52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
Size

1.3MB
MD5

563e2effa75ec32e724d935dd158da1c
SHA1

3160e721f09618f03a1caf7b5864ca67f49d5602
SHA256

0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69
SHA512

e1d99dd4b9471d2010a9a2e4b41aee5faa3a2da725e9a41f25dadf95fd2949e4a405ed77bfc922fcfca5e00e9a52eb74ca89a55098015f5ae1037628fa2308d1
SSDEEP

24576:pXDK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:pGLNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3688	alg.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
3644	fxssvc.exe
2216	elevation_service.exe
1032	elevation_service.exe
4840	maintenanceservice.exe
3996	msdtc.exe
3972	OSE.EXE
4872	PerceptionSimulationService.exe
2068	perfhost.exe
2444	locator.exe
3052	SensorDataService.exe
1836	snmptrap.exe
4456	spectrum.exe
3572	ssh-agent.exe
392	TieringEngineService.exe
4996	AgentService.exe
4720	vds.exe
3756	vssvc.exe
2924	wbengine.exe
2308	WmiApSrv.exe
3900	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\102df6d999262766.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\locator.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\vds.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec6ab7067d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82776077d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029c2b1077d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002e2ad067d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecc573077d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000022695077d55db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1780	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
Token: SeAuditPrivilege	3644	fxssvc.exe
Token: SeRestorePrivilege	392	TieringEngineService.exe
Token: SeManageVolumePrivilege	392	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4996	AgentService.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	2924	wbengine.exe
Token: SeRestorePrivilege	2924	wbengine.exe
Token: SeSecurityPrivilege	2924	wbengine.exe
Token: 33	3900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeDebugPrivilege	4820	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2648	3900	SearchIndexer.exe	107
PID 3900 wrote to memory of 2648	3900	SearchIndexer.exe	107
PID 3900 wrote to memory of 2612	3900	SearchIndexer.exe	108
PID 3900 wrote to memory of 2612	3900	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
"C:\Users\Admin\AppData\Local\Temp\0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c673db73a499c5e624f0984c9a318d63

SHA1
7787b1e607a564a4f9e436df482bc0ad54f6a0a8

SHA256
9d3aed77b852a3da54e0110e83f4f2a4568d6d177bb7e3c72736ff9d2b65f400

SHA512
08f9a006609e25746fefd10d29d7d5bfadea938606aeaffcc4ec84f7010d2673c69ba62a643a651c75707b1e1eab0bfdab49374f9af0071d80920b129faf1185

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2fa3567dad1774e9cca98b7ad1af31ce

SHA1
4d02c4655a15ecac3172c89c6fb8337ee0c2b461

SHA256
8cf6a011420773fa6e5e2f626d7aab15964901354c5a563fef2ca2ef3dbd32ff

SHA512
fbfe4f37079162b59cff93813cd4283380fabc8905a4d46479300e1b3d9e0aae8672601f9ecc53bc70e2589e8279f9d9432370f864b9b49870b96186886e64f3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
ec40b3222ef6a0962c84b8ff5d323987

SHA1
9a96f4f481783957828d921e830a00c4de0f4be9

SHA256
9bb01ea2ec0208365664175e3532c26685b4ee31b85a6599dac33e03b729f8f1

SHA512
b72985cbc290834cb753681600e4d27d9f7364fde5c964afbdfd5bd423a467ed1b4b4aee22e3266497617b9e4490d33fdb2b8a3fc5206ba1c7b3940c8d3d6874

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aed2900a3c43c24b6eeadf61c417d6a6

SHA1
ac275111f16d401625ce73a5270dbd921a9417f0

SHA256
16abd40b72690769ed1c8f0a03f991d87c0e3d839737a430e75dfa3658723058

SHA512
947b48ea1a366ff2f3aaaf0fe1344a7824ab8c53af8cf739eec35fb04642b67a9d75c1478b1e7327227a2c6466ba3282bc0b149b3946657e7dc3a0e8c64d9ef8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
18b56c083dc7a0575201a4df90d76055

