33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
Size

1.8MB
MD5

fe2a7f72969b7e9e14f9f0c9ea85c769
SHA1

2ae3891a767ced93c95b27f8554470ece9e6cd96
SHA256

33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f
SHA512

cfdeb9dbf6acf6e930ddfcbde4aa7048a91cf344a56ea6e5c1cfde21d26f78c150860c34f12a63e64ee95f7dfca4f87658891a0da00e1934e5535c8c1ccec4df
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnS0+pWAV7QqejX:MKlBAFPydSS6W6X9lnaWAV7v

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1164	alg.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
4612	fxssvc.exe
1596	elevation_service.exe
4468	elevation_service.exe
4748	maintenanceservice.exe
5032	msdtc.exe
3588	OSE.EXE
4672	PerceptionSimulationService.exe
2580	perfhost.exe
3180	locator.exe
2028	SensorDataService.exe
4440	snmptrap.exe
976	spectrum.exe
4740	ssh-agent.exe
1564	TieringEngineService.exe
2064	AgentService.exe
2356	vds.exe
1136	vssvc.exe
1084	wbengine.exe
4960	WmiApSrv.exe
464	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\56df5606aa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\locator.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_de.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_da.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_fil.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_vi.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_is.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_ta.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\goopdateres_en.dll	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3E70.tmp\GoogleUpdateCore.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe

Drops file in Windows directory 4 IoCs

Processes:

33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d33db5eb7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb80bbec7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000922c83eb7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000105ab4ec7699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e45dfec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a5c76ec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e30ebec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b16f89ec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005403baeb7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
3240	DiagnosticsHub.StandardCollector.Service.exe
1596	elevation_service.exe
1596	elevation_service.exe
1596	elevation_service.exe
1596	elevation_service.exe
1596	elevation_service.exe
1596	elevation_service.exe
1596	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2228	33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
Token: SeAuditPrivilege	4612	fxssvc.exe
Token: SeRestorePrivilege	1564	TieringEngineService.exe
Token: SeManageVolumePrivilege	1564	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2064	AgentService.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: 33	464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeDebugPrivilege	3240	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1596	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 464 wrote to memory of 1904	464	SearchIndexer.exe	SearchProtocolHost.exe
PID 464 wrote to memory of 1904	464	SearchIndexer.exe	SearchProtocolHost.exe
PID 464 wrote to memory of 404	464	SearchIndexer.exe	SearchFilterHost.exe
PID 464 wrote to memory of 404	464	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe
"C:\Users\Admin\AppData\Local\Temp\33f0694c55cf969d94d5c25a3775527379b017ee679f484496c28837c608755f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1904

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3445c5fb928c3e519eaa307934f0106c

SHA1
994ba85189016a9c905fa2f069b03ba76ecf7b15

SHA256
3dff9266afcf5e686e4a79a44a9a0ca66386f8c5a46563dd01c94f5eb4b72852

SHA512
8ddd74de8f8d24d5379ef9147565995eafd1a8d14fdd24d333b416340c8365213d630c6f57c8f5bf3a383a407d6d0919be457296f65fe2f0cea396f0d865b513

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
11c2bfed7ca7b501a2ea33cde0736e67

SHA1
d881c64f2263e74cccf68b96fac8bcb47970df7d

SHA256
86ca933d0a8219d90ff1e35ab7137a02c7207b209ebfde6c11fe848c8e2ac16a

SHA512
3a8d265de5e36753ed2d50ad49c4fa99fc4f44e61e6bb6844c7008a6e407818b1467daf65cf1a132f37a5e9714b8e4779825b65db579f58ced00a23823897c79

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
78e38d334e37171f3f30a2506e6d83ee

SHA1
5baee082e2829dfa582c285f5e28ee3f3c3fc40f

SHA256
dbda2ce7f18de1c078dbf4c8ffda43f4e476fa763f4ab90ce585139ba5dc6e4f

SHA512
a05e827f87b28d6c42e9cb045ae64834c0a7790904cd6b2b3194208cb8a2e773fa955ec86cd29227a4f367b1fbb1b1f21e26e1e104739b95a5d3f2f015ef3b2f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b5c3ccd2102dcd21784524612a3dd735

