972	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe	84
PID 3028 wrote to memory of 3700	3028	SearchIndexer.exe	114
PID 3028 wrote to memory of 3700	3028	SearchIndexer.exe	114
PID 3028 wrote to memory of 1136	3028	SearchIndexer.exe	115
PID 3028 wrote to memory of 1136	3028	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
"C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
998829f2ad698aebc76e8915b282ba1f

SHA1
f14707d852a8e77f0bc89b07680e3bab875a91ec

SHA256
2601fd6f780d1ff0fcd43f2161a6a3791b2bcaf281d16095ed1bad6add5ae8ce

SHA512
ee93a9848050d731d68ad3853679f440362d848e103d3283ded3fdcdad3101a51fc399ae40a24bb699e5f51cc64d7e7f01535dea336edf9faee3b0752e0d2433

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3b3361b13c1b8b7ed51032aeac2448c

SHA1
d7479faab6d09285602abfa3e41b2bbc0fd904af

SHA256
f2e2f5314d3b66c226187625c828e15a7cc732580c86f107b801c9a24b2b3654

SHA512
a960be9d64ce500ad128b9506464508b2321108557ed7dc702e23107fc387230e1f68a4273c46f168ebc731b849dbfeb3f3da2d80ddc1cfd9b89b01b6b534dcf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d84fbf38df7536e3dda13e8d4c7a327d

SHA1
6f30842ce0fad8f7a052f62be0a08bf6086ae35b

SHA256
6ab6a888c5854dd8662d5b76f05ec7a0ac1e0b023fbeb690518b7e8648298412

SHA512
db778345760492eba2ce9ee26e5f19ab3f4190dee7bc3388c3199e83884a63a68eec107fedb2290882e1d426a0c0aea01b0b9158461074d511acec2cd2002df5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
08c78d2e5726f38b7e82c62e4fe6cdd6

SHA1
89edaccb8d1afedb303d1d0887b3e4a33fb3d735

SHA256
b2dc7ec4d94bf8e6752524dc7658e0e98b757d8b21dc692aa98248ca0134f0fb

SHA512
07bed95b30936ca00b0287a2af3e5ccdfe2ba4985775cf3b36328d1f57fede3b3c96577665d529545407a5baba438575c969ce20cff17525eeb25fa133075340

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0485eb8321a5dc74cfcb8906c58ef805

SHA1
a7973155de8fc4642d8ce50d3f3a56b800215812

SHA256
82f99dc6b07cb8ded8a2ff9a040dae3857ab1f69e17da85d946ee44a9811d183

SHA512
7a923375d7f63b8cc5984ff111a8413ff5a4c224b9225a091a04953f19d4a39a938d055e7462c7af878ec1f801fd0b5d4cddf3c180194828858ea12fcdb96ebc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
21425217177e2b157ceadaaf45ac7e20

SHA1
2b51b514a710db0471b3b5d9c3723f49d9716ee1

SHA256
c4463f191efb6e5dc3becf7e3a2c201837ad8e93a1845989e651d663f7de6eba

SHA512
c162301d3474c90914bff7311fc8bcb08f66e17bac96999d59c8f8e0b01a5b75ddfb10ba0a7a890bc263166024787fb9d71bd84d510c37bf180cc222bfa8431c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e01a2a5a6aeda9510c3f4cfa224fbd65

SHA1
a9b99fa4de4877d87023aba3502cf45f9b142ed8

SHA256
97e3fade138f3b6cbc856923af3e2316f1e9f95c84ec9d32aa8a690e836b6801

SHA512
6a94b9b30ccbb1ad1d16bf59149a19ca7f22123044befd315f210a039b741d6180080fe9847f467b5a8a3e9a3c91140fd7903796ac0b07d763ccc51fce037431

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8fb744d0f3bac7cbf20c21f8dc631fbf

SHA1
1c1aee26fadd15ff73e704676a04a8b06189b8cf

SHA256
4491366c085c4f4d69e89e8b8adba8f4b8a7d137a2952c6713ea93195e944014

SHA512
0a5104e2d47764a78116d583b2af07f2d38c12dd78aea36ee9617cf33e7e15a1546e373a6dff327e298085e0547bd05937e65e8385238acd3c0431add74dbe16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
60b4347f616819cd335cd8e1c329a891

