1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
Size

1.8MB
MD5

8f73e545d5aa9563e3d9757d8dd28093
SHA1

def75d4eeb7356121f00267292e3fbe98d4ce6c7
SHA256

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f
SHA512

e7fc4d188cf7a7611e795318c8ab8761c318d56183e3e90c92e405de853fed011d9bdab8c93758465fdfb873a21dd91ee91fbc86bbc857a5a2d6dd3b4b4e83b1
SSDEEP

49152:YR4ck+b5kMJB7BBcJE+Q0OFvfClxg0YELRDmg27RnWGj:Z+VDJBdGJEaOFGAEFD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3748	alg.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2656	fxssvc.exe
4360	elevation_service.exe
912	elevation_service.exe
432	maintenanceservice.exe
1316	msdtc.exe
4808	OSE.EXE
3472	PerceptionSimulationService.exe
1928	perfhost.exe
2208	locator.exe
1068	SensorDataService.exe
2456	snmptrap.exe
4792	spectrum.exe
2928	ssh-agent.exe
2884	TieringEngineService.exe
5052	AgentService.exe
4876	vds.exe
3524	vssvc.exe
1032	wbengine.exe
2656	WmiApSrv.exe
3808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\alg.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31292800ad45b396.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exe1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_ro.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_lt.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\psmachine_64.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_am.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\GoogleUpdateComRegisterShell64.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_ar.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\GoogleUpdateSetup.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\GoogleCrashHandler.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8dea0d83b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee3ee1d83b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039b899d83b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba05a8d83b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
2740	DiagnosticsHub.StandardCollector.Service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1592	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
Token: SeAuditPrivilege	2656	fxssvc.exe
Token: SeRestorePrivilege	2884	TieringEngineService.exe
Token: SeManageVolumePrivilege	2884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5052	AgentService.exe
Token: SeBackupPrivilege	3524	vssvc.exe
Token: SeRestorePrivilege	3524	vssvc.exe
Token: SeAuditPrivilege	3524	vssvc.exe
Token: SeBackupPrivilege	1032	wbengine.exe
Token: SeRestorePrivilege	1032	wbengine.exe
Token: SeSecurityPrivilege	1032	wbengine.exe
Token: 33	3808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3808	SearchIndexer.exe
Token: SeDebugPrivilege	2740	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4360	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3808 wrote to memory of 4788	3808	SearchIndexer.exe	SearchProtocolHost.exe
PID 3808 wrote to memory of 4788	3808	SearchIndexer.exe	SearchProtocolHost.exe
PID 3808 wrote to memory of 1368	3808	SearchIndexer.exe	SearchFilterHost.exe
PID 3808 wrote to memory of 1368	3808	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
"C:\Users\Admin\AppData\Local\Temp\1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3768

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4788
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
49be8b2e20e635707e6caa88040e312a

SHA1
580991a5e2f0857d940bf98ddefb3cf96cfa1919

SHA256
5592f2673c45cd828db39e64b1ccf2578f6ceaf493f02b5759e48b72614b11f3

SHA512
0f364475ba4f9208d61c8099283c8000881250c273fa6f0fad678230c69218b5b51ef1322e6b130aeb62de6c8888eb8eed4d81cede68e5f7e2e16aa20e40b554

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
9645de3e5c706f5d519922397cc8dc00

SHA1
a610c1adb08d224bf186bc9ae74b26c7128720eb

SHA256
8d3cc33a0dcc8f390ae2048cf5d51534369ffc3c749c7900f3b0dd107e35aa52

SHA512
0784318bab2a4b890a3b6a859607e41fee88ba16b73e1f2645234323cc0fcb50a3ca6d5623857d7c42dda6c46a1a21b6c71213776545411fead9f76aef820b90

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
221f9330f4cabd8d552ac8b9c2f364fc

SHA1
efc784008f0cddcf14c7179bb449a6f962c48fa8

SHA256
abe8fdc531b45bc9370e32d9ec45a1f930b80da4c3f53850a54a84029a0ac8dd

SHA512
37a3620f694511665b655a7de503d638a07d0a690867980cb1500e720bd5648bda7c3f2e7d2764811a2e791b0f680103c63c0520839918b5699e707c8fa48372

