ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
Size

1.8MB
MD5

3dff9dc6afcd41fd3a4d3a31e7ffe05b
SHA1

e462ded58cfa211456424c646843392ae4310777
SHA256

ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f
SHA512

74437526278a10bbdd02ff1465ab4f69002ddd04dc601dad28f4bfa63f779d50d89ae823ab22359b075848841ede50aff809f371e88be9e62ad8c803f7415767
SSDEEP

49152:nKJ0WR7AFPyyiSruXKpk3WFDL9zxnSNblI7a8K2mFhbrr:nKlBAFPydSS6W6X9ln4lI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5004	alg.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
4312	fxssvc.exe
3056	elevation_service.exe
548	elevation_service.exe
2532	maintenanceservice.exe
4920	msdtc.exe
2716	OSE.EXE
2224	PerceptionSimulationService.exe
1612	perfhost.exe
3340	locator.exe
4408	SensorDataService.exe
3496	snmptrap.exe
3504	spectrum.exe
4584	ssh-agent.exe
4724	TieringEngineService.exe
3856	AgentService.exe
4360	vds.exe
5076	vssvc.exe
4084	wbengine.exe
380	WmiApSrv.exe
1012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ca5811baa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\System32\alg.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\System32\vds.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_lv.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_fil.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_ca.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_ms.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_lt.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_sr.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_zh-TW.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\GoogleUpdateComRegisterShell64.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3374.tmp\goopdateres_fa.dll	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b524eec0a899da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009510fac0a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaea30c9a899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035852ec1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037fc05c1a899da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037fc05c1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cc329c9a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
1244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1252	ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
Token: SeAuditPrivilege	4312	fxssvc.exe
Token: SeRestorePrivilege	4724	TieringEngineService.exe
Token: SeManageVolumePrivilege	4724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3856	AgentService.exe
Token: SeBackupPrivilege	5076	vssvc.exe
Token: SeRestorePrivilege	5076	vssvc.exe
Token: SeAuditPrivilege	5076	vssvc.exe
Token: SeBackupPrivilege	4084	wbengine.exe
Token: SeRestorePrivilege	4084	wbengine.exe
Token: SeSecurityPrivilege	4084	wbengine.exe
Token: 33	1012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeDebugPrivilege	5004	alg.exe
Token: SeDebugPrivilege	5004	alg.exe
Token: SeDebugPrivilege	5004	alg.exe
Token: SeDebugPrivilege	1244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1012 wrote to memory of 4356	1012	SearchIndexer.exe	SearchProtocolHost.exe
PID 1012 wrote to memory of 4356	1012	SearchIndexer.exe	SearchProtocolHost.exe
PID 1012 wrote to memory of 4392	1012	SearchIndexer.exe	SearchFilterHost.exe
PID 1012 wrote to memory of 4392	1012	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe
"C:\Users\Admin\AppData\Local\Temp\ab25e9038563287542296604eecdec2a2e87c8c13c23dd8ea809661550b08d7f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4356

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ca92bc120dadc274828c1b29d51f1955

SHA1
760782d31608d153fb171a7262bf7d9bf6db723b

SHA256
d17b2b62d08963a17df894bc24bb5143e1822bd705633418cc077e9f01220fbc

SHA512
c15a15295e0a63fc7e21e911fd00b8203b23c2433714cfb2d585e2370d2b205eea0cd53b762536a6d8dd4bea0c16fad82392f96a58ac6b3d4f2a21f6b12b5314

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
be8d124c8a25e4ed1e105c335ca65ed9

SHA1
962aa3b477e37d51c5c57038999b5baf0559b926

SHA256
5cbe4679e76727cb150e31641f526093c584bdf889789c31ca484cd75bc7db51

SHA512
689efe5587d4c14b5a9f5e7f9bbf97725d7d58ef148edf29bfdd0c91cf1a8ae6c9c9f1074a6f8b64387d1d14cc2310fca9df857870b4e029aa5b5ce2b6842018

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
f30837c835dcacf529977face326208a