SHA1
fe27d87327e39f4ebb12cdfb339dfd5c09283efb

SHA256
cfdda6c8c490d1f6bd4f65fa314810d30bc8c4d5a7f16f48168ecd781fef237e

SHA512
bc773ea1895366ea0b934886a45f4131597bc7b9b8feffa118119f27c44e7e379d28c4fc939caa6e34f90950467c01c0e55dea3733c163c6c5aa295d12ef0598

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ec3739edc122f91b810dcf312e1aa2de

SHA1
9bc3f5022db4d5a7da8304043989e8b9a402f8d6

SHA256
c75a4723883e8204e35f45e902292dd6ab6e6afbb8b434feb503c28bd8e3f891

SHA512
8992acaa4aaba6d92cdcfcd9f4537420ad52f5fe88bbeca48fd2fa567ff21f27af72d34f9437d372688eff94289879595689d33ebb949f314e400204c1923fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2848c3ca212cda2d0e71710b08b66f67

SHA1
41c3521cf21d33dcad2a7364ca79ea3084fef82b

SHA256
e307ce284f362d18e0771b544ad8a9d911f3cf7c00f2ad3d6dc901058d3dda94

SHA512
e721527000b614275f5f183e6e3e0de5a120d2d976eea4e1daf3d86e4023b841763fbe0d3bf513e5a2333cf7b62747e840b3222558debbae526f5db979b2f538

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4c26277f170979387db5d5e92da4edb9

SHA1
54afacdffdd505c7553c46ca389eec84e6f470a2

SHA256
2beb4e469627c7a44340049ff8c060f35d9a12a677314badb49a7ce5459542a3

SHA512
dbdb9abf6ac2efa4c4e6a3a375ddc6081d2f7f4bee38372a85c8435016fabbd97de3defdaf136c7178e1658ef4933f25bb98e2ac36726e762bed404423b9768c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d99aaa6eadbe4e6dc7c9639f35a08d3e

SHA1
2ff95a6d3db9933992e9f71508ffe64c44abe7c2

SHA256
a0852ee5bab0d1de607f0965027d32db568f7d703774e48a9ac9463dc4a5b831

SHA512
abb33c32e6b295b0592caca3d83754660ebbef6e507566ca649c3b2740c8dca9dfe57807b515a9b2fc5f211952277834e1d0a32aa7d4dc70d409e7326ece7cb5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8a9b9950b4e1604341d3290ade112f94

SHA1
4a4b4838136b30dc6647b5ee63169d74a96b3c2f

SHA256
693301551954ddb8c5bb3b36020c657962d4e717674f08deae76cee1b3a2550c

SHA512
dbb57b1abfa7f2a98fa96c13df6166244eadab1ced0df468ee71b0e62ffd7f9d47ba9b1607cd2a41d954960b5fe5846a718c73350f6d253a18315fa7faed7b2a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
499fb2d77ec1c85f59b1019dcdd2f168

SHA1
f41cd41a19885144eb2880dcdebf626869cfa975

SHA256
f5a5b26194851a1d6fac9538366e4f6dc25ed78a159c7690c694664a01d9366f

SHA512
bbd20018794e318584fdd06686820cbf63b701c45cd96a0432fc0919d8f796980180008d39d5237284aa5fbd09229f6843ed32069c83e2f41fcb01c1bd4c6895

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b32ec533899f47da42ab7ca1927377d9

SHA1
194f429c4ff504e040bd6c62e11e6fa4ae3e5d39

SHA256
e4763b570af1a89495bc3211e7b8cf895aa85bfbae940cf1228131e73ccea2dc

SHA512
bfc09356f8cf93225f256655dd55fd8ce54e72a2fcfd1c0a345a52992244e303378e9eb2530f1afb176a30de3d688dc1dee9d6c400ecb2715d6ee380a591083c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d14eae1d182eca182dafa2315c286d74

SHA1
5a5cb84ff0800f83224838fe46d064f11db5d828

SHA256
8e98b4f957533d43c9008aa55056b07aa39e053811c394e0dc0f094dff42fd88

SHA512
424bf237b3c94f4c43c4d1505ed373452ef533e51fa874d9113b78274c752aeffe6a3df53ae9d6fffbd1af31fd64268a14d4e00c293e54ff422cf6b8805aca21

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
eed9cedb8d48c30202075139b84467ef