SHA1
1a962a9b25f4cdfb624fcf89cc208d87ec74d0ad

SHA256
d0a621adcd62d6a4edb30809c503d0560dfd887fddddd9ec4bc5a972b763a183

SHA512
205d0e9dbd23100c9540e5bfbbbcd6c99e60e985168475023115920aae2ecb00e71b4b8b6544e30d9ce3aec9a98dbb131bec1c62842655738c5628d916553797

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0607f0d26a7a6df59e50efb240f40842

SHA1
1833030c7d85d304dd5d1a24144982b7343fa5ac

SHA256
a21bc44ca2a2d105e4a43fe0e8e6b3a65c2a3dd7de8177fe773e502a2a496a6f

SHA512
b2a9401f9ebff585fd4f4088e34fbef7cd74f0a3f54bd16078f2dd9c118ea6941ec897b00e1d35387109079dcbc4d92ed9129e5178cb32235e5a0f96c9d30c65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b485b45affff9a9f87e6ab000f687626

SHA1
1e6ea31c700a56a706e69c92f68623e321dee65f

SHA256
e5df53f3941dd538870c41d43274d5d38d4fb553a6d3aa629f200d101dac36e6

SHA512
592eafed680adf7b1b4ec7f54fd4db56a49bf1329f6c074f9c6f797784983d19c1b4d66e75bfc825120859066b2ec80bced547895579eeffd19813d4c1d71004

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
968ab02306ea81206d8605bffd3a0ab9

SHA1
4f51b3c9e476d12634877d9de7014f660c983b11

SHA256
4d760a6c414cda4b148a1f6b327654cb3086bf244b44cf4d1ce4b97e15f46b30

SHA512
950e584d4bf726390ab8ae0861447e6818a1cc0ba85735c9076171ef48a2d73f30268979d1b4b09e972e1b83367cfb02cbb83d82b89b6040f9d5d8761b4ba025

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
93ab13d4122e217a97c1f9d4301f934f

SHA1
8c431abd51ddbf58cd6cd5e83c5da3939b36450b

SHA256
738193d5a244a8bf7ab4dbdc9d2bd41863364d7b150c529904861cf7bea02668

SHA512
217ffead048d720f465c70d60bd464764fcc8b424f59c2cb8feff4de97d92ef64b735e4907ec18d96eb5eb608d0b1e3ff420073dff066ee4566f274cbb5b1ca3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bd5fcf95d3776f37822a6b6331060dd9

SHA1
919d85a8a02e2bd89c8b04bfaa9d78c4746570fa

SHA256
d429d44525218dcafca1ec8f69ceba7b8d0d579079c36e6407bac1da661d7b38

SHA512
ad9c234435630cb0702f044ad79ba2d4a130763508a2b307eb52a8ef55f74aefb397b655c4252a72bec108c28ad6bb7fd1d89f9ef4013820d32569ef75a017b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7a25a2122a648cd120cca8a700aa0a24

SHA1
4bde8a02df0bfd409f3e158d1aee726398a6992d

SHA256
4b951459f4291b7bfdd0ba336cbaff78b771277de54b8aecb0ba9bf40a71697b

SHA512
daa04b9a20ba317094dff657248dcb12580e3594507432c7e5212fb781029bff673a1e1393ff533fa9a535e12a2ee069e56a6792438fa5a2974483e173a20f36

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
51fb800238cebbd9b7c251e098d06bdd

SHA1
d1b66654ae5d7f866d6a8b74e0eeb3c336164050

SHA256
4073bf8c69470383790934c28a6492ed2053fc781c927df2fe20d4df40c588e7

SHA512
8bdac3ef3f39c21c761ac74a947c2970339cac9f5099e46f44ea4c5cc17774c6f43a4378bebf8e885b72c16179ed71495c308081a36b849a5f8d6d64722adc0e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5251bb37592701d2be7a9795c6ba8265