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b98f613c84a8aebf52cbc4f85070dd2d

SHA1
d66e9cafd463a4c26bac079416f90619d3281bec

SHA256
78b07b464adc900ebf30b5af5e895d425565b042f7e3771c07e04f84fa9e29aa

SHA512
37a903481e70a2234ec0b23cc32584c326b6e7342f1717fd74d3af52d521bece4d12d0db21d9a0dedbb9978deacf2d94703595985e4337d22c0b48a215af5f34

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
db2fb450582a28e39507e7c1cd694397

SHA1
eed3063853e755dea466a7405a6ea7a67295058d

SHA256
5295d22c6c4ac4b88eb1e331263d0bff7d6ea0585ade2e88fd84394f6b2f576e

SHA512
e69291499cf3f533fa166a794ff4bde5d9af17694a603033dd009f359790b9cecf172b337bb9d2d4e2494786e0569a1ab7f4592418b1bfaa6eb532b1af886037

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
62ffc574bd6ec56cffa57d8d3eecd960

SHA1
3ef0a90ad49b8fda6b34dd6c262aa989d19f246e

SHA256
f2f5cc386e19563d91c335da6656cbe4da59bdead583816553c3de6c30c23bf4

SHA512
51130fff26513d6b20a41b8c43793d7cff32f5181b0fd0c17cbcfd959e6b599a8d476c618d7d176fcf10a31cdacabdf73ca878ca39ac687a03df66c77819a519

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
3211b03d38555b075193e9ceff02a4fa

SHA1
b7f8f641828eec6d4846fc22f7cb090fe400fed7

SHA256
0562301857b9fe5b9714b8028d89ab0779b3cf0690d792aa0ac0f157b97d9f47

SHA512
ce95d2b6205537312d258fa008823278581f9494322eca59c876bae4303d118135d2453bd85572d92191473dc89bde0a5c9f67ffedd0e9219e52ae76e0a1e286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9adf89e11eb82124435f5d944004ce64

SHA1
177f5413ec3b55a8d05dcb1b987ebbc768bcc175

SHA256
619fe74504aae8ea5d242b377884b5b5a1e95bed36ab6b953a00be2eb5af0af2

SHA512
9e48883d9e46b91ab91b3a70b3dc1358b71bef69a007f011d928b0c84feb7c162b1134113eaf5da76931db7b960c181d0963d92d4796d4df41ca86af7dfe717f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f76dde06d4eb83ae0eba5b066132dc55

SHA1
9793730505b488de4368271a3b4eef440f1bed2d

SHA256
06eeea9b766905ff4b95137d8fa02e77b67cfde89cae4dc0fddea236ef0d009a

SHA512
4544486c8ff2441338c2bafe0b66715e28b4f879773e3e7158b80dfd59a7618de6d4bc4f6681b62ec2b945639fa067392a1d529f3bf4672b46cd16227f9707f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0d21f77f4feb2023b4911101705a309f

SHA1
7fea7c462d550626cc1df5778dae3a490b5dfaec

SHA256
edda2c31ab092392cfe5657c2e67390642bea72f28808617c95303947801ac5b

SHA512
c6972568cfe3ef32b87bd2c9ad9aad8d309e315499c14355b75190005e0ea0be347b5e86ba3495db0d0918aa181621d6d5bd63390fe9f19a56996b0ecf021d85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b0dd2d6e054695833ddf4deda1750b5d

SHA1
8ba39bf6a94d15bdc18aff707a7e961255949c1e

SHA256
45ead7933b8884353f5c15bacab60097ab5f14f35180d260f6dbb6745d93bbdb

SHA512
dd49909ee13303f4ae2e72dd307b6d1ea18d87aa4584433f1fba059bbc4f26eaa41911310934dbf3e676af74c6d5704d258e27b59612588b69806e321151d10f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ce03c868398b278d2ae1b2e81a5f4324