SHA1
91463f290253ae39f7e65786d0499a92ae230aa6

SHA256
da540c46b02457f9e032245445e7ba12ed1860facc0474504354059340f0d4c4

SHA512
2055c41cada2f744ec5f9719fb41d7db9180166b7ec7cc62f778865182942dd8c62421f75ee05f3d64b2456d4f993af95c890bf5d8d8cdbdcfa5e9409a1b147e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
09f060a39d86354090d4c7dc11096f0f

SHA1
64be6f7820404788c39b77903f6f86b49e71a4f3

SHA256
406f0282dfda0ab0576c176730dbf53ee90163ba54a278507d6c444c381d398f

SHA512
67905e4ea1cc7c1854a0b8b7da38c7185dd5b20221c03bd8e6fcb6988c16570f69488e98d9b6f400070fd9573c70819b7735b26782b05e5eb043e30c11c116b7

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f730631b4ad465b777ff9c1674166154

SHA1
e666b3b698789fd371807d048b352b2901be56ab

SHA256
6ea41cb55e0d74d2346c3b4d77e663551945a0f851f1b4fc27139f8b0b116b46

SHA512
25e085f16f8be95c7b911ca78f5d54cd5be38e8c0e438fb79a26262b80857a18b0bb0593b9119667ca8af6aabca93b6bc60dac51ef0a236d92476cc60c0c2d99

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
5917ee237c1cb4d15031fe7384b25656

SHA1
568b99ae410e28e00f09c1f15b194732bae75003

SHA256
b252bf5fdd5be3ccc3bca898784af9325bcd829a137d8fb1b0947cfa02dc524c

SHA512
9e44c1841bfb39caa3e471a8ce86a427b31fe9bb00cf65fbf83a6801e90b3e61a713a3da115e27bb725ceb5c8be37ea9ff6fb593d9e09911abe3698dabfab799

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
41ace61b6cec1595f38c011948a66c82

SHA1
19b14107d6027b07285a1c5688ea1847431cff28

SHA256
44c2639c45fc827a1e63e75711da0b8be95d4f40cc72cef6ad9627ad26b1a974

SHA512
bb12dba587988b01f9129a06ea23342a7504cdc200cccf3113a41abe12940cd64c12d872a58a6dbce9aec8886953204211e4664ab8a3727efe3404b0a851fe2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c735d7c669e9cc092f952272ec0f2880

SHA1
81c0d02aac4c92b773a06aac51b00238be24dbbb

SHA256
349f28ac64ec82fb90f0e967e3d43920d57f8167cf2d03decf54cc88f82de44b

SHA512
4f7fe3b870b7fbb86238d5310a41403cf060867d7dba4741004fd4fd85a596a922e2c1a10120afc0a68afcaab44eb93400efeebca2269846fe7c3f5537856ea3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
61eeaa1defc41ff381b4915bd9ba0a19

SHA1
6cd55733f408cc1e18e25e3f81b42444298bbcbb

SHA256
a53636020148a121ce5cd99d7d6380af6409c87b6a72fcfdb236b6caf9fc0e5f

SHA512
111cd52ff9113c79087f03cf2fbf1f99ff7656f307c817bbaf60bd4bb0d925c12cb1a34b67d65b14c59514aa60416e84aa2754a018f3ce9abaea8db0260e6140

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
45c0e2fd24e9246dd6a4e641ca87fac2

SHA1
23e58d6088f812ef488540ce8195871062955eb8

SHA256
f5de8ca64cfc17ef0a205b7359298f40ad45cced0daf6ff2450f2236aeccbbcc

SHA512
40872ecde01ca45463b4db3267eb5a761d1e70b7b96ce0d71515ec5d59f47d9b852ac7183f7e2dc618d754b90d5e90fafbfde7f7cb929043b46caaf9713bec18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3551c2fab9f84366558fd8b4380b9851

SHA1
8bd7b94c97dafb18b922272eb5a461a13a0d2df0

SHA256
b5897fb7ad8a2defcda91fcc9e36493005527355d697cdd8ca0fef2951ff4248

SHA512
74a97086657ee0ae52953e2c5c45aacb2968b9434ded9047515ffce680dc3a2e6d27254dc0bd30be666c848e1b37b04dd509b1223fdfc9ec1c03b71b6e7a1739