SHA1
38c6ddf3d1ec65727bfe1923b7394c0531354d0d

SHA256
d7afb2c202754cc0d36bcc02756a6e165e5cc0bf56f0dd2469ea5fea6b1fc575

SHA512
0616ec0619f59e77b278f32f1cfd6f8eb4b50ed0935b79d2a2712d86ad115670da99f5b0e321935be2fdbe80c91c60f48a0758d8445abd058aaaad07fc7d8f37

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
3df0e1fce31fe30ffcf52409fe125fe6

SHA1
20993551d9477553e572d10faa4f907514cd8eb5

SHA256
32fe84f2962b9d2b9a46144db4db44696470eee29727d0f3c55c31b3c799952b

SHA512
a94db1d960d84e744ed9e686a3ba265a256ee0aea7bbe0e17d28317f3011654f4b8ac26af34f8093515772caef6075918ad48444604ed0e4144d762d4c429973

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6df90ca09ebaf98eb52454f85b4eb115

SHA1
48da43c82b2f99aff7341707ffcbe55f05c775b4

SHA256
f682f1a5e728a908f535cddf23a136df1a76d8d2d771ba8f6169d1b1424f36a9

SHA512
b4297de642c0dd3f27b87935d5cd3b86e90141e0fb309ae133fe37050789a66678a0d44494e5a0dd3bc40db1a3ad6f2db9c46618f7a96e64a0d3d4ebe237ff68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
20415dc50322af9b0237204136ec2522

SHA1
af1e533d908be3bbf1b51e4b88dc9dfdefa1bd32

SHA256
b83c9c4a85445a37527a36238a9c08fe7f918fa13f765bcea8fe265047a50659

SHA512
8f115b296b9138356cd7e860f866753ca99d441d924eea50b9d8ea38fd3ca82d73a42ef3856f981d5276c94187ed52d477cea47fcc35f8d6eb5e5c99f6d40d83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
d769afba5bfcc3d6b9a475a504f44cb3

SHA1
9abf8ee09ea2c4f64b29f3750309ae41c90af33e

SHA256
f29e9ed33fc708e9fe41b62e1d8e6c93b0f1a1ba36c7258165422c5344e9afd8

SHA512
09d597a74448e10aa0583e8dca88bab9a43dd8b2c8e327ce814227ed3628534baf04cc7fdd490fcaa5076b7e895246b8f8f2cd00589e6dabba838a7e78243af8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
3912b74298873041e766abf203bf03b9

SHA1
92e3305d4d26882a5772864f468687e67faabf92

SHA256
9d1299711c7ed1a5df781cff055fff819a97833f53bf2718ee7885aa30e68cbc

SHA512
084f95936a5833ae8dc9c2ec9a5da06c928212786f38e3e8410b0d5f05d1019707e3bf00d4a7ff54e3243539583a744774af8ca527b2e938614e5edb6b10cf05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
21bff4cb7ea4b131457183c2abc9ce7e

SHA1
8e82d6a92ed3318a150ae8b97a749d5cf3572059

SHA256
62307fc298a869ca02d0e3158d36c2e2c81640bf77210c25636cc70d3f292c20

SHA512
1c049cc3615c67b58eebaef6cfed37b3feb89dfaffdf31d169790b4f557017cc57437ea5ef469ac7c7c2be67b772fb3faae08b342a790b68609f1fe119772d42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
9edac6111e0eb1cb47666846933bddb4

SHA1
7520ad6cbff8bb3b7ca6811e245f55c37b73fd85

SHA256
20ff5f3a3d6787aa767afad18546685b9613d7b667e936eba8f5038e8db66d57

SHA512
e24cf49ff0d23f13448db43c78f5657144406c40e96ac790f1ee39c922328ced84899bbfc6c8ed53cfcb1f7b78a4c631bbb4e131370d692819a67812d07d8fcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
1b5065799f9f2e17b6596be725963fac

SHA1
10f282f751ac8cf755ead51818cc114648f73d79

SHA256
28cf44f93e0590a1d392be6ba3242fbae36411dbfb37879795ee96a641b67290

SHA512
582ba86d70c25b0f858ab46afbcc7d68f3eb458eb58e9367f8c0abd57d91ce9d58e387f0dc57a8e78b6ef7ae2009070d2ab965b8f57ba89d9b65eb857d973e45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
5adf14d0ad9eaa9c4616aa0cb4c293d1