SHA1
3aa878d9efd674ffd7c44a76626be5c76734a600

SHA256
bbb3833868bb4fcaea2b9316f415e80b7047724243dd070e1cc60ce67b8f94b1

SHA512
1d31e49c650d8b2d134e195168872227e15c512b9c08584efa4beef8853743cd2c2c6c46ae11833f7666a2766a348e75f75ba82333ae79979c2f91b9e5f5927b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6364c6043940905446149580399e89a5

SHA1
bd4ab467101c834d8622a1856574ea60d5670273

SHA256
c14362f42af2e32eb38d6eb095b3bbbae2d11d215441ac773f36a17a8a7a9eb5

SHA512
bd4a3707c4a31cd3e37690ae7bf4d022b8fbc9a3315cbb9158fc38092db58f0cd229e9aa2fba99a563de21114729b95cb645dd874c9855c6704d9440812978c3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
15220339ae1e4aeb781aac74a7376f6a

SHA1
899cb2790086b4cb8b5f17c9f41c30ba6712d023

SHA256
f12323921fcf1575fa002c25ab02da15af1a4169decb04c1a3690e4e3ea28e36

SHA512
b8f8673eebf0f2cb727aff4781330e8fa7b493d6aea647baa55b2159c8a120ef8f83421c9fc12abc491a402f926b7e9db50b50d9c07c72f0b333d1194821b1b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
d9cef5d5ed54edc188ac91754c62b578

SHA1
6a24bffb81a0c2c9b2bd834f5037ef3af289ac65

SHA256
9ced3742915d24461d31dbdd98e879e56c68164eb33de8d185433ebd03676bf3

SHA512
d17297c2e967c6b1bfc877fc6ec7e6b464ed98d09d4372025fabf5d5e1462d68ff271cd0ee01cce5ef44dc32e15dd705b220e34b7a3e08246929cae0bedbae32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b581456156b67a517348cb440791a81e

SHA1
26497f2f5bbcbcf02d07b0d5610732dee285df40

SHA256
6501df9f63f5b8034092f742d355a358999da618519f562cfb22464740411cbb

SHA512
64f8f7b9f6dfbe2abc51efa1328bd63697d58f0b9c36425d9f176fb6329574b383f7ed545f8df479c6660ba782f09fc4540db79e308eeefde64884ce95c8189f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
8b581f4efb95ad52b63a59ce174da192

SHA1
69887d5f3eb26e0bb3befce0a7b1f917e1173a9b

SHA256
91b7634a7e4056303f88fb3033e4408c98e3b23fd49c99aa086531ea418824c8

SHA512
f3cb95ed9833a896fe8b9ae434c6e5ec212b6b9132be633cf60c5cc57ee346652e671cd2577c3fe686299b8e4b731838ca6521228cb01334eaa7da1f350ed81b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
97337945cd6fb2773674da02b965359c

SHA1
818eb030fdc31013613c9ad9ee3bff3a5327c5a0

SHA256
94b9b0c238b9792b2c4687d08e385e5f737c1b97f11b9a6b65c75d23779bc758

SHA512
e56d5eb2bc659f76bdaf468ddfe8b8086bf8fdd83dc37f131b381daa3c8e4c2c8b6ba55501d30a0934689e4580ce962cca4199f7084e02d7045999fab9219ed0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8827b8b167a502095e1a6c16b58424df

SHA1
07e6dc05240f92aead562a379ee96266c77c9fc7

SHA256
7c151771a40160829087d68d8eec84e62f1751af36eec8bf5068280aedee2dad

SHA512
624ace385de3f82ddb99d7e107b8a55987b572e7d1acbcf2efec304b4a2cd34e3c2d9168de7fee7e5041d99b9ecaa26e034d3e413e7cf083040561b5641fa518

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
acba7fd6137a3ec4136585267749e8d5