SHA1
004b486c49f6f1ddbcda30dcfe895ac4f508a18f

SHA256
4d72bd317020d10720c145971701e48c37f06428b46ff6a2a64d4de585e5f1e6

SHA512
e562da78c453a632a6caeba5c7b6c1176457e2552b4ad884bfc455bdb8518a7e31c53f39277a8c2333c8cfbdd91661bf1360f8515b483055205d468a1d7984fe

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f622873563dbdb2df03c27ada269e4d2

SHA1
1c9b96ea743048a58235ce7f8b0208f2c360e586

SHA256
8139778b7fd172956c84e90539b41cfe4a0a614a8ceb09efe7d04e7d26e69406

SHA512
4eedfab6982a6e627223e021f5b391fe18a2c852d9981b3b1d4551c99a77fded7a47db78eeffcd73387e8f91a9559ebb6d386731c17afe2a1ba9673634b6e3be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d011e52c30d083566865541021562349

SHA1
9248fbeb1f38d25b9b26ec7da2ddb990cfdcae2c

SHA256
50b01a6a5c5a7bbeb34d6d0c14d81233d92b055dc28d16f384c78106c5a3cf9d

SHA512
70fc2ecc0c0f4c357fe67dfb48461203a1cd27d1edff669cb33e71a8d51942082aab0254c98025ec2494fa8964c6a087f41b058023dab20e59c2ea5d0de20ee8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
6c4d83b11d332bf5d059395af3c5cfbb

SHA1
e9dd5a8af5da47a2324cb0fb92932c8b75e1bf71

SHA256
d1168dc3e104a8a95c4b6581f8a51460a38b6279ba9bad673d0ec5817558ffeb

SHA512
31578235aef5df824baf3ed99fbbb8d8d4b57dfef4b314080bca9bc984a1c75309ae4a45885ca0cda7c671f4cd1352bd87fd990026748ccf7a3dafbc947b1514

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
664562bdea35fb96c4a51939476c2b56

SHA1
89d11c8034810be8bd70074d8aa372a306d92466

SHA256
f7ec94f57e03f91d211229d6735d84cf295f643598f45a10ac53ca9e36c4d4c2

SHA512
f6dc7cc0f285b0cbb51ccca0a4ff70fe0bdd748b1ef7801bddd7d2115de2bfa540e9fa0f781319cc7586587c22650014fdac06319e24700f8e5b91da92337fdb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b2d9ce7c7aa22460c2a6a5152497c0b4

SHA1
7374983d6977b21f10daa4e474b59a7567db4b0e

SHA256
a4f5d930b4bfdacc0a845dc017a2017812f5393c588620caaf20de5cd82f87d3

SHA512
fdb6bf043bfcd20a1ef240ae297df56160d104e21b7142e0081105f782afb2610011827ff18388443c31f71ef9d668941a42477c5737729908445913b35339ed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
edf64286c2667dd910231893c124f274

SHA1
418c2705ca24aaf358b2466ccd078bf79acba1de

SHA256
3783c9854b59ab26bdc9847ab332cd28623e2344b35ad6a8e92297ed0f876ee3

SHA512
7f01400bf4223720782de4413580e812697a36e9f0a55582d894cd2ac076db32b0bddd95719d1da8a15c2fe4a096eb4c938fcbf17cc92cad3aeafeb70ecca255

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1841ad04d4268da8e96fae26998ffef4

SHA1
ea9479307fa3d5b19421927ec9c0ed081a6fe35c

SHA256
f1b1e8618174d5015c394e4704299b216eafa617d895527a27e38de1f4ff8ce4

SHA512
95577e17a6997463fb8991d82e2f9fd70294c418b7a74f78d9e45cc208a1613328e00f20f0be8699e0abdd30ad553e6e03365a796945ae6fe020de2344bbf36c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
14c5850a2f002baff1f58f5f7e1ddec4