SHA1
ac8aa252c42ef4e3abd79367c4486a2ab8693032

SHA256
d43fae61c71358a15b9cdcaecb731b825c336cf3654963c5bfdf3fd4ed7881f6

SHA512
276c69e29320da440ca10d04c7f188326aa9530721c8d3384e44cfa90ac6ec4190c6875fbd964b2b322d2b93ab7f9388115de8fe3e731c8d3d2580759db4c6ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
57f76e871af4710063946c3749a4a5ad

SHA1
589aeedc563b104cc6a1262da8fbd5a90ce5b767

SHA256
e2cf39c4d5d64491529a8d80556fec54b63c683ecb2b6cf39d2ac37562b4c6fb

SHA512
1fc8298f17723c39ab63686925e4814a148f538c921fb96239e8d79527044aa617ccdef1d3764a4bf93c1be2a2cb420009d3be194a961d6fd8ab203d6ff6d3e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
dae4a87011172c7a1dfcb13632853586

SHA1
835aee3e685f03590bf8a5da8f0401b27f5ddfdf

SHA256
46dce2154d1fa29e48b6b6bfffcfdaf07fbf9f2cb712762fda1264c05cc1ffd1

SHA512
b77b6884641bdcc06c6dbf0830e550cb040172e8cc1cfce65a1a27bdf1b04bf3ba2d5c455213adecffc4d3845e9b8e58588b9518d3b62987eb416eb03821112c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
0859afeff9097cd2d50595e22d299311

SHA1
6e29abd8e6ab21af21c719f970811ea5075e9f50

SHA256
b087b6f64503fea4f48250f1c41c32bb6ba745c37f4c7f0eda93a42a38c70bfa

SHA512
ded79e7bf3184aeb2891a93341d8792689387c72f30f3aa184a9239c7ea124a58a61a3e05ba3be0062003948ca72f91642302163cfb5964bbb9d49d1cb4b6d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
093abce24ef51bbbd3308c4fa9d9ddbf

SHA1
bde67a984470e252bb758e7645cc128f58f3ab00

SHA256
84d86b7d1707f23c5296883127519d7e005f9508f8b04541599bf7a580d094b1

SHA512
a4604c5fbcb81d094790018faaa64c20b4541d0eff2d3d95ba2828a0a225b8937eb139ba9193d375ffd95e6d26b897ff07f234a6785e6c30df405b06b96d4838

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
34355c5b4f62fd3b063f7d96cbd20f1a

SHA1
5df10fd7ea3e1d9491ae87c99e77d3a3d1ba65f9

SHA256
45299612fd46dd996f3982786266791a0cca8fdf77d9a100377a3151bdf8b617

SHA512
74ee928075e1721dfa5d8d52ff986518be95fe5253bf2f087c7c2eeecda31d2fe36634e01d34df6a77e3b1a0732a8622508541495666323d42cddd00f908aa0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
9f75a8d26b2a77a1385bcd9c9488b576

SHA1
684d8c90e11219f07ff98b11708a7aea560c34af

SHA256
e1e677c382dcd3f026093c6c1966e7835fce84adda5b32f9c4cac74c815c2419

SHA512
0f852319e4c286c7350bab062867a73cd81e878da3c284e3af7af1ca770329d46582d0d190b897f84b28a3310b4f678ce003831f13ed9e2d0f6cf3ae9bdae4b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
86d83b1c0980864d3b853550247d6a8e

SHA1
b3f658c13ea9e43bc64326e2bd8331bf59f75783

SHA256
5f6200879d004569578682b0a59c449b1c31e679a408b43040a7a9534e2b06e4

SHA512
3aa3fccb852a3561de4d7609eea16912bebba24fa46f71e8f0c37fd41283c144d6431583ca79e551922abeab5bc6c158e44cb9e58314b2c73331426cb982f5a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7e0f1f98ed34b8eb19ae4bd480457654

SHA1
3cba55278ea81c11e5277f58dfcf7e11ed2e6ce0

SHA256
a714e7fe0d0deb0c97b2976955b340ce5034da16fb9a7b8f413c380e2e6adcab

SHA512
565c1a6082642f5ca380eec7967a00fe2a955453b73bf1ebedf4af33137c69f5ea8cc7f0f9b9ba7b652934f6c7763bcf2920e22cc0c54e919c050a7ab5cb9997