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
44ca9f0ef383e8d2e0b8499494d6bd4c

SHA1
d5707864004408f5e429da8f4d320766bd251de5

SHA256
604bfd6f686e6de3736910a300aa9f9b4bde5291ccc901d09395dbde35ba2c12

SHA512
169fd2468c18df5269f20e2497565fd510b42ba8398d968873bdfc75071bb9d9c49a1cf4eb05640ad5f68c32fc834bec91c0eef3246649cfdf16328a223e9b97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
5d325509ecb577f0fb3fc85c03d0fc98

SHA1
2541e30988a91e9fe4cbf5457a2e75ee69c87b60

SHA256
0291c7793b170f561b98e421712bd2672e6a75460602eec40f30a4f7358c29fc

SHA512
368960111f4204b42153406e6fa89ab18e3a47518efe4dd0b8578f31265547f8c5d238d4c321b1c2e45bcfb69369256052ab146df9743ac626e24d2416218de3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
0e11f21b5f9d89fd6b40fdca518b674e

SHA1
2e69e1aaa2ae4e7d7c1c650345f2164338ddba04

SHA256
ae3021511c27abb5d859b64f541f66b584d5110617ad0fa256b6d54420b3d20f

SHA512
0ee9740de52fb57e62600138b442786d18aa61a0e54f8a7059b6777b6e9cd4c94ce1c4a66233ee2033c3c7a769443a254622626447b6e0ce4713ae9b791888e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
6d1c482328a21e3ff49a4ffe8fa21b2c

SHA1
05d5c47470a86c9293d3c0835528e900cf622b4d

SHA256
8fd17a7e8f4c60821f6c46cd7705fb07e3964d53aca2ba44d9762c50270a5340

SHA512
bc7f861266f84625b20c080bc2938d5fa425a0ee8a6556feb76d75d8e50d4920addb2f286f2138243b70214eff15b4a67f6a50af133350bd09d337527d5a9c06

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
1bb7a8860df47c0d8f3dbcee2fe5b7c9

SHA1
ebcc97e317952c1fd95e4ae1696f3634a29c95f1

SHA256
4cbde623d54e5a9610cbdc817c6f4dadc7e3cb940a8ce3b4737aea0896a1ceac

SHA512
28050e680f13f0d7f9cef7e7ff6cc1029cc7eb5e3d5d37750ee60fa704c20aed8aa207a12c7ff0a775adc19c1237196e4654d742915a4ac73dfb534cebc804a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d34ba258c2a04da1ba4ac794fa9092c0

SHA1
7872d702692cfd274099fdb20f743e9d003b383b

SHA256
b36e6466581cef76ba7123f7da39c5a1b5d194ad837308167cce259bae427766

SHA512
dfc37b50b3fa228493368e1f36220a546446a2c7b1bc75a0f1051fd2b6ae1292dffcee8213b65a06f1dc5f8357a3287f298ada5f164f8d4b4661a6202fbf3c4d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
5ea9efd8816167cf362822c9ffa1452a

SHA1
416966114e55d048c6175da449fcf49e42e5085c

SHA256
94654a8fe4aea5804aa8b2e6072bbc475cd638c4062773d6879e39f107f32630

SHA512
13e63595897e39beea29fffc61b2c24641a30ffe51a37e3a296b205ee0190187aac27eeefb95f4062391045a6fbe007a29f478b025b7cf8e63c9d0d7b7042db4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
c91614826cc1b75b6896ef13026c12e8

SHA1
fb3e5d83c987a81e9f48716f77327bfb7d0b6c10

SHA256
41073fb102a38cc66e3fe6cc39aa7a79b7e00121c1cad82f025a6eba3aa072a4

SHA512
4f59f56a9a962825c8289275a8d76b2ac3df41b03cd5a10856fab54a78c5b73228e790965ee0fd233c027e671d7c5ae656e1fe1c71b0ce7362aa693cb7ac3420

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
62bf9647586393623fc87a632066a717