SHA1
3b05baf25f77fa943fc72e9ff9c48d1341f610a3

SHA256
a785df88adf36aa3dead650bafd4b418b616a7b1d641ae46fcbad75278731526

SHA512
6fe750521ed3e1ffedb818cc0363dbc9cd467c58a18fc9d00a375c6685b57c8b58d39cf1e421e795aaf130bb4028705a5f7a5cf8756e613279e6950798625ace

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0c0786552693e3dd32d72ea0cfa19673

SHA1
51a8edd60fbd91ac11558a657bbfaa41aade6d1f

SHA256
f561a66ed0989323c026db97d9ed5d2e328f55769518be0f83d0d4dabb8f42a5

SHA512
b404827f69f14105d8eec57ab03dd0f98486b900537acdeae2199e868d6031412708d00199a058f4906c296eeca0d7497a202db7789b44c7c8aa4cc48d65bde9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8172eba19a4e0015cb1415bb93e247bf

SHA1
c5b49897e21b80ebc7f219836aee0dbcb805e83d

SHA256
5e8eed861229804e1ed055f8e3ed51aa47c72bb99e34a0f65e3e94a939b8dde0

SHA512
5cfb43e9914b3f4f5347a70b72332b1c1fdaa5adcf74f3c1c00a154269b194303e56bd1b821bb79c6092181e5a453a4ef2681a28339e6284e92c249514e9e06d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
07ab1f04136a837348de19d3dddd0ea1

SHA1
612c85674c8a973b2d9260ec6fef63fdb0ac1117

SHA256
0748e48d787e36b88525ec9b4ec2b198416ba1306559dde3d36e18cef6215d89

SHA512
0be7a31807a370d1eba2851752324d73f16c46a89e6a2c2d7e191e89aa19a34f57bbdccbb1031e01f8552c7c3d86a9fa950bcd81b2de7c9e923a955c13773b1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ac9ee75da5de53e6cf6a2af5d3cc6a98

SHA1
dda062c27b727c57d8f97d13091eecaccaffdfca

SHA256
310bd44bbf864a6684988ef8c01016147c2b2aeff3c06f6428468845b0df6283

SHA512
91a96a543aa75500e60806441da9da950e42475ea4a36cba4464a571a364eafe07490ee830e7d188a49863c39368db4018ef66c060284c079767cd2d7d567555

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ebb74c88003bb7ac0ae20d40161da7d5

SHA1
adc8a8692eff72f3a130f74741a409e49742cfdd

SHA256
379bc46e7f79e654f54af27e467b6a38e25e62fe95a6877e2f4b3c34c9049191

SHA512
17bcaaf7cc200f9df2b5e893c0de5d9afc531da21a05efd91a2685e5ec591ba4b16048b5595731a53db4505f7de2390e3ffd8c06465c3c2437dc06d3e3f11f10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
09f25eee849db1085937238ab0ddebc3

SHA1
5d56fbb452b9cfb9e2a337098e4caf2672e407d0

SHA256
904531181485eea20e94ddd8efed33aac32581f0729236220b9611f001dcecda

SHA512
4e24728de4774bc0dd8733485d651c878b456f103a26c2a2cdc8f1017877baded881df9c568da14993e3bde898ab93bd7f016724e4907a113cab48e60cc1ce38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9577cae14ac6f989b4917a2735cfe460

SHA1
0f24dadb68d6d4c10590ef6f9c9d5d71a9404166

SHA256
05630656ad1f971a9ba28666d1d666d065588a861811527aefec5b9bfefa25e0

SHA512
5399d74bcf5c131e28e5df1076f88e264910304d7e2167e48cdf6cc6e8692b93a7e52743be188e6f703e18ad388ce78ef0ec5f335d78ff928e7557b04b487ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e2e9987b17ddff4c2244717edf1f1bcd