SHA1
38e80a242cd78c6df4db1f44eb54dae3eb97129f

SHA256
f9f5b0f2e6a111ecefd5219e465c8330f5cbef6917e9ffaa8e32acee86507cc3

SHA512
0302e474f4b34bb1b54712788e0cf44a7a963cf3ce90d040fb97a1c133b6e80fa808e53535b9a0c21c9fb2c3d6892d590780881bb06f12d751ea1d38bbf7dcd7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
1a97b165fe3100327fcb4447ce7f8f15

SHA1
1626efe7ff632cb0e70553db8fd6d8ff4c1279e7

SHA256
ac8ae11eaa17388dfb3d83ea90203a3ca7af6fd8ccf63aedec93ed30916dd119

SHA512
eb3b13bb2b9a4b8c7123f1eab0635ca1cd2c0c50efd994b33c7901d0d52c93b65bf34c93b784e166928453b0abcae94a004e9d106e2e9f721ec11b3d55ffd11d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
62c87b75587d5862409b595437fdaa50

SHA1
b9c30b5c26ef9963030aad44249b9ceba81a931f

SHA256
f287ce66980c1ede83866fb1f82be6021a88c31be4f4ee4d44b079dc6194a7ea

SHA512
cce65e26a0364e96055108789232c246e54e4e9f7e3b1e4e47b95268cce46b05f7dd97278f17639a3c31ec6acf05bd45fc5216ed8bbd984b24da44728248e1c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
d805943d4899678d71bbbbcf8165d29f

SHA1
9564aadcde25b2e84161adbbac0a960fcb28d991

SHA256
e7915d16f12b7803c57ed255b3b31392b466795a83443e32167ec8c2ec3340e7

SHA512
add388c049988f9662a4e6f57672cd163737386a95c212c9e7ff581bf19a9cc1b6dacf23f196327e9b03b7cc1353e854a2d148b31f075ccffdfae2e4001293e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
be0a054d12dc281c2036f894805642a0

SHA1
dc66ff205cbb2ec617286bea45c13382e90bcf51

SHA256
179f0d4f389927fdec8cda58db8959f4145613b33895bccf32014c1687f28cb3

SHA512
6bd86b2e600d126887efb55600f3a3d1bd3d086a707255d202d1e8c3bbe36816ecd393e31d6499a135b7a247e72b7576b054220e02c87db97f32b78377b5ce52

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
7a77a762e9cda30359fd58a22fb001e9

SHA1
c7203da2e886a3a6833673dd2c51575d5087e908

SHA256
667354489aba054ba8be5f7a2c4e0d497d17a253846622523835b020236ee205

SHA512
2e0d3894e8fa188124a1b28d16fefe4af1e0309bee7368c17f944d60d839fefb921b94524e4b6a195f36d07f6847d8b5cf1794610d934dae95a9b3f46d7d2ad9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
6ff31fe6a04318238e700190daf06bac

SHA1
8daff266b9907f736bd2e3f435927aa9cae9a370

SHA256
9725213f89d16e8992e7bab1a70efe2f10c7ebdd34a53c011c6c4f14974b8134

SHA512
0fe26fcd970991faebcc6b6577b457e2f3fb61f189d8179c52ad087edaf32967ba9e36214bcb5f56b531a4faac6494382943c0473f3de7c416d6edde53d25aae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
d7173f6afd378990ebe3a682e4dc94f6

SHA1
5e0773f5651245d36b340415250ad267162263bd

SHA256
3571661db8306c128bf40fd986d085d71340ebf06c2ecda33a967626f4e177e4

SHA512
9cc8b477cb1341667bc4eb906299ab0674be65c2a50a49fe27d9ebd88c0afa3b9999b0b8170721d4b56e204445d45a724deeed42003cf5e997575e9defd295b6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
f2757fe2bcc30dbe5485d899590746e8