SHA1
ee54391a42587d91b7a5c8f6917f4a4bae64e891

SHA256
64324ea47170c19632ce8f221a97b4a9b679698fd8a712a4a12a9e0193169577

SHA512
00990768858b830416b1dfc9fd209871d48e347d1e966ea5208fcb7f067715b3d69cde87a06780fb58156e8ff879ea4d2bc2cf0070a55d6aab39eab6e85c67ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
19e6c7d68ae1a0d325b819efbc76fee7

SHA1
f9693691fe8a59ad8c3d02020ff09cb21c05f7e6

SHA256
abee4388a818ef3abba34e6b9ee3377d183f534635f3dd12eb239017f1522707

SHA512
84580742018457409153f14cac86b577ffbcb4fd19d59ff192e583f0cc719d5e0eff74cf77aaab31addae9047ad1ead325bff9dd5503fa11df21b689d39e52b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
44e7a8ef32c9ab8be9f623d4662e2d10

SHA1
42fcd6fd2a33844edc7f969e307082b8c95355b6

SHA256
c4f5af0d18febc4fb53d91e9613eb8f3d9b72602e8ce9af36a40b3b0774aeb71

SHA512
114233f63a429a7db65fe13a31ee2dd3d54e1346130c5068645e6b8f1802513e6584c4f167b02476adef8e1d49c0d321c7b3a633a3c1d0d91ceb0a9d3fb2aede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
c2b43127e28c98d58d1ff8b55ff46073

SHA1
a06bc142124c7386d51c810b0bb9d3c6c6e72281

SHA256
185f94729c2d4afec7164133bf0a785adc51f97363fa1eabc067baf0e90e6d84

SHA512
db44de24801234d9fafa753fb599e112bed998d0956d87d506bfd7477559cbb0fcdb7e0fab7c084671df60e16810cabc1326c2274b73bcee5a6d670924839739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
152d349218f8c3dcbc8a78381de7ce41

SHA1
755874356f79027cdab6613292cbbe50c3968cab

SHA256
3f8452f665193edafde217ebdab0885f3241021f16914f672ea4de78115ce75d

SHA512
6cefa7b68ce919b7a667ce76330114d7ecc7525aac40415f74b117974c36410b5fd74cd66219b9bee3f3f55ab4ff7c56c83058f49bbb662dcbff4a44f92c7eea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
eb11b640b071489a60035e03ca0339fb

SHA1
72d1cac1d3866065992cfe0eda24ea00ed233062

SHA256
dd21f695e7195849f2c48e52e9c1f5548e1178442cf4bf312561c9bbba8b50a7

SHA512
3f6c3ef7b1347b2eb6cb34185f2e031b41b69c6b927679b11fee12023c0ea8df69bf20ce70d67f68df454af6398b2aeb4c28ba76a7c656ce6e3a84941b7b124e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
4e84a93795285be26aab71d9e280447b

SHA1
260723b2446ebc633a43fc4d925698c93f3c9f60

SHA256
81a7f34d327d5e59113a9080e8aef65881240af909705be6dfca3d22fd7819a0

SHA512
5c9854146b96b48fc8a19054f293371e04a8ab3f68c5815dac07f8106a6e4cd58d89eab7f7bbc53e191869e3fb9a7d3ce83ac6a8c41e4183f6668c3087352dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
03b90e5c9f1e502325041f9ccdb4f3fd

SHA1
0ae7aac353a3df4b78d44854b060ac9589343465

SHA256
3a8a3cf9c5647f09db7d05be23dbb07ac990eefa7fdbce4f02674b56108de48d

SHA512
009b22a64baf257c0ed98ed119c2eab4350eb00e15490baccb2e5468200426fedd542ef06576e846105e79cf391c5f88259ce3c1b8e774d61fc880af5b28e825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
64c89e75184dcc3c4fa453d42d44426c

SHA1
5e1735b0998029f41eb5246475e52d27b54c74e1

SHA256
96fb5797481f12fafdc1bbf8821da1e483c03475235de75c3197eb5b21ceec46

SHA512
e1ac6fe365a2eddcec023b53c4d9364c498da70ded64e34c1abfc1f3dae3f1a20e61f312a1f6cb857f7b1502e424a67a9f31aca28053b938c5023d8e4c0467cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
e59bc3695ec4ec05ef1d50e435a474dd