SHA1
ae8915773dd29841fa53cc5bf6427d7c2a1a1e22

SHA256
3d762fd236555bf5ce824b9de543610eba8c25115c0e07978491dca2ee47a81d

SHA512
065d8de74d61b227a2c2eb257101ddb8d268cf831ee871ed6336eb9ec1604578c0e1f11ccce3679791f7680df2481c513faa2e6771e630243e0dc4361ef272e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b04772681fb4e8dbad94ff1e355b3f19

SHA1
9fe4a6735494adcd30e029a6ff876aaf31435ab5

SHA256
8049b78342e10198a46a8104d1ff2c187afa409cb4b91e9e78b2523a5a5677d6

SHA512
f657288791cdc1fc3875932e659cbf1c5f8f9b16a4a30618c1df750514571cc6d8a085941bc221551123848bf35df86801b69debb00486ae1e4404fa9adac588

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
9659a90586d50e694313b08e43b10b3e

SHA1
bb421e2cec41b707605aa0f56d757d83000a7d56

SHA256
44203b1b7145f0c177e21ef98584582734f953c7ce36b81ed081e728c25a0b4d

SHA512
f5d0cb74b15920fb463468010c9b55c6986425854d2a4a75ec9f059584d244d2c7daf82d01180723f3de06f8fac25c079311d80d5a956dbc4fb10a291ec67775

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
02b3be149c1098758d1b1658c0d2f873

SHA1
26bb8d59945ca4cdfee31fb6cfff3448cbb49f20

SHA256
8f0906fe2a5e32be30e54721242f73e442bb59b0f24e867308e329ef8929142b

SHA512
7a2ffd0a9c7d92e498351449d37f1d9cecd99cb538972563f4e68321fd08f17e249b0be4783ee300643097b5ffeb3aa7ddf9993bda4fb0c3c9af5202187e0d35

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4eba5badafe1cb8c808565585097362a

SHA1
95d80ff5b21036a8aa87822b089597da6a855491

SHA256
e99df44892cff7464cdb7a6506163800a6b9cd553660941a8c9197b5ec853094

SHA512
e7e1650935968b6be20dbc8deb21387d5fd68b9bed3ccf9c143be450c1b3beee8d8df80bb32ab8fe554e11a51de2178910918f812d0a3ed3aa83fcfe749854e5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b972a63f32187a6efd2a2c7d0ad1b0da

SHA1
6d7ac70a43441e53a2632ddf14669ae9220f27f9

SHA256
f68fa80828704d09ba0e33518545413bef0c2fa34c3970adcb6597e00cb4f7c6

SHA512
dde3fe0ae6bcca1a0e9caeb7843ff21bdebf4e284c174afc30eeaed1e7df3858f10a6ebf65a73d4f54d797df02d3db4a0b8109cdcad79f26269e13bbafe54e96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
fbfcd8cf84dc27107220616abe17e25b

SHA1
c8f61521bd87252508aea6a9be80d0eabcb692c8

SHA256
10b0b9b47c5895b7855b8319e9cc117ffabb735a70b09ffb5ec54c28d52ef3ae

SHA512
ddc98f40d21cb242c4b47e013ceef5695d90d64dddfeb4c80c6d515e3c01650a10ce608a092354683310f83f9fc732ba3250ae2ce95af5952b4eda71c496612a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8d55d93b77b6b98b5ef7ff8ea6d00295

SHA1
4feab6bd8fc8a4956506a0576a83badaa3258d4f

SHA256
63835afecf37d0702e8d856c5773543d9f16293b0d307d9925cf04791b5e654e

SHA512
7c07cff4821cea8b7cdc8b393286eb19b687e5f9a5bcfb80ded77b14aeec65e0891b16f60cb2895618c2cfe1f01d9bccc7f906871b1eeb5b9ac4c509a68f52d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0fc4c86d820a8130c4e515599c4feb26

SHA1
bc35480fd41f1218a2e8a61f174366b6eac96f09

SHA256
3b28dd571d3de9c0b0cea210eaecd822abc311ec46dc66c8c438f6f62b1d7db9

SHA512
3468194a62f5f1cebbac93b15a364cbbf144028abfb0ede5ca797943fa11294d58e438b9cb99275dc897b13eba16c95814ac4664249b1cc0e9b37336cde6b9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
a9fe8da7358cbd5bf4c23f9f34d8025a