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0a06dcec6ae2f7eb427b4267f5357679

SHA1
0ca711abe5bc2d3b4434f17ca04dfe961d159236

SHA256
21427380b3e443f0c691616f3e0234b6834e1c5b6b0a4f76238be4410fa24913

SHA512
04c98548b7c77dac95f17dddeac5fce21c4bc6570ed09828d4b263e87c07d3d782ab29480f290140371b9a09bf2a8adb9b17c39bea2b790c144321223a90a797

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
5ce4398f983a9608e03b6158288b8d7b

SHA1
d8343eaaf6e69afcf6351b572f385737279216d2

SHA256
b43fb8b1c49f95bc3b4798c65e3aeb93080baa20cab87157eafa546e5e4d7a5b

SHA512
be3fab7bdb827ff2892aba6b9e87851973fd56aab6b225c35b7035fbe7a6d07ff73f1914d4ba860ebc5796e085226413186aee4400612368a4741f640c2e8177

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6e9748a6ec75e1e3e671d7b5499ba4f0

SHA1
d09ac49a829fc046881c22c3f023ba5e82f811a5

SHA256
9a42ce7e360edb6bc5cf1afc9c5adb04483570278cc485cc549e6d17ea343d18

SHA512
97ef1a9c77749a5dbc099fed2f4c1d004da809ff39ee6a04263bca2bcf2f70b957f89da6c3f1cc417298f604f3a2519b34396edcd8f77d97af64759a33f6cf55

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8f3451d32698bf7e1c6e1950bd26af72

SHA1
bff0c6697526dbc3bed9c1245c0d60833265b9f6

SHA256
671756c785fbee6d4af6f1e787d6c5ee954d21c438a5671ff60e4ac733fc02ac

SHA512
215d204c08bbc811040f074dc2b0be1260933560e5c7f686da25c1a97f3bc85eb125d64d27354e9d7f3994daa17e4dc47f2d1b4d841a6564731a72c548e7f2b7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ebc2da6b168fad292a8a121458edf6f0

SHA1
32f0d8a0764fbb719346f7cd67adc69839322762

SHA256
9f6024edcc04cce6a9e7d94c1cd7dba0605ab17ba47df62ae7939a7da9107da3

SHA512
f8426275327e3fb90791839636930f76175ae2e567149b532ce81ee886f4fd502a1c00488791330edaa7b92b2478e1c3f3ce8a0fe8fc62be72090e4cf169d324

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aec01bfbee64ba2a0d66bec50f1d8c38

SHA1
ced9ea9251b1e09e7a385fc299559237cf19afba

SHA256
1e6e8e6dd8770172a18d108dc5a25a8d43f9254133fc2ee88146737ff1128b1d

SHA512
4450e3a6145bff816a3baac50e82168faf81e9dd5aa61f906aee117927f72f9bdd8e3677100745f34a42f5fe819824e2d954b598ceda8056c09252793cbe424a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
cba1cf6a53ac88ff7277d132a063d8d9

SHA1
57cebd98c5f350d22b4d5dad123432b9fbd5b8a9

SHA256
79bc6909ee8dac0acec797a6f162c3ceaa4a7f57d23141294547b3cb43ff8c06

SHA512
ef1b0d18f66ac77ba98869ee4c67b5b45155036475651c4059a5557d49bc4040e68d966a46095e013c2926a26c3bebf21ce73617ce3ceec00f61391bd4701653

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
39bd166c4b2297cf8f05baa780628ccb

SHA1
f7b6bc2489bf041d815e8863e42d3a68baa47e3b

SHA256
fe548fb5c2bb4d762e845f4a79cb648fd3ceee2f1ac37c0dd98a9f9f48e13657

SHA512
70cf7bc678e00946855fc8cf6542a1c243f65a05f0f1108c438c3551278bb36698b76852ce8b275c6eaad8e5f2fe314701694510a89dadf7d3b56a4c0b8a004d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
00a2acfb6aa4a86480b3665d18c5c583

SHA1
69331665189b50dc560d2f71fb6c9b9d5a72cc57

SHA256
a00b1e7f6610286f80c4747ef7e0d414e29f47cc861b3dd351b4d2a4c151f59c

SHA512
5aa339c8a82d9c6772d983b885379d2763f356c9e1efc43b8c47f84256d7d81dc59c79e99304a0d5d8854eda13e3e84eafc63c4c953daacb0d386f846cdaecdb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
53dd5795ccf7342d15a01047e96980bd