SHA1
ff9e2213af0efbe16d8b3cbef5b9e4e41ea69c6b

SHA256
17ea826176d93dc77f3e7ef9da6dc480c5cda3fa7a7201e72ae39208351acd81

SHA512
36104b88403cc92ac8ea4db4fc31e25ab20cb81344512b18c2cc7e31c5fd17a7796b676aad9842822b06462bf3bd66b8710843ae0b5f3f0764b0800ab4fb94e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
b2d3ad8361d83fc2eceac945d01c8db4

SHA1
4191d7181a80a5b400fee37a796bfe4a7dc5ffb0

SHA256
ac730d46cbabc57fb4a0e07ab2621e93a3f4e434c3130e481cdb968ae0c92af7

SHA512
fb3568ee078d4cb7405ca688dcb346e0dec0b4ddc286ce68e3fe76e152e176377e57d9976651d2b99f5c45a748f90ef509efe088ee93388e69a87130a76a2512

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
27ac0cd8410e8538e8ca4a557a0ebc6f

SHA1
285031c0846cd9ab356dcdd8d24a8762894d3bac

SHA256
d5226e8ac8c5cdbbf325ca94f2ef3ca7b9b1a7e376ac1a54951b11b195121fdd

SHA512
2589f5eb1122527832a7dbafdc78aee9a3b02fa158515893ba784b2834a0137a5e710830ca42644231a15d7b1f0430b4e461dc5e34738e191a2ff808a2649ffc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
9a46388efa4b0965405881e1ab5569a0

SHA1
88b36c8699442fce956288f5b09d79ce71e85dc8

SHA256
31b61ecf7cd4cfd0afcab3e641088d58c4f9e44db5050369a6d8e5ca602f3714

SHA512
a65bb11518bb8ab463f1ca762eaed65abc1a3235f31b025acdf731366f0ec337fa6eea997e70e2097eeb1d3dc1102e176b5fbfc60b4d8a1195862bc854950a12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
0e8d13e388a1d13f2290ce06a9efc225

SHA1
003436c8054796c29bcab300b7896493d41f6a00

SHA256
d9edc9cee0c4aa8a99c255d8ec1a464400134e4c6c6cc3e5be980eb67fdacd89

SHA512
d483359ce34891403a9f5027ce85e6fc91b778a343a86a4397c548edd804a716899caad78624647d7f1e503655a632e7558d10dee7b8cafffe6b22c9fa77a62c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
4713b7844421186043347d3de5833526

SHA1
57dfd7c25348b606db80d45db85730f1baca5426

SHA256
22b36fb2545ce3998ccf9525e102992ccac10e18ef6df0cbb94f06794aee4f4a

SHA512
849a903e3aaf0e9561d2231ad1c97c68e3767fb7bdafef9e78fc338e1a9c66bec26b928b01c277d09e9cabca88267bf139360fe10de61b13ed41bf8a75f47f39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
776c1ca23490130485e375480d768dcf

SHA1
092f7e8e3cdafac4f63dcea51516b3ab1da4edc7

SHA256
ec42f75db8b3652e689abecc40e0e5467205075e8c4dd7ffdede19ca8933df7c

SHA512
03cef1592d57711743d2e56761c4ed390c58522e3771d38a9445436dbdc74ee5e848418f411097c235d52b52eae001092c9092f9dd43eaf8f8b9dda85167dfc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
7ca83b2d88657756c2b29b5fcb97a8eb

SHA1
45b3be894487e47a1044fdfe7cd60b5bbcd0f795

SHA256
f7fa8ec8e920522213b26359d1abb25fb8a5879b37d417de8e50a305098761ca

SHA512
f6664dfc87fbea81d372096189e1a026fb6f2929bb4c86a302fe5da16f99a30a08fe0cce0ebc1c5575eea16b758b369a4dd02141aaef125c802b0f50b2e09675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
a7dd901ac08c4213130d7b094b8aba46