SHA1
7e327874ca0a9f37c2d6fb044f2b5b115074d8e3

SHA256
dfe4f744b2d7acea36fc4994f659e88cf8c2735f9cefc41f619de8bd00a0f232

SHA512
83d28e1c87380e046b5b825aad3c2bd66c195f1f66a23ac5ce58cf9821523c79af6007ed673bd063658d608fe33e6279df5ed1c6c732d2d03a2bc7e4ddb3aa8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
d3a02f4d43fd14a3a8e6965a25ee8955

SHA1
162e3ec08fc04477d840f153352598a51c7fa77e

SHA256
89d5b38228edf1f5bee8b3934cd4ea0e1685450d8e88179c2c784d91fb71572c

SHA512
4b2c248cd976374ddfe412d17ff77a7c60a30aedfa5bec3570e8f337028524858861f2672249d6d2134389a0cf1d71908aa4b9da95a7d74bf0f8219082f3c79b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
944b3f9a7c1bf896bf6e0ff00f918b16

SHA1
4091980cc8f0613b512991a91b9ef1174ad57c8d

SHA256
ae1d719c5e6f0101941be41d1c9d4fbea9b46fd0a992885cbf26789bcbed127d

SHA512
524ec23eeca1f804742918ff020696cb348602e97fb3c1fae810cb862897ec499109c0a19fb24f5e51a62f98d9c0c18f955a4782c34ab00d34b4d59ee423c5a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
76a97d4b02edb2a763dfdd48494c473c

SHA1
757ac7df585f8bee19129a739e868dd8de0b5b76

SHA256
165480a84319e86c84a8d1f68340e1615c933d772b82334a0744039b0b47ac89

SHA512
507fc3515db3a6049d64702b5250addedd1e54e9b61ccdb6ccb10f6b5cd2030ed12037dc209e71f1951cc4a0d1624e62ca61b0ac654f5727db8bde200b678941

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
712f836e7afcdf49f267077a653aa94c

SHA1
7af81882eff427ba8229d983c6290001808802c2

SHA256
cc2836bccedb8e731211ed883556d7ed2062af44bd63cc7f0e031c8927d6e30a

SHA512
6c531f5fb995bab9d43d63ac861d35e83ce736d540e39ef7fd0e8fb4d459ffdefc1e7a1085527bc2b37983c14fc117f564b24f9664b8870695bd8720e804f9ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
12e2a0cb16c2423db24343b1b346604e

SHA1
3d721fdde23e040c6ea84a73ee7ddb9fb01bc77e

SHA256
06eec72833fa6c3e51a04336f730ca57d4e0f61974bbe621df9179a140898578

SHA512
152f47d5d2c45a113d52a082c31f2cd7424e9766e0ce4d8576ee2c657c51ea6a99b10a268350c00e18c187909c143d361084fc8896f291aeba3f73a6f2e5a9e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
db00ff1da608766b13167f03d71b4ca4

SHA1
69b6cccb544f6df92e7e0471deb609c9d89c30b4

SHA256
5d4454c9b8cc6068ebad6e8105e2b86111a3befb727ccf1240d2dffb96988a6c

SHA512
db7965c5f4882e78145a846e2cec7c853a8b118fff86f48acf6e112c6681eef17558bfe436cfdb66fcd7e8a12a1f96aebe7ef303123e523de99279660c28205a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
b1aab2c3bd030604ab30820d4dde31f6

SHA1
df74be24a5d7831e5487cdc720f5ac6098b4a952

SHA256
d6290a7140593407f1af85cde5ff01eb4bf02662774e5a9fd5108e005a0d67d1

SHA512
4b4230f1a654052f782719073608af47a6cc584f17ea30e87e31df23ff67342a4019c2958bb487143dbeb885d861591a1ed55d663c2fb094ad9cd1800b2e9624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1d1a022fcafd2dd6b85a912057b90b10