SHA1
983cd71631dc6c2c3b1ba07ce1f459b343ad88f6

SHA256
44bf1fe9eb295c647e9c1c12267e8ec5d4f476f0881771d4bfec1d7a395e2285

SHA512
97fb0ba318fcb5cfa27561a4885082d5fe1288addeed8b82ec428adb6c1e055437965cefeae74348d596f97a66077c2d46b362d96cd4f6af68bdfa598598f2cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3aaa8ece094fbd00d831cca828b32643

SHA1
354037b189c1ee4051cd3a1cf16ab6200914bd15

SHA256
c49b5aeda2da0270706edbffa3e89bca5ac1927873e2138b10e411b70ccd9715

SHA512
143e9fd57cddf35845b322a6b62cd081fc86763d3ff258929e83dfc4057991fd92274cc6e65810e2451d1ec5f8f04a95360abf2d6ca9b4388ae1efcd1e8786a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
bb6b2aa492baa4038c64037fb26d60aa

SHA1
d12c107588d66027cacb99e2516b1ebe5655e890

SHA256
0fb0211d5336bdd8726c52ade2d2caed694ac914f298c78bb8c868cf150d2cc7

SHA512
01b50e8bb135e7320a35b80c64afd68617324193fddfe88b44db7c036a5abb42ca6b9fe1151d061ccd041f62d9c464332d4b2239ba1f15baa28987e4e8ad68ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
11fb8efcde0915a6900531c296ef098c

SHA1
bd26ec8844153d28f2213dc32f196f0fd0852e93

SHA256
321ab9f89bdde93d160c06613b69c767bd40dd48eff8d5e2aaf4896d17262f67

SHA512
c368b4a67a4c2b6a2f25a8e33daa5168756b00917500e97c6e292a7802ae3a264452f4292a71618f4fccd994c9aadef17066d855bebae4df957fc1e9a761fc20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2128a0d6d096cecc19f2601f42250bb9

SHA1
86311d8e3f915d6c1cfbd9524d0130e25bfd7d3c

SHA256
d2d24b6ee936dfc922873f825dfb1223af25a625024bacf11f8682dc3e2450c3

SHA512
5b256bb9f038a9fde6ba75aa7ccaa8df38882b25a134a907465add8905e92d2a48616a96525874580a6680c11243864888c1fc9da4493951c73c910c027399e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8c32c2cf9cfc137eb1407dd40da7f7a0

SHA1
f12a8164e9a2ff6dfc83a2528961b7d41768c539

SHA256
bb7a998d3d2799698ab459109875d1d107ec309c0ef4f4daef9a056726b8c287

SHA512
9779652bb34f62c236326264ebed64a325adfc821112ce0fb5aea9ed4eabfceb2702870ee1497f56fa19ce615030fc700bd61038093cd88a2d2de8b126ffcce5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
30d57516fb2041211e1c41b226784d83

SHA1
7721bc2cd2591863f4356ff4ded002465fb3d234

SHA256
08fa64c0adf6c3dfb9016809c6fcf3b97cba4062b3e845d87aebd5bf76bb8f6d

SHA512
e21645e05c898eb082e5cb314d905654e0be54afce4697a7795c2eff29a405e126a784a4bc106ef5a78242232446320ab467d040bc9fe90f2129f790323d4777

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
a12c2ce9e3b403f28ef7653899fba08e

SHA1
eb8de38d57e29828150c3f4d9dd1159742faa429

SHA256
1408d4c4150b9deac843e6127c7a07331209a1726c7126becdd61f0b5fbe329e

SHA512
8c7787f4270690ba2c3c8c2cda3e3dc5405e660fbf839716a48e28490b91c46b2d21b86bbd2ba9df9b6fea944e17b48cff1191581ef7cee238db1991903b51fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a1a95f78a69cb5e7fdc995e9a33f8040

SHA1
af8ebb9107c04a594a1031653b7ccf32db9f8ef5

SHA256
842a002e22dfe468ef78cbefdfedc903cc655d5fbe8099ceaf4438ff70c21ab3

SHA512
fe363ad7c5904993a47909d5fd68d0bcbf1cfcc7ff057fdf5d801b7ac9c1dc5c5b43f386fcbb3f38532cd592eb25e060965cdf574775e48aecfc01530373512e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
84d69d351015f3f7b48ca645e34c8039