SHA1
05757ff7b91d1c567a30d03da46b19689fb67eb9

SHA256
775d1b1a2ad07f047aeba3abe96ddc006c9f5a77aea3a438d04c23222278f486

SHA512
d0f04ad8918c1f7f979dc1661d9442f6bb7716ed1258aa08c45223577cdef5a6c107fc9914ec6215f4bb95803db7e947fd0bfc53122afc148362f1026cb08b81

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8b24f39bd649c982ebe9c95a622109c8

SHA1
0d7172473a5b3ed262c5bde5318b0d4399cb2b18

SHA256
875b41bf61685dd54ef5c954e0bb1a03913f8521e0f201ffb1a5ab9930dad606

SHA512
650e3d7337a02f353f733f494b9f7b0bcaaad2b8d52a4673c6b3a26c7d0f8e9a04597af91ba31732fa68d70f40bb862a6a00e4e6697d42bca4dfa4db76199455

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
6ec4b0e39daa8b789c102916dae2b4f5

SHA1
8152038f9350e299349126997f7bd570683841ea

SHA256
9603bf7933bd9cc56f4a667711d6d9b0fed76b4d941f98a53c9c489874fd7257

SHA512
c148663c9a11a967016031b4714839276f4d83a8b00fb1ee508eb50468197b35ff15b4e88aa00193e14854e9bf9047a0aa6e4c193a091685c2c6c83fd3788a1d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
b3157e39cf830a1377bedfa261f7d9f9

SHA1
3e574d063668a9ccce60889dc6c42a6096cd591b

SHA256
2f112a5153b0bc357819e036d73d12b6b7f30ffa41848aeeb6a1a32efdb60e87

SHA512
873eada322ea9dcc28958e6036c0033b603631b70f14df278762ef701fa092a82771f9e6168cfd57d34c4e8da6fed8625e75bbc8c57ce562a88569c2b2a5769a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
40c27bb702ba5e8797563e451a17e165

SHA1
0169befdccbb8c04acc1688ea537c4938f4aaa4d

SHA256
c2f2968fd9e2201d2f09f25ce8ef5497ec1e35a13c0662e4300432baca0f8efc

SHA512
2d64588b0a85cb0fa8f2f4564489bbfa8970c96c8245563fe3df26ba9668d0614ce6ff9472f563426d69dd5c7c80e09f86516e11b12d73682a62ab4c80112c16

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
d8737939849972bb1da347daf68bb153

SHA1
be2f4fa939078fb29561d65cb4678707d9af9cfb

SHA256
473044d42d6d263b4f145a11b62016085670397a279e13e83e13252442ee19c5

SHA512
1cb19d7c2b91acf5a54fb7a6d2e7624ffac0f1edfe0333cac218ed68d33b9f1cc11ebf2bc9b5b19394bb3212fae7456a2a6eeef6fd5733b1eca1fc69b94d806b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
24619675774843ac6f14bca6c470e135

SHA1
08b85addbf7874a8fe8dc51940494e63fe950258

SHA256
3546f74c084f19f3113ce5c05a016ca0b860096accea9d196dfe6c7454e40220

SHA512
988c17c1f94abfe3885ceecd6729ea97985b5b475b6bcd86a6fe0b2a84d392fb3973e280f93ef80000a8aef6a86071c521e785cf07048841cba08b5d3e7597e3

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
dd72d0af6f6a5c53a8ea3c11a562aa5b

SHA1
8c0889397110b7031d23060bb18cdf98db9d23e6

SHA256
efa61af6383d3056fe0464c3ff2273c3af4b0b1c07c369a0e8e20373f8fb833e

SHA512
e43458f192137449992d8e24bc19f14ab228fc97a89149c80e8c84c035b4b7f885809978eddfcaf098cf9f78d089887b66d1351964cc1127d5a6dcd6c12184a2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
610825099aef4fdc5c25c3fbdf050d3e

SHA1
08c629f9b2991387755226a95fd55edaaf957973

SHA256
797d96a717b28e42da8f49d29237cad9d0a96b038b4d09edbc83b6b19d401013

SHA512
8c10b1ebcef1b227129910199cd847de83dcf2aa858f27891ec944e045cb44574d60de55f550a3d28d7b84096d67e5ae779e8c3c5f635fcca9d46cab80cbe63e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
ee49395aea692c3e6d43ee330396d5b7