SHA1
072a076f496a3a1aee771a168362735f5e6defd2

SHA256
d454b7abdaf2784c932baf1da0dda6b4ba5203a468d9d0ad0ffd7542a5690e02

SHA512
6a9bd1473bba934da8461ccc7b9650d12139c8a1f48d17c3a5bfbeaecc2684d6a934825c318f561994519718742fcb96f81daeaa7c7f77aaa19973e32f49d623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
fa2e2fbe1cf801faf339da0aa99b9d7d

SHA1
dd64bb624ca7b2e9f11d0d2244264a497160e579

SHA256
a6a433cc9d9527e54822922feb740ce2526dcb0c83e3c3b1717a151f9b55b79f

SHA512
bb4cf55fb7397f47526b56c29bbff6db8bc30b8083350fcea969ea98b38d47e3bde0313a8ad5c25f9de99844d5f30769930a14f1c44a986669f17ac7b604dfc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
f466116742e8dd27e1f95637e95c727e

SHA1
6f974fc9edf138542b339f28904e8d4640aeced0

SHA256
4ca76d15ad29d246ecca4de9331a59f539d71a294053fa1067fb01ca7d79c82f

SHA512
9908ade719329ec3c5806d95d9bf0fc824412de1580fe1d08253ad98cb2f33ad33f60da93b66908c16050295fb972f8fba2b00b8270f6128ecb7ddfd6e63729e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
df07c3b4602b1771950ea63ecdbcfd2a

SHA1
cc2623b2850445827abea902ee45f42df155f7de

SHA256
de49d13fef53c8173d8c365f0a4da997ac15798f91e7b03ed11331af6cc08390

SHA512
7e98570c61dcd0a3e293fb8036646ad7a6863d92c6d5301e769084a1c22463c16230d7106ca9201c922c5152a117aa129e81c71bf10f8fff0cec0f0d89d9714e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d257951da81b7f2dd0cbc1892e521bdf

SHA1
eda8d3f664b235ce46a06e5d4ee21d709d75e127

SHA256
04bbda2a7a8e844c4016ec8015b2b49cc7f7d69c98744bf4dfb13945aedc2be7

SHA512
ab121f7de34a0014893f13c303231c0f0eb8004468e2301b9853fa55de725037ce5bce2cda4e83807295b32d387e4facf99edc524279b317333a714c8c02be02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
18690df625f6669b6778e0384daac176

SHA1
5cf1ea606f0fb8572824a3bf00a858a0baba590e

SHA256
8c0505e8a1b56d025f101b5906d5382ad9a217e3259762e149a099c9141673e7

SHA512
71dd9b0efe1447edd7c083ca99a7880cfc4175552de2ecf3e9759c8e33047870100d89d8e03824a3b4e67a08c4fb802caa008acfeb2ab3374314493d24cf8bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
222078535ff2ad795b8f582cc8fd144c

SHA1
85ab9e7cdcf0668e9273acafee28d3f75d227804

SHA256
73f9597d2d065a5de9170ade463fd80207d3d2b89bee950e2996f2b762db56a3

SHA512
9ce73965668194fa36dacccc85a60998038e4ae634a31e400f59fbfeb08675248323cad4300487534d1bb767c1cc63146e0d12374dd83d91bfebf28c6c669c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ad11fd8bca4828c96f40c75b7932fa42

SHA1
c3cf8a5008d3aa0034f61470196deffd6d4c7da5

SHA256
4cc77b9c9a8ff91194ad3c1e91b098ba30ad1dea03c4e3238394b01b70144745

SHA512
ddec20a32f903246e6e2bf7232ff2d9f31f0aff8125577b0e0f2a24424ff28c37297dce0fd41a511677da8a4f57837367b9b9ca407fdfcc8bd7c70a0dff683ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
06116fe519b4b6686165e9f658666b24

SHA1
d14592048198a9c0424dc973872480e5116884a6

SHA256
57f1acc2564f2f44c7cf9d61be5af269eaffcfa273a82eff226f22347c9f0ac9

SHA512
61d68eeea47a4cebbc8cea6e62f8d4d8e5a7dc9db0b1b84c416a81a8b7f52b22f9a711f1ea3bc4171726a87c899444beec0352bc4230a13af7a1024b1cc1ee63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
76dbedc66bc81f37e320b4a3bf0f26f3