SHA1
3e9e4dcdfddf0e32dd12d61e2ee979737bc1a555

SHA256
e93fec860f1427e1e206b08355e4f61dd6c3e699d76507476dc66e2ef0a96799

SHA512
0dc4801965a17aae7eb3aa9c23ec4d5f7edc2485bcd100187dcdb6d9e9a82c0bec29ac0b379f31f8472550503a34c51ac65d3a2c5a5580f44c8c333408d8b81f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6783992073f64b35f70bb6e4442ed5e0

SHA1
6cdc74c79399843391ae215de0a642a7343f162d

SHA256
be352c29e4092a034c6069dce59d9fe11aa41714d77126d14b50b123b60a7dae

SHA512
3c956dd268c2df2addbc8493b82045032e99d33b1d58f6b7cb356c3ba0cab4a28764fb738291ba6a06db677bf7da4dfcffae50f1c7764f1647457f14f167e55f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c79c4c4fdde2dfc6cdd179107ea9922f

SHA1
c5bdf3e3df7eb01a3de725c0b96529ec9b4550ce

SHA256
8acde8974cbee426fc0faf8c657517c051db625c93cda89af6a589bd614ccc2a

SHA512
88d1289ddcac54100667d99cb3380cf26461efa131aec1fc40b8ce905e14fc4828f29f11261b975c8fab334d8130203ea85127ba692b4bfe6fa24eefbdba5bd8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
39b535c80c9cb11e70e0b0f176b59450

SHA1
316e8428982719f8a94addcf38559eac2ba67592

SHA256
c74e03ffaacfcb7a2d663403e2e5e74c85366fc9a9ee64c0cfcb8c9f8036a29b

SHA512
4955f72f793d65063a75ae4048c4b1862b5b449e340b71e4448df8063088646aee16ff3a9f6a894040e1b14183a5e0ab628ba4238a37d94daa5681afdf82b72f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1e82a4775060bfdf2e08feafa53bc8f9

SHA1
6e686b988334d2a35c8dc1832ba9c13ed05d946e

SHA256
f01170658658178e1df1f32c6a3a798ae97c50e0a92e3452c4245fb0627293b9

SHA512
3fe42b1db474455733d7692d50aac5fc70cf476a9a8dbf22713f3dc27904eb0bfa3d59df60c2150b0bf28f03c062f831217cb490203371dcffa2a2606a591026

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a8de8eee4e45816d667cc512309c401a

SHA1
bc07bad70ce16cf61f7ba3efff8e1bb55727f42b

SHA256
15ff11f957032f8afd0291223cee726615b45b7cc28966c4990547bf5901ed42

SHA512
187a17fb8070f32863ec709b23bb05a082c635784c9471b03d1ca3fa8c724cbafc3df62ce9c41f509c840e9ab07fced9719d5e6593fef38b218bbd6f6808567d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ddedecfb9b4acee24fbb62e3f3a50d21

SHA1
2680b9119da35fc53bffc19068b0518a79131d94

SHA256
74d437f40cc87226ea1667a10b5d4100bec12084c16b080cbc36a0b9ccd09826

SHA512
efcba222842563dfb72df8ab0254a226fae92049578b14337ec83b456fb54c5d9b25e2037c9781fe277929d448c5bb7f08a2801cf089ad026ab7ca9811777391

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ccc6b4900961987017dd929752d6fba7

SHA1
336f5373f5effd9eafd8e6d0149782fc81cc99fd

SHA256
4fbe774aa95028237fc6d3bcd23956f39b3da631a089a1e643283bc845fbff03

SHA512
da763dfab557c53767d8b2423d93d5b76195380a68e1ca63d321926b5ce494bcdba4557bc1bdf66d3a587075918f13dbdef99be4e3f0c3d64511f0918e5dff5d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9758a8b675bcdd42a9b06d10ebd6d1fa