SHA1
0eb2ed6845c17eec5d0022f3e5d8dc7efc2596b7

SHA256
6adf9a334c288aa2ecc2aaf0b5edabf90b8b92b83eb4f79290153459520f1f0e

SHA512
bea69eb593c46cf0c94935cd36ddb51e2af579ec108f7888b46af0522e6d4dd9060c5cb50eb04479817a66c210df001ec46ef389661166971d98bc201d6c78c0

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
5bec7bf22779e9d27907451708a155e1

SHA1
839445c510c612a769bff4446f3c25d666470b87

SHA256
f51f4e88ab04f1cdb28bb9e036fc51c1ca0e840957d78a34fab2728a27ca478b

SHA512
8ae81875b0ad9e9bf33b214700234c04a9622fa39bb67a200a640d3eb2d2ff5d34599bee4a21a0355abab5ee5e0e31f16c46ac8add435dec1e253a58f8be87e8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7c854bc0743981965417de0ca3ef4390

SHA1
a81e553b249a6b29c192ee3f3e387e501b50ab32

SHA256
a98f90e1f19871a5d34f2684b22b10e52c3e903955348a0aedb66dece8019890

SHA512
c1394081b0a3000083a69893aa285031427e52b31c8e0353701b60bd4e9572b14f48b3ae93b32b141c300dcda91238b22c7ec7dbe87edb2ba5bfe6dee023ba03

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
545735b15a50dad196ee65ceac2b54d0

SHA1
68a4d18c3731cef589197e2e76a3b7fd854488f5

SHA256
4cc249cfe28f328395d030791d042a572b8b2d3db8a0a4a34f5b55a16b78ee9a

SHA512
6fb892b2f4af05f53bd27af90e50999bae9d5a6bacab15563e8d5b1c659299b4f8941ff5ae557106a4f5527d47a0f4878fcddb88419ce9ccf9c9fdb32a9e4546

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
f8b5dcd7ea693b529fa5a77b03ee28bf

SHA1
68687e8624917e0cdc64e70230a269f9790e222e

SHA256
b2723c17b049eb6e3c0c71d054d4cb28e1bba42e10580f54264ffaf75780fb1a

SHA512
be57b31b3f9fbddbd1b9a75bea17d7333472be2850534890fbd72c7ee6e384e9c5356257b08b028fd47ed1fdf56b6a54e14d2fbd4e91ec0d9ef1d6e90801e7f2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
796d188878d1f910f8df1ea182f17e5f

SHA1
26ef402dd7e1bcb21c857a97672f04e7e78f34c3

SHA256
b053495cb2d3b1a6df27c97be99e05101f111fb93c57e11dab239194e2f683da

SHA512
c135a79fd6a12333597c2442e0b353b85c92cbcc508718ec5fb07ff2713feeee49089d1f700e96a62c423a8b1023e74376e4123fc7ee1b288dac1de6d7030dbf

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6df7e104346327f74ff3cbad54615757

SHA1
e5b538ef26e4afa0b797785b48dec4015fbadf0c

SHA256
5d8e55a8470622a8dd209c003d522a4dd3bc064dda96f4dca57c60b977897dc3

SHA512
ba8e4c9187793a85775044c73f38e974c4625e2b940ab84227cf1fb0cfa7b78d6bb361a46b130526283c4418aec35b1951df25822e7f5f5bd149fbc03579283f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
12880256bb6d11e5aec5f03a4cf0aca4

SHA1
2860dcf6513c4f35d8fd48dca7c5f28636df50b0

SHA256
8c5832e7b1e5476cd90567f0afde9f1c5580ad193170498fd08a44d962fe4d5d

SHA512
f3081b0c3562fe2fa3b0b4624c2e19555cbf2484b2033bdefdebc1417b9396806d30b824c36059f90be87c656d60db50f3a4ea726ca7c636a6d6b9ddba1b2dbf

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
5ee4393d07f9497030881ff8a38c0765