SHA1
b98bfc541347a8eed1497369ce207050db1b4877

SHA256
1ce8f8328bc4df4c57ac9b5b4079db516a025187c46e09c2d5cbd3b794e22045

SHA512
a221c4a1db507ba1831ea3ab345b55f01a0044b9da471512216616e5f22979d8e8be57e7ec7569370c26d913cacd4c17c93af1f9ad427527ad903a2a2e9944d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
0e626fb85aaa2e4a0637f265cd9d2934

SHA1
ded5604a8143d24268939c1dde5089c32b3b1d4f

SHA256
b67e9cd7f5156fd129ab6322c7d76986301da57616feba42856c485e0984ae66

SHA512
2bdc8d2cc2295b779ea1971734da68aff027ae3e7baf3211722e813056c4340eb9045fb76201fd8db3cec9d5010e58c09a4e2810b20c6c5444a96432e99a13de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1f06ba83fb780373db39aa8c3495080e

SHA1
b2b9f842b6b67baba2086d19ce98cc153426fde9

SHA256
dc7c8f3bdc96c24ee638064bbda69c792cd0ad1d712066f36d275bd82deb83ca

SHA512
7faefc9ae63c23fdb2218f08c82181abeae53478377e815334ec7ed9a7d65fe65a5a2ab1dacbc63650f971192a7122e70c3cd6985a0218dd79d4ea356ab88905

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
67522c057ba4ff03a9d6a870b1382da0

SHA1
8c444cb7690624a0508d7031f9cb41077eee88d3

SHA256
5d506373412a49e3d266e6b4a99512b6d7a39fbeb3e5eb1f8a90ee4bb2ca706e

SHA512
5199203f20e09439bdbd21bf65c2fb6a5506ca465db457aad7f165df9e54da5af7f95257817bf44010dc8da2654de4a39b66ecebb02052f30e761095507feed9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
62d24261959a8a03b25d182f982acd3a

SHA1
f3c3aa5d031859e5d701b075532d80ceaaa40626

SHA256
aae3f0db0a22307dabe5b3a56c30385e411c6f1352ec7cb021ad2ebb265df21e

SHA512
fd327403f785d653545fffb2bf9a49ca5c860edb73ee02acd2ac0c512347ca0704081fbb3a973faa56a8092b569f51e5fa3d44325cd0644ea0dd473d8ef11dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
68f9d31cbc1d496328f7ed6e003caaa0

SHA1
307e5b248a5a687a23254949482b72c03c1ae0bb

SHA256
a0284b540974c4460adc3953b11bb404f1166c9476ed37f4025ec1045bb4402a

SHA512
4d0b36f59232c8450b800e03116322933ba5db455a4142d04c5b17f8e393e7deadf81fb8961f2066d5bf0f18b193c76e4919152f0f27ec3beccc15a43d139c58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
f8b27fb8debd8b9e75ca1771009b67c1

SHA1
33de9eca4c055fd1ee0f38d745d347495a8fce32

SHA256
3d34c74d037f54c7d80375333cfb4598296a89522aa2b57d75853e174aa29595

SHA512
468a83ef1d32588194241e19d01a35f9aea37397d0340a59a47afb141c18c05d36b13cb24f9078b9119bc6d7cb91c2d0c0f7560408d2c348c162ff298e5637b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
a126f9c468260af4416008f56f3f93ea

SHA1
6e30971160b0fbba12cafa27fbe427165c26fea9

SHA256
b27734f92a5fee1e74f66299f7099405c0dfadc54ee68586bfdcf04cc4810881

SHA512
c01f9e3620b9b6c4d5c324e1141a43f1448a0ef10e37a991ebaac4be7b2b1b3044938437fa87941788c99ad892c992c862997d0d80558652032018a6f2460525

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
7108453341215dcf3c75efd81b6c1c84