SHA1
1b88330aaa9c2c1c27d1acbf9ac83a9b0d074639

SHA256
ee4f8eb68e1b9eb5dfaf90a96069d8d47d3e5c979584f7f1b08c19313a592626

SHA512
3047002a56bd60d3b8c9425b73e35cb6e271e6d2c25a81262b29d6e68185037dbc49c6e3ae06cfae6806d27f197b239e886edc85e52b7234934a601ca8b6657f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
df551f4fa3b8ea9b465c0a8043b1072d

SHA1
29aebd7fd5b23fdcdc8282499477442b31c50071

SHA256
a8415cc404bd306eb0d60e127ec59406dfb1f470d17bc2f29878c10d80d0414a

SHA512
9139d2066f2f940a20f0492d1f53673e3de65104d27860d95992ac5f4960d4471e71072e95b1328a1a793309081fa1d58cd6363aa5ecddb441d2ff01b36fe869

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d33b4d0fb53f48476ef08edc633ec7d1

SHA1
3d27d529d6695a127c4370e23ddd0899a1414b52

SHA256
9435912396328e7f822af143fcb01c044efa208f2738cb5479aa7ec995fcd049

SHA512
ca08dc03f1302ea9eb1f95ce5798aea1193045e57554b747c1ca04babfd2803ea82bd98c85fe54cdb77554a75fecbadbdcae9edbba9941b57717840eb93ac3fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
725d1d0e0c9fc811e8d39d727d420a33

SHA1
96bfb56430a895ebb422d896be680207fe06d865

SHA256
5e5e98b35773cc77875d10b15e7d10afba2dba43758b0d881ab6eac061ca2cff

SHA512
6455952f00a8d92c18acb06f7501c47f84c353fde0f85294faadabedbf5f799232e945ff2633263d482e41a3f0b24efc36d2213d0a333b6cfe28ec8ebf27d50e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
b10cfe895c904afa9880043a677fda0e

SHA1
ca27ca8913244713351abdea5163c4729a3b8648

SHA256
62d8d0a9978090ee46c08afd394269ccd859cdcb711525fe2dbc58c49fd2a5d4

SHA512
e52928bca88a7e55e081fc8a45be8befb0b89e4192fc30a1d0586874530278cda12143bbfa2258a67544c7f6bfd5762361936a38e22cd9a908c094ccc0194232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9c0c7c3834f6396b6f8d98f8b1afee5d

SHA1
cb28ec9cd8e526b0de289688bced1da1f3d1d9ad

SHA256
0502884bdb78431181ba4947531b5368b3341ce62202bd5cd71fb9025b13af64

SHA512
52a1cc91e5dc6936263d5fc05dd41b6a3714a78065ed0044c25a081202d27a17ec42ae14395a5dc522a0ea6f63dccc97f265969c628e3c546d35c3c6ce92b8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
10654686a36c828f76d4283861768b62

SHA1
2b95ae44a001b1402c80beceaee622e93721c1f1

SHA256
0ed7a07c7a07e25376e6c23c39cb9d76480bc7ebeb1d5e860211f4a5f1c219a4

SHA512
0d93b4b0e6cadbc9be142c3c0668287763aad04bf6b438b1f824cec33da7fc0948464e3de6bf377be6531f75131729ef50576c9622c1e0044767d144b35d4763

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
d46c7d9a47b1794268e3a221fd870af3

SHA1
8b980431e6c6353aae7bb83cd01f8c16ca76e3fe

SHA256
8df54e0af1a13a1d50dadde7b88db76f812529097594f151a2023adc829337fa

SHA512
d364232273c3a8c94c84415a272cdf861fa11d3b869142da53546b75cfd8d9f0c3e2334b72bee4542591d09bbeeab87d30f6888f9ded86bbc2b8b2b0ecc534be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
16ebcc8fd32be8b31c1b0953cced9aee