SHA1
c761df2e0fde68bb5765871460b19a203dd9881c

SHA256
23f4ce505910232bfeeb490956c1324c00940dd0cb42907794e6abe53e55dc04

SHA512
724cbc5b5ddc2dbaafac631914fd7246c846464c6ce9ad33a3c2385c9a33f9d03dea9300e859410b560f0e2e5de32d29d475a996a0a58d25fb29728967783877

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
44428173ec9e7b2d7f5fb30bb214fd53

SHA1
ecb4daba7b94c3b99a950f85f3d918390e2a25de

SHA256
309a34b1c3191c741e48f0e02c644786429063967d4da14d0c69a9233f5fbb42

SHA512
a466244d4230f2204f6facd44a0395c9e9756c6519801cddcbc8b8cfb77e2e42c8845f765abfb94720d5e83a7c8e0b22ec7e090c0930a7155d1a2bc8fd22952e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
238d4e6897ca805d9cbd81241cf3f3bf

SHA1
53d401d77ca34c50af33908960ca77d1bc1a9a61

SHA256
0f2a65049cd5bba62dfd10af808c249aafb8b596bc40910d15e30ddccaaffac1

SHA512
54d543d48fe37e6f9ee53659684dfac2fb23507f6ef37b49d5c411348dc4d41ade67ad24b747932e7e80e7306030704e34278cc8d084de6dc9d87c29f38e825d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
08fbde3e11d9fcadf5e5fb150cdc0ac9

SHA1
fee7ca0950d28c4eac5c7fa4185ce23f78e1a313

SHA256
8b4d86336fe64654e3530672d0f8f323aba1c4a789eb062ba361b44dc98dcf74

SHA512
268b0ac775e2b524a1cd3860f2e87d5a5fe31cd9f3b4f9cf15d7249fddf417aa14b03b56720154a543be7aceab2a0878a98255375966966d34791b0acedd43d0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
57b93f0c199886634adec041e2cf6510

SHA1
6647788239364e987152ff431d1698ebf4712660

SHA256
96be28c8a3a6fdd191faf4907c04c2c74b5a2a437e45334592dd6ca8b7c76edb

SHA512
3e89f004a2f8dd349d991742003fadeebed4cc28f18505e5268f2312c2fce361f6703af61749a0f91fc2ece071f645cbf279bed3036a2817d4f314b5172d0421

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
e6407f482558882ee162f3fcb02e6360

SHA1
5f0878e6c0e1794686004b03eb12dbd0fe6a5a76

SHA256
b19d8c5afe850c2388ccf525f5ec874bf7df5f1c06a62a3c8fcd865659d1f031

SHA512
715c5d2283a910e7c01eb2d59b78656fa5e8395adb16a02b05cc239eac46fda9d3a2e9a143ace0957bdf750dfabcbae6e7fe07ae80d5fc60c0aec45dda85347a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
600304a918cc935770bd588579a43cc6

SHA1
591bd76cda97cb7b79519a8495cf9553e463f5db

SHA256
9f3d012d52cc31d031b6c6fa65248f3f574f2b7a6ab61ee8d3a3851d7045f46c

SHA512
ced902df86e67de8e53c4799880629beedcf61aa334aeccd1fc2d7b4b3c74af3d33e4a0c0d1a4e3c920b5986b76e46967e02f5de0a04bcee39f50b9a0ed19f5a

Download Submit
memory/380-331-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/380-776-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/548-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/548-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/548-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/548-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1012-777-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1012-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1244-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-101-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-98-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1244-185-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1252-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1252-6-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/1252-1-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/1252-504-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1252-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1612-197-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1612-317-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2224-305-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2224-194-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2532-155-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2532-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-151-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2532-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2716-291-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2716-175-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3056-123-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3056-117-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3056-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3056-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3340-200-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3340-330-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3496-664-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3496-231-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3504-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3504-670-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3856-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3856-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4084-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-775-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4312-106-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4312-139-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4312-126-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4312-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4312-114-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4360-771-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4408-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4408-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4408-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-256-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4584-671-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4724-268-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4724-672-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4920-278-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4920-161-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4920-159-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/5004-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-158-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5004-19-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5004-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5076-772-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download