SHA1
22dce27604e55c73baba42439bfdd73c8daeaca0

SHA256
6f086f9339509f1e1aa241c486b9b3a958c8f8609bec7bc201b13e6c94c10440

SHA512
38989556d8f7519336245bb2d9f60f91f845ab9e9c865bcb217911fb5dbc99fcc6c198d258c969fcc416690b9aef0c4aa2d54c0f55d07e43db43fe5987c4309d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
94e82dd5ac00dcd2b5c2533a5b06d5b7

SHA1
57924d0e9d35d018142e78f2eeaacb768774d7c7

SHA256
a32302886f06c4a55b454c9ef53669ab8a56e599adfe172b4ca03114cc2aae03

SHA512
66f1acde3f58277592fa4508bfccfd38ef227f09a66a446c1c6bf13df7b69242341e148f83eda59a3ff4bc2b88a58dab9abdda3262c28085e0587431ac7b481b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
ace39c6a3663bcc858798db1be09ab91

SHA1
bdffc40d90b0e6c032d23b84eef001e31f4a8a0b

SHA256
c447c6bc67483c33b86085c6a71019f197be8501fa0534cd77828bc6797f8176

SHA512
5dbf47ceec4ea05fe19baedc054b809d64c392866f6ab7880dae123e7a327fcfb5558bc32e29af51a7bd3e5f619b817af2e0e0a49712c2ae8bd013d21f1fe000

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
dd82e2cc3f4676d5c2db0315c6b17993

SHA1
65000a81a977017e475114f740720d459ed5eb36

SHA256
43830f5460ae83f1536a437c9477279d826615ab926b03396fde4b22c3273180

SHA512
b05da89f519a49a2089196f89bfb4b44f7521648f66a9c4054c54e8835a19b1717e55a22254c7cdd363a255548674a9f36bb8916757b54a7eb527147e1255109

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cf52e75f656316d8ce5d35b1eb04b0fc

SHA1
dfbbf2e71ef22b544f33a27ade06308d00e9dca0

SHA256
0843b3d0bfb9d811902a1a4acad5e7700aa35ce9745295280672fb298ddb7fc5

SHA512
c1495fab7f8db7d4a0103ac3d33f860c2ab206b6e5b23d7ea7f88919196f40c17919a2ad41af5b7bb320d0bea095e1659dd5522c10b4ed0103a9dc6718be0cef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e8ea726aa7295fbfbd51c9a9821f2347

SHA1
bc00a6409633bcd99e7b1259aaa33ce9d4787dcf

SHA256
3b8d619f3b827e00cc3eb138b1262b98bf1bef09be6e284007e868d6e40bc892

SHA512
86ab3259bfaf3de0cec772db5d12726333fb9142d1c2d56ff32b499e3e8cd9ffdbd911eb3a4d3878a6af9e72197b1cf5256260867845c2d99621ed10d45a2409

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
198f54feeccadd24329963c15509b7e5

SHA1
7498e0f4ecc5d3e9eb4f3877a94fe9d7431947d6

SHA256
8d5fb375a4a304998fe0372374ea313989eed31f8ea4730aa6958ad258b9af21

SHA512
683804fa5aba34dad34d441ce711067ad1d76e4c73cb763e2db076bbaf87663ca67ea1d286032dbbfb94b3e6506d79726d942df7466211109a8ba28d90cfd07f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
144cef560f9cde8b30b19818f1cb6bcd

SHA1
1b4d03074b9eb49b194d8c3550e1cb6dafb3b279

SHA256
f5602f8ed93c370104ede27ff58c416292e4054fd3f09459c761a1ee896aebc5

SHA512
12a577686bb0b2730d46c7f9f3dbdaf7c8c5e02576ce0d5be655e083268ab43bc491ab5842a1632a9844b4279c76e03d3725b3fc1e41b7504d89a54a57950d0b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
7155dbc87f9693fe8e15f844e2f3d536

SHA1
cda508008500948b528810f4d2440ea2108806ae

SHA256
efb6a9630d17961f9be0021fb0d4c5423c64b659b2f1058ef21f08c3227cef48

SHA512
912264570f7c50b53c3f7823f725f801641dfe4e69f6fc2f678e4f76b9deb6c4d6c3e923dab5371da991818274186beafb277bc4d700fa2dd6847e44b464ae73