SHA1
1178be8fae156474b80d220791d88af498bf75ca

SHA256
82b70a6cb9dc128e11aa7676311f2a3b9e63bab7605eba1005329d96cc71c86a

SHA512
648ee21684c351755e3dbb04bc02c0b4c6f303dae400d76dfb30f6a97a1f5a3227d4a8e13f9f31470b8726ea0c90c50d9a4f0edd832fabab79a01949da8aaf73

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
70464dffe4402ae172aeb7c2f75f352a

SHA1
70749734dd2373635caec7b464189e574ccafc77

SHA256
f886fe4a1d68016d4e4317fb16c7108eecd2c3fabab9e6b3a313d2998f426494

SHA512
d02910b9a5950c9efc05f136d7e9353cc3e36c63a5131c32eece3ccc2ad5fb2c81c4ca560b18b3bf081d0ed469fc7f11912134723d70b1abe5a149d59408cc74

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
122fedc2ef6217f344d93491e66b003c

SHA1
e2b724897a6a46203e631e811a79b8d7951dbfec

SHA256
6e9a0bc84f8f1571151b2b3af0237826e3ad3b05df7ee95b937c0ca63cbd2ac8

SHA512
7f48b5e6622ea8075218f8dc3e5e3f19c203866d6a220add26ead3579e5ecd746ce025285aa56d398f5078b63a2e1f2a5e4d639a04d4cca83faaa01f59aea6df

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5eb27db06984a78a7815163fbca72f46

SHA1
a970c086a2793812d17689d670f42827c8cdd720

SHA256
0b798db5e8f7a8453a3b02b0bd649963dae1c67f773fc57413d8c70378de20cd

SHA512
459a5ba60226468cae80ff586e9909e4873e5f76bd9f7b974cb0df081b5445ff4dcb51da7067a30fc76f56212d85f22a5baf75932b07011498aaea6f6a18277d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bad7f0aed7706aff208e34631d29cf2f

SHA1
1e41f17f86a54c144688a8fe5bcdefb7bfe60afa

SHA256
9e664f8ee35d300fc297acf19ded813dbead0939cffbb4c4498e7ae27f087e63

SHA512
f56c88498dae94550125309edd2992314eb94deb7f43c6dd435ee8f67165d3951dd2d31fe654a8b7c6eb1e793f8f9bbc1c4c39a25e4a07fc30611f8aee41cff8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8f34cb3578202cab45cd7cc125795c8d

SHA1
19889028bcff49a40f5dc083bd98d87cc256ff45

SHA256
82def4fbd6174642f427c87b20d7518009dc76cefd4fe2d46cf1b3d73fe51253

SHA512
1363cf6787c8d08c192f563bdec8221ac9ea5450b77357c6fec31e8d42e16137a0d229e4d7ec45de2d52d5d3da31db90f255f3f4b0d2b48ba5b537116b23c7b2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c149c5fbe5d84a791de9e13634388e1a

SHA1
0f35102ae759e193a6fd15b33886cbe0f7f96186

SHA256
808fa90ea50cba665cd52592efe8b5845c50a2b77ef6b26f0f91abe8ad35181d

SHA512
8e3ea4a4677529a1db42ebc05847f5e35bb0487e24240b28cc54bcbb0429e79dd76400ba327b10992cb84e6016a6a5254bba0c6725d8584dadd78a0ecf9c5ec8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b82974c931170cb5fbe3316ab8fdd65f

SHA1
2773b305ed6846cf07fa316db6ab342d7f5d434a

SHA256
e01e5a4a1d82bb8f7c13bde9c726db19f2c0c21a0a9632f59c622afa14c847f3

SHA512
8d1c8466bffd9b0520e5cb9aabc646608179bc9ccc7cfe04eb20c2d9308119d7f12e5ec72578c5f4d00957c19a25223aedb4014d409dcbb3f6c7a141d1f4d07f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f4816c355db3a3d6e52a21ea48371f64

SHA1
69a4796a245480cede1f8bf0cedbb04e7a3bda77

SHA256
dd1637d5251fc8b6e57404d91e5cc6aecaa451dbe0a5b4985226900b8be7febc

SHA512
1451a8737abacc34eb59c898bfc52fe94fca1c9f142a3b9904865c43e7b7b5a71029163f09247f21b1c035de7867ce88ced02e81f5c07b565d938a75f0f5bd37