SHA1
498ae09c0427a3586c09576fd765e99a673fa646

SHA256
e24909b454e002c330c950884b8407933c1a608b983c12f64c351413920bd2d4

SHA512
3db984ccbd8e421ab086980327416c383e2380d71aa7dd37453996cc7240f267aae7790da1366a4172b5693d475ce6cd43eb93c9bc40b9f5f6435d51419f9bdc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
81bc960d688ce903bdfe4727039e5fd3

SHA1
cc451ad56380bc82804c03b23bfd8f56e904abdb

SHA256
004831789851dd837cde2a4ee1da88b267f0943d9d8b4c4786b59e33cfbcc631

SHA512
8c3251c2e2758096d830d548442ec1d83f0791f5c98526b3d8b1efe68f5f56a7d8fe309f1709d667c72ccc4eefd408ae24edf38986f3ac68116cc3ba7220bf57

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e9127ad2d6ab43b084f80c09626374a6

SHA1
35174309d59db97d3a513d212c68470e22a3e051

SHA256
a9ae310992070d6469e31bb7d674a21ad0af82bb0513a2cd4a84ad9f0072e5aa

SHA512
d4e0cf048b8aa100eac4ec760231c6784a3f3aafe43f87b92a40b0de5c0cd254922952412b8588db2b409cd2b5ed17f85c4d9d51a0bc7aa92da6bcd5b8460eee

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8d77377ccf2711c7268f71f53de8a6f4

SHA1
22085620218fd3a87e57d71d5380b0405b82a11b

SHA256
368f13d3bb5c172cfbfc0f539920ee66821e17088377fec94c6da593005e8555

SHA512
a9a71a933c498f1b4c77231ef378fd86f2ed0c5814ffd17f806bd3bc8ea4840233a1a9875220f9fb5384082efe8b61f8b93758c3ec8102e432e56d0831a7657a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3ffd8b8913cd749a470eed28a5d31b9e

SHA1
5d8c06d87bacb382042ca838c977b35f18afc73d

SHA256
5bdb16a20cd3c2ab155b4341956f26932bcd2ef6dd332d2b13b8f2bbc54f4c5d

SHA512
fd69777c2eeb54956041c66451e5ef995ac51a4ceda5b4160eb827ef36cf65384827db425bb05b403647315090dd434cdeffc94e2d2ea05cf38dedfa3614f36e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
05005f4ac9438ab53339869fd071b5e3

SHA1
fa4d70692692a4eb1d73055a892356de072b83f2

SHA256
456831cb93dd9106a0c234870c0c7a60b5beb2b14b0b2fc6999aafb11f07047e

SHA512
5a4bde173d5ca3f093fd8541a7850157fa55db3e5fb0396f920e93a42899c2acf109d21a8a308002abf9ee1c2ab0a98940c11f8b677352be4b3510a508ab2d68

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
de4c3bf6b40a3edd41b746131f2fa680

SHA1
9bee9c949f9c0bc081a408de63744a0dc4a9e61b

SHA256
7dc23744ec1e480b552164c704016cc7cad0f1eb5b5cf63e5e4918481b1e37f6

SHA512
841dbab470c171c966308b57765fe7abcf1dafdc29336e7443acb69a512fd40792017a40d297e98befc968fb4aab37c1a129880ad19749213b9c90c63b1a0c5b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
dac753de28c3f99a7c8220189afddd1c

SHA1
6ea9eb322cb148c4a55b13eefebf914419980ad2

SHA256
eb35f267f1d33e7f3e49b764514cca3b4e5c52f6e696e8fef0c2195df12ec619

SHA512
b22b3e645ec221d9101c81d608f8cb582725fc304561991b01871cc1d0f971bf14268bbe388649380eecefc1f239ef487c4e370cf490221c27abb8a619a210a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9cd5cc391acbba547936af1649b368e1