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
2156836ee5bce259dabe4b71aa5505e8

SHA1
cc3691ef3abc366ef93ddc42c04545e1c3218efe

SHA256
eb6da845bffc2542a18687f8cc07f00c439131000540196d6a98379966751ca2

SHA512
40b59000eb51d1326cbfd45239070946ae3c75777e5594d7a40384e569c4bb8993edc191cf45af568453b210c85ac655df76fc24e203f6807e74d898aa25d96d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2c6b692400e04597a1f18caef104d3c5

SHA1
17467fe634db8a0b6e0284ad5d74d48c1dba06ae

SHA256
5830d40287205575ed79d955af0416c6582614e9b802f829305f87da81e53813

SHA512
7af2c7071d9fc63b2a25848ee8bb2a112e06d45d2888efe5dfc6e02b5a1f7c01b7c6792ff998d115ec369e1388ca907ea005b045d7600f5c32e771887a2ef52d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5e2fabd71fe92d835ffa8b7f53d1744c

SHA1
a955c2b716049cd8b40f030a4cb5b10330904086

SHA256
5906966d227712eae7e85aa69e81bb9ca47c4e1cb1d2db2efbe64a4c83ad63d3

SHA512
0f8157b59ee81aa2cce01ba4c72026125894ba6af807a69213766979b1fe4d48e03f33fb3b0b0c460cc7654bd171b37303bee344b86965e1a51236521761da01

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d1637542e2aa77218f3158fe77402dc3

SHA1
9404316b7efe7385b47a8ce90a1d73940e926e63

SHA256
1caade5477fd35d39ad3b1135fe36bcfcbd83dfd5ceecce2383ff87ebd2cd940

SHA512
ca15f0e6958fab760fcae724cf23a54e03350aca0ad114dbd54e4f133c1f3fc07e3cf5bf676dc9ff541bf61118a7839b5e3fb8b8f8d65bcc2492b78dc6db143f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2a1d78bca1d55da5fd0d0bd6f658a029

SHA1
6e9ba154a6c19302f5270be033f47a8d3566a428

SHA256
b61c93c10cefb3f03ef97ca134a906036b237b113f84ffbd4fe4c5a4cc2aeb0b

SHA512
a0228a2af2a763a1dde58ce3f3bd5b094c78cc81f954407ed8a686bb812927a87c65e668d6d44677440e195fc6162545c601182ad1ddc68d8f03ea890b037fce

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f035df763c39e27b21c806ae4aadf757

SHA1
b746aaefc93e9c5860c25c09a6f5cd9b0ce8018c

SHA256
58fb4ced0a68ab9247d755d44a9136f26857b56d3dd8597045b0da05b39bfcee

SHA512
5d929649b82c10cbaf8ca5422ea4fb64f5b93af95e270c7fd14aafe7295d3ed01fe82803f485b4ac55329a81d14dd731b60a5283fd0ac06f48c12b4af4281716

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
640d82dd8d6ec3caaf83211f965fd408

SHA1
727b33b68b21db5586ded0ced97e8a06595d59a7

SHA256
1dcc9aac381ac24ca1d5f10f105dadb6660313964823cb2387f27c49ae6854c3

SHA512
4919e378f240ff042f49bd19c0664277a6df76b739f7cef40e7ce198782f8e49a039431db32f64c811ab680450fda3f6cd358d70ee21a97d109149fe96ba1017

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
735ba5836f704b2a262a666df7aeeffd

SHA1
22bc86ffeb1c9ba8d17d63f2cf2cc116e3a97d38

SHA256
436b5c777ce527db6ccd5303f597fe12a0a721e7dee7380900db7285d7cea2bf

SHA512
79e41b8a6054f14acc3b64af844afe401e85738aa2e85cfbbe0ad098d18beb6af55680c67a12cd5208c1cecb6db8029f18ca3c65e2f8078ea9ca4202e796453f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
000411660b0f27ad1c6e61fc9c9ff5c6