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
dcb00e751d9bc7d58ae7d1cd5e504ef2

SHA1
cc066d7927bb485a7cde62b97e40ea7351df0722

SHA256
fd40cb944d443f1cd87ec8b562ea92fa80adf4823584aae8bd8c57a9307f5b15

SHA512
5625161906ef06d9c91f7631442b77273f0fdb07bd97cb1086b0f96e612c6c341bd6e5adab69c65e57d8e30680a6d790e529fe55408a815332c7dc7436da4a52

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c9b5b3f90b25a43a41764d165a98c13e

SHA1
4330fb9f60b093fa7809c539bc11abc4f90550de

SHA256
d0e1dd0bee0da1cccab76c0681fd68611b76b61d5668ddb8bfc1b626dd3119de

SHA512
a3dcbc1eb5a1c6ab9c392e37f98ae0f49131bc240a56f23e7c088ca16b80e25d3a1f1e84249aa9338833e9eaae9a26a2c204acd36f01e6b693dc09842776cfca

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6674f4992dbc5b82360af58f39ea65f

SHA1
759b480e8d886c3e7d61887c2f6a9a44ad346d11

SHA256
1f0b4974eacaea3a576e067d13901286f12dc73a97d6bdcdffc7fcee8d90af71

SHA512
a0f322fe16285728693e96d8f7411c9b95cd12f55a6aa7036d79ace29f64bd296d3aa168751eaf85c24c3be6b5f546d6e4488c47019e6002593c08502123ded0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
922c050c840c0f21e6907a7b7294be22

SHA1
ec4aca6af175a09ad67452069abef407e3aacae3

SHA256
1ac3e68b5a787db1dd9c272b0720840c4444bb048d2b99ac1a933902a4ef5907

SHA512
a405b17554f801f693ef4b7bbf13ca10185573dcc53b966966d1d7e6fa468decaff6ec52c3b8f67e3e93f0390e5666d7a94f01ae9d15036e0340cfc3a7a59dd6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b82f5c8682ac3c27406f4bb0fe35030b

SHA1
46da9e057d6a531ccb571e211515e5810678db84

SHA256
268470d9ed366ff85d9bf68fe5eb919448c787159313b1ac7db0f65520fb50f3

SHA512
0fab80ad5bdb4926b2c57b9569d8158619bbb3a4ce8642e73f258b9d3d6c7eed2e7df1fd9be4849dd9de38a3a81fa5c000c2f92eee3bc1c016de9211e89064d7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5eaed5a16c37329497dce7e56f72e275

SHA1
8da7d11e473b95f4a49df35e99e9ea93a52fbe56

SHA256
e23dd41b924eca6df5a5cd6999f79e12c68715f06760acc7463c29a99514a359

SHA512
1a6c9da429a2c2f2ce6186f6342194ce2457513d11e519424f0ae71b25b7f66454dd3dbb762c357db3d347ae645edbf43a6db49a8f2fbf3f786b84e6590fee6d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
906795ddf2ebd16ecada0dcf19825527

SHA1
ed9fe4386f19bdab2f55b84d3517a526bcbe98b7

SHA256
c929a9ff7f21a1ecd96d48713401fef59b5ae33437fb6a3644b14110b11a2fce

SHA512
4ee8f448d498828c3ae30f485f415399c9a05a7652366ab007a2329e984016cbe24002b7bd0e7805a44715a28fe86631081142ac9fe0958ed654b765e16f77d1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
3c2a76aa645157f0d492ee1a208aeaa0

SHA1
812b36517d5b7b6dd647093c670d65028609a3a4

SHA256
32718ca4a62f71ee20a57dc3b3831237073c52c80b547d6ee5973b1ebeac39ed

SHA512
a288b06a450d5ca8046a148369c8b6c2ebcf5b6e036006c38ebb529c77f519e3467182e0399ff204a1b7cf660c8ef5e6e7d241ab6ea75d0f0011f11c386368b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0898bc8e9bc66dd495b8818f3642afca