SHA1
761f7af72c97eef3eb0fdc63d04e2a47cfd6894f

SHA256
b5c9006d0e3a782043822b7ebcbef73d0135c0c7fec58cffba762c55f5365800

SHA512
bfefe58dcaa684f5dedf5acc72353705ca228616f3c9d4e5fb762711af70ac5f9ff6b2092606416de016fa1b8ccf0b52e73283d7552c961952f4f2ac02caf3df

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7d6bdf68c3b76c3092923f79368d3d7c

SHA1
7c1b4cd3c69214feedaedeb1c9aa8c765c6f3ad7

SHA256
205add1a514dec7dbdee089517e3e57c2bd5407f50c182c4a9dd320a867de314

SHA512
c0b1b428d1548ebde4cc798ce911ff71efaafe23e46ce0576a7dd3a17f59fea35677450a6b0b00dc823cc94ce60a4078b47f03aec8b0c50e340eef2474802978

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
62cf9689636fc18872da257b33eed12b

SHA1
99ffb8731ca9e9a57f524f1efbc30026b081b70f

SHA256
83e2736202b2078c6c017611f9832b409d3a74572c54b988b55a8f7c6393401b

SHA512
7c62c80695e88f4ebe55a2443158966945b601e84b9a222484eb1fe262f79a8928ca62aac0c2baad77340dceee784087b5f478e9f7e31767b27283133c16e288

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ef5d1cfdceb3164ee19169b4e3a823ec

SHA1
bd1edcdc7336bbb76ffc06e2e146cc7abfbefeb2

SHA256
b1cb3c94245516e11b19c76839fe30f917c326f06db38fedcd905c1c73484eef

SHA512
7c5014fdbf2cea2593894399dd22ca327263111040b280e6b9641fa51c49b009d747468879747a19987d08ccad6a6bf25c535757051708b3fe254b4165829492

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f3192e097a67b2da4ae55c1a87fd9beb

SHA1
a7193069fc9e4be8987c7b865f9d129ae7f30670

SHA256
404ee9ab77c758ef8e72555a71b8d85befedd2bbde5d93e7a332626836ec6611

SHA512
9ba2777ca1b4a45d7ef7873a7c5d5762533dc88c0f68bd1fd8df9211f4e238c4ba818343bf80797666ad98894e9c84ad6c410c00ac53442e111e0e4555eb0fba

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f2f586d9e326a6b5a484339e0300b787

SHA1
0d3eadcc182771f267eae95c84c30241e8203cde

SHA256
4b32cc461d2df32d6729a1629791c00c093bce52d0ac801737edd54f1d72cb40

SHA512
42123a1b7815afb71f2f29e623922b99406c02326fa3e0ca205a32d0c110ce1ccb7c4920433222298689dfc9ebd5f470ef430fa9fdf294049f374b110429ae89

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
98e3c341132f478afafe36f94d136685

SHA1
600204062d532501dafc7af08cc1e2658ad83839

SHA256
4f0d46d25536f092d42fdcbc111dad25b78d8172ac5cc5c46c6fbe7d72b0242f

SHA512
8fe7efa171fd7a9cea0fc70cc35e81cc8f75b0c4a992bd0b786629a1d998642850816bafeb2646320116f572e7ced814dbe724e485ef32153dec856dac8e6ab0

Download Submit
memory/392-166-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1032-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1032-393-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1780-82-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1780-378-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1780-2-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1780-7-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1780-0-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1780-380-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1836-163-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2068-102-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/2068-107-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/2068-160-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2068-518-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2216-32-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2216-38-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2216-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2216-351-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2308-170-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2308-520-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2444-172-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2924-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3052-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3052-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-165-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3644-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-99-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3688-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3756-168-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3756-519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3900-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3900-521-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3972-79-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3972-515-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3972-73-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3972-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3996-81-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4456-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-167-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4820-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4820-22-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4820-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4820-100-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4840-61-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4840-55-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4840-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4840-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4840-66-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4872-86-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4872-517-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4872-87-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4872-93-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4996-142-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download