SHA1
75aa70c62f90163208bdf71d5c4612aee7b35ec4

SHA256
906e68856126ba694869ece5ec22aec2d4c8b8c7510cb6c6d9eb6d40608bb264

SHA512
bf92dce9634178c4525de8325230abc6641bf64e49e0de9882d92721ccd44ba378bf9bed5d27c5a4186f6c61699472bb85543a58ca3b3f44be11bd617f98cb6c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0d70c1465dfb7f8d72d86c9c28dd1c2b

SHA1
0e8e0fb65b62c406689535dae92396b6741376b2

SHA256
5c54282086d65bad7e491f11d0751ab4fb4730dbecc1fe3f5e95f43d3857b416

SHA512
6cea9c5ac752415e72c350d45a808db67598aa7aacde6ab4a1714f5a78a2ad3c4ebb7edbbb08a17de7e0d18d00b2da9b5795a07add978b239e20ec924cb7e815

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6230ed6d98c28f1d4b9f8352ed810e2d

SHA1
aacf93974e065e5505426472301d7cad0debb29e

SHA256
7015ccdb6a0d0df192206617ce9407481b88895c2f957c7fda5d71a773684727

SHA512
299394356ebe22c750208859cee7f2c598d6e521f65fb7af227375ac55b620bf01ed156d30ec424b9031f88f10abc0203c644fbb0b55758c8c930e5c52f70858

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e35c164f4f91aaa8151b02c1d4dd5d34

SHA1
ac93491b7f9c4d966b9b6395c1a02f664a923dfe

SHA256
927981058be5ffe1fa842a42d52c26a96a0aed56c6e5d7d89adc95c34a0948d9

SHA512
176b8312d3f2e83d792c75b6e6beeb321a36fd706050e0720d553112b3d38c36ba182a741d87f1c42fff86f2a1c963a41e3ef65ca343ed50b2af37bdf7dc028a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fdfe125b6397954adc4be65be9e717d9

SHA1
86cc1ef46f887c0200c1d576f53174e7c0d4c103

SHA256
84c48375a3e898b3f2f589f948163d21f713b79e5983c70d52984e8ac7f13873

SHA512
d7ff168c68aaa7c114a608febebb4d11e8b934ce8ffa8f2d0f94b064e4d7bc8a130521253f1619dede8ee20b44239124079a674bad5e61650bdc9f9831e186f0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
59a4be777baa4abb0026cb3817ab86c4

SHA1
afd822954bc4e877f0ba3f6df7245c3b0ff3823b

SHA256
477308459d482a294002d55bd60e647ece4287893dacb0bc2501b681b120a008

SHA512
98c0e853054e4e3620731feae4cbbd1fbf15f26258375bf63b3f55dba081604d816062540b3d233b88a8ba97730350c5f07fed5181cc6f92678a5087263003c9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c4731bdd1486c57b69386157e81a5d0b

SHA1
5e6080fdacc0b47f295b093006c4657d7d887e22

SHA256
e13028ee55be9df6d91eba8d19f026fd519884af2164fcf30f89effcc2370331

SHA512
c9c0ada1729dfa5bc3d8cf1cf57fcfc3c07ff96329de9b0f44fe0faf5715affd0a0afb2d66c582b68a617e421d67802817057604a837dbb44948f7939b3eaa99

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
71cc2f904d10054e626f2f2f17148cb7

SHA1
b631b61cc1b564d162aa56e41030153f45f61a01

SHA256
5d0b8da23884517bfe26e1347d4755074c0f6b75dea3f809ea8292273d95d8de

SHA512
65874b0881a9a350a099e640c182bd08b19a57bab753955c107137636f0dd9b88ca1dca4a7ccb151f56a41914f923b8dccc456ba91ad806add453c12ea27033f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
97bb2c9d6a345bbb91a3ace49cf52a56

SHA1
749c2b97b53dd75a969459cd998720734a8b54e0

SHA256
7af77e12a66222ed1ca5e809b57c878ed9fc34d53dd7f43db7e25ad282e496f1

SHA512
4fdaf4a21f04c8cb5e68431f16d6db233e6ff3f653465581b66e665e8ed01c7d9da57e923ac4914f8a14a18fb0139af8d611a5a3876671d2f9d55349f24da4e6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
e58bf9c870d522f458bef8a93c243bff