SHA1
2fba9c15ddaff298a418b9db31e9e2b2705a3253

SHA256
5ec968b21ff92ec9c882360032715b9b54911bca219f643792e27271bb89f122

SHA512
5acf7bf09ca7f294c9a8cc95bd12b13114b35f12914736f9205872251e05aff159aa19a5a6b68ba56298a3651612a5759003dcde5cbeb023dbd6d963e0c021ee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f8b5599094b9db9563cffe22e79a3877

SHA1
44178dde494131aa4ec0cffbbfffa888eda3dba0

SHA256
b09e9376495ab6f655b838c038cc343dff38468515045ef58bc6c695d2288d01

SHA512
85076ece5fe7d4505280e0986d9797f4aee066e272584c4d61113d2d32f15347d874fac16b4cfe7e674fe6425cd35f785d099c66a9a683fdb27e0c502170fffd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8494294fef1b6618a2ec81eeb3b76ed4

SHA1
c677492f86e8ae7f381ac77be58d345d55611f1e

SHA256
deef35c7b2ab6d203c64d08801c15cf119d5c8abe4eebd017f7b0a33d5ff57fe

SHA512
5936931afab29b033342967793e0d6047d5197034e7268fca5fec8826d0e4c6c949e1f5e6e789231f95c0d5c4672935c601e809b95e3a560ffd1fe8da6622576

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eee116b554527e7ee2fc667f56ef3429

SHA1
4f4e3dcfa400437b2d339f4214fc068b5766eba3

SHA256
6cf61a32162ad89c8390d300f30b0fd70ba405a062b5d8393724cf24799bed9c

SHA512
cd5d023777ca59631b217031e5a72674a6fdcbaf850de7436344fd5e1d24d2fa3f80a4a4ecf025bdd75acebdeb401a17a61a1140bd304351918450947560d601

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
00faf622c4972518cda80ffe6b240cf5

SHA1
b069331f5b495295b06cbbbf46f6242b680c3200

SHA256
5d0b7b6929c6f8c6345f92ebbd14c9e34921e89a9bc9a854536b7fade6e0937d

SHA512
101a58dab4a9bae93cd0021e102a03fd509e25411e3533150ed78dca77b9ab21fdc5f3fa40e6dfd1cc1d302454c59ec7bfd9d3acbe7a280e695ade38050e54bf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
5a4b553c18b2b6a5df0fd92f358eb572

SHA1
047eb08f1aea9dc3dd5eee835a248ecaa5e18636

SHA256
b37c04680275a68fe22035ea95bdb05d6921866871e10d3d18af8b70f45d2173

SHA512
834927f8bccebfb38450236b3893f16e20f486d793a1f935022fab60489903568a26a828844f544274d5a530fcff914f83d29752444b480f3410b62c08512cf3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5526bcdae5d01507055d67db3d150fe5

SHA1
489994edad799a0c3e88a2757ef95e3908f5233c

SHA256
f51974dcdebc8ac993ed19f68754fa886fba9a28435797af7e8c854a4ea3f33e

SHA512
e59862ac1123b039fcfa42db765a8e1d6eb7dc7dbab3b5de95400e02d78e3c1cd77c60913c99ba5f4db7a2b9a9c9106597349a23bab77d8a0259ab37738cda8a

Download Submit
memory/432-137-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/432-134-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/432-132-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/432-129-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/432-123-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/912-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/912-119-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/912-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/912-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1068-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1068-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1316-138-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1592-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1592-429-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1592-8-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1592-164-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1592-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1928-176-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1928-173-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1928-168-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1928-676-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2208-182-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2456-188-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2656-109-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2656-681-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2656-269-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2656-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2740-187-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2740-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2740-84-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2740-91-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2740-90-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2884-232-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2928-680-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2928-212-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3472-162-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3472-156-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3472-165-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3472-675-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3524-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3748-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3748-181-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3808-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3808-682-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4360-106-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4360-211-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4360-100-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4360-108-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4792-198-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4792-679-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4808-151-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4808-145-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4808-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4876-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5052-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download