SHA1
09cc69b84628b2e512da5777ebf2227f0530db1a

SHA256
30f2d8ed5059244795267107f4f461259f25be066f3c3329a86c0536721b4123

SHA512
dbb24dc413bbe92f4e366fa3e021874c3e309a6cf9d335e43372fbc8c6b2d5d3119056b3b51a93f4f829624e0175e9ab839a87ca791e6b5ff62630b14d8f695c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c0222ae7a67a05a26bdb3bee540013f3

SHA1
c02be5afc623e7ae193ed15f9afc99e3d2359b70

SHA256
1a13c86370ec303b5c34a15770fc9fec1801055adda5b7f47f33ef8b71902aef

SHA512
1fb56760f716d86a8ac11789c9413c917cc280c090dc42cd5b6dbcd8abb6096d471102ff2cf378f5e0eda53483064b7103e554430be6baa8976c78fa2c6076e4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
0994240d8bf4f84eeb1d1dfbd195879e

SHA1
6c9bef4ce81ddac331ee6e98329d7a22f3634b29

SHA256
d6f8e545fec95090ea73efc6168453dd1aad4003d1673fc033ee43e5792ac2eb

SHA512
4ecfd8c2a5ba4f7656eb36c52e16f0864eea8faea860da05053a301ceecd83631b36af38f27a40afbde6d5f34fa0fbd44ca948f03993a5225c3f9b7c4c0815ae

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4b456332802ef71672e42f80fbaae77f

SHA1
f6d5af0d4b77e93714c36d54f7c3477059412eb4

SHA256
6024934f402c053a0d88471504694596fa1b0d5cde104e21cecca2221ec6daa5

SHA512
cb8c92b0372fd81094dafa921c7789e7fceea5c2630632fb429e27acfd1ae95787ffe511e275d23adfe5c7e1df1e42a2fc0303d44f0e91b89b222dce03fc5c18

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7aea4069fde4cd854b3604f55be85951

SHA1
b930b2e225ea436a89106178a621ddb419c2f90b

SHA256
b991bac476d50a1488850dac665b16e6af66e910b07759c19601c1087b9ec9e1

SHA512
aaf0cabc4de3ffbe032aad7b205b5cccca8a12f666a689125293ae4ce9fd4fea6556acc133d4ce0c73532a754882d6af955044dd7a85808de0c93dcef093e5a4

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
4ef0fb689af9dc5837b194f1864a3f47

SHA1
a6f4a33529998e79fbda6ff8f09aa2b62b629bd6

SHA256
754dc89894eb8b8f7a7192876e8e7193ae93766151073b28b94ea4bfefb79880

SHA512
a98119a7fd78d7d94297fdd3fdd25741ed11074bf1279e73d87077fc2879016c9eeba2c6cec5360fefb4182ebe4a7b0f153f05a7c5ebf7c754d38a5361ee012c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
af71589cf304aaf4fbb4c5ce24072927

SHA1
263ed3b98d7e449fe401401d87602f12bf9906dd

SHA256
c2228fd139308c137ee70ade82459ce2503d26fae20567141fea8ed6fd45a34c

SHA512
8d5f8b02cbef4e1ba3176258256c01c1d7b0e647829a17f79fb4dced1266d5ef0907d1fcb883cac9d90a13251c3727e519070eb50280548063a9e86a6f9625be

Download Submit
memory/464-648-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/464-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1084-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1136-646-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1136-265-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1164-593-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1164-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1564-227-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1596-47-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1596-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1596-644-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1596-105-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2028-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2064-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2228-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2228-8-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2228-503-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2228-1-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2356-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2580-221-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2580-165-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2580-160-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3180-222-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3240-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3240-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3240-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3588-219-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3588-140-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3588-146-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4440-224-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4468-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4468-645-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4468-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4468-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4612-121-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4612-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4672-150-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4672-220-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4672-156-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4740-226-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4748-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4748-123-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4748-129-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4748-133-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4960-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4960-647-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-218-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download