SHA1
b10743a6324b0d40fa43271b5ac73d168b43e7fa

SHA256
8ce181fb561f6e4a6508ac2d6490c92fe2d162552b58cd8537d919b7699579d0

SHA512
32017a09439156a1deefe36a30f0611a693cd9516a2b83dfb9b22b9ce9a30ddb662989319fd12e1b6b8831173506f85ff9790ec7fee1a90a27e0cfcbaf34c218

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
904c59e276bc751746651d748b0defe5

SHA1
06bbc0fd3cb123a6609d7e905d60170191849be1

SHA256
f9399f665baf84dd616d3546d28e6cbbe42451b2174f9daf76f383e2e764c0fa

SHA512
72f9ac743074a502a7064b4bf2e7fb30f4b2788c9d04c5290aca5d4abff370db4d0cc590c2b3fd6e34c63c15057452866792a95f4417d85c5688e250b3e24508

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1364d16b78a693b88e6b22b6a520592a

SHA1
4da1e02f348de72ebf9c7966a1f0a99251cccbe6

SHA256
73595c56fcdeb4ed92558f9ef08f001434813601202953e4b365dc8e0b29867a

SHA512
07cd7b9d4c80d5e19bf59ec5e98f71944b858653d5dbf9033e84d016aaa3771c45fb8d88612a4b8e1e96422c8d1146fe2b2ea37e2572dc3eb620ea6f30e9da82

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
07d78fb3f31d4c863f773e0f758be38b

SHA1
51a05b01763a7685b724195485a9026763892e34

SHA256
c99b6ed813aa65de1ca0dcd6e095cfc7f244d9793f2726f1e7aed941f93ee83a

SHA512
a69080f65e536fdde9d285e19ccdf9eb0dea719b9b1e90fc676d987fc321175a961d5db89a96c024705c18cce37b402bdf72ecf9c78db7a97454d2c58ea27b19

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2013a54ad5f0ff6ff47bd0ebcd43c3d8

SHA1
70e5d16e77e14c9ee569942c892e96655f2f4676

SHA256
c74f9e58f47a49d337861246756ba75407e961dd85ddde2ad028e0331fd6fc6a

SHA512
41490402cb7f06de933b3e2caebb134fcca7f7362849ae329b72bc2768648f19f9c4270d5bcc25118d87fc2cbf0fa7ad42eb925b51a98563635acb8b8419a58b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
68fff36bb5ee66f2af35203eb365b269

SHA1
831029518118f370945e27840c27b036e3ade9cb

SHA256
2a3aa26acec1b9704226372b58aa0a59d49fdeb8585bf448583879993c34f263

SHA512
4acbc769885d7d5e0d75f78c0e1eecc5c0c2dcd94ab3705f98ac0d9ab1cc72dd0e36baa7c46a75f1de3961593f8bfe5366a12fe5d46e6aec44544b62318b2c4b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c776479d1cc317368ce9f95294258a75

SHA1
f019c8a85411da066833db3aae2d5bc5f9d3be10

SHA256
5ea1aacbfd16b4a7ea14ae7790bd381b4d201acdbc80f15dfa4866749488570d

SHA512
50e7ae989d5d9e50c0bd13fc684355912933fe37d05a2016fed24a04c8301ee07b42735e2c044d591568312c2025389fc7b83062521ce788dfb84cc257b0d799

Download Submit
memory/364-533-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/364-269-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1240-243-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1240-126-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1268-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1268-13-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1268-110-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1268-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1404-231-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1404-111-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1540-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1540-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1540-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1540-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-195-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2236-452-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2356-255-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2356-129-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2528-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2528-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2528-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2680-532-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3028-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3028-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3284-170-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3284-350-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3736-147-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/3736-268-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/3784-477-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3784-206-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3896-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3896-528-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3952-109-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3952-90-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3996-45-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3996-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3996-39-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3996-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3996-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4404-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4404-74-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4404-80-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4404-82-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4404-86-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4476-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4476-35-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4476-34-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4476-125-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4492-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4492-525-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4636-431-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4888-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4888-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4956-181-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4956-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4956-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4956-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4972-89-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/4972-1-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4972-484-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/4972-485-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4972-7-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4972-0-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download