42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
Size

625KB
MD5

0db5c9ce28c8642ff313db5efe49f43a
SHA1

0ef56a30a569ed3c76d98cfbffbbe6fb21d8e18c
SHA256

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50
SHA512

01198071eccbeb9faf5e719f226c11f7d1ec1caeb7d511cb620580f1eabd369955074daccb375b1c824d1a6f10b60a4a1f63f902edf94e3a52a5df94c8e626a7
SSDEEP

12288:QJ/7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:i/Cks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4084	alg.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
5096	fxssvc.exe
1660	elevation_service.exe
4996	elevation_service.exe
3252	maintenanceservice.exe
2992	msdtc.exe
3652	OSE.EXE
4188	PerceptionSimulationService.exe
1872	perfhost.exe
1544	locator.exe
1008	SensorDataService.exe
4384	snmptrap.exe
3832	spectrum.exe
2032	ssh-agent.exe
4256	TieringEngineService.exe
3372	AgentService.exe
5104	vds.exe
5044	vssvc.exe
3632	wbengine.exe
3392	WmiApSrv.exe
4080	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bf04f3b4234f82a5.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\locator.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\System32\vds.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\wbengine.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\msiexec.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\AgentService.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\System32\msdtc.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\spectrum.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\vssvc.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052eca9b9ab99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed9e9bb9ab99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b288c6b9ab99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b75d2b9ab99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f90d2dbaab99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe
1464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	244	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
Token: SeAuditPrivilege	5096	fxssvc.exe
Token: SeRestorePrivilege	4256	TieringEngineService.exe
Token: SeManageVolumePrivilege	4256	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3372	AgentService.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	3632	wbengine.exe
Token: SeRestorePrivilege	3632	wbengine.exe
Token: SeSecurityPrivilege	3632	wbengine.exe
Token: 33	4080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4080	SearchIndexer.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	1464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4080 wrote to memory of 1492	4080	SearchIndexer.exe	SearchProtocolHost.exe
PID 4080 wrote to memory of 1492	4080	SearchIndexer.exe	SearchProtocolHost.exe
PID 4080 wrote to memory of 3060	4080	SearchIndexer.exe	SearchFilterHost.exe
PID 4080 wrote to memory of 3060	4080	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
"C:\Users\Admin\AppData\Local\Temp\42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1008

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1492

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
86e6f194a59741fcf0e60d129fc2e8c2

SHA1
d2efa9b50dd5d4b597024038c028651606619f29

SHA256
5e63e95c2618acf2a7dc0ad3a4dedacedb4a8ad17c9c32a86544e9177dca0627

SHA512
fa7dd9d6a3f3156c713a54cd4a35e7a8c2b7ee4ed54bbd472a94c971eb2c53560736b5131cda14fa0b37ba8800d145cccbe87e4819be765d26cbfd8200135655

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
08fbfcb8e9e3cf66416159c49a1dbb0e

SHA1
847cd302b7b9ad046ef104fa979643d3a16aadb4

SHA256
55012b04aa4dbd828a8539d057391c3e59a81c6f8a9334ccfb488781cf7ba16e

SHA512
114eba15061657feee481e1b8792e0b23d759dcbccbbaad1a3b666049e982c7ec8e164d803fdc52c8b8276589dd92a33d8aff3543126c4c979369e351bca3dbc

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
48c80745dc989a0d3a0c37a21421d11f

SHA1
2726f7c928cee56a87af794c79b61e4c57ce2f78

SHA256
267e12568370296bb4f8b4eabea44881e1a1744cf5678927dee04e6f4ccb847f

SHA512
8e2960c6808940f6679aa2c6ec0ceb227797b15eb453bb8677b961b61a06403efd9a77433746213b6d1f2f1c46af1a4aecd124dd16266ededb1eb4fc01038bd5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9692e381e45338b7c9d7c830acde4838

SHA1
55831b1ac70e67715e998dc1d2495d8921a5a91f

SHA256
7a358cfed111b40f378e00365f66a4e8867b80563f7811641caeb57f0405eb1d

SHA512
8289610c657f2f04a5a87076f6f9aa27bbce3738b0edce9b4fe487b217854c02b9254e0fc08003c8b718f563d1863c509688b136d3ee1a88101e71ec6f4d4d83

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
818c5772bf4c937d57ad96a86939bda4

SHA1
de551c8e4f6c8484b6cf94c11f31cd6c9efaf4cb

SHA256
9a0280f6b2e67296dbbbda03d27610d30abf107f6b97de08ad88e5a118f46178

SHA512
f81699b69ac4bf7e58ec35ac4bf51cb8be4ee4676c5a7f1e08c85b83718c19596ae322cea10663aaeb8968ed496dcd460dcc309bb4d2b2717b1cec05325d2ac9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2afaffb470d9a13c943da67abf50643b

SHA1
86f8a11cc9ba2416175dce065d64c47d044612c5

SHA256
dc6b24be4a6876798b8af3db0db6e29f25cc6d9c23b8cf9a4a92e9bee76ad979

SHA512
143557e955beec79ca9384f2bdb1779c078a487b8bee128db3dd766e3921a50c5fdec29aec416aa3c6091b5bb5572327114bb9773578ea3d7f9cd9764fa01bbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
03fd6a9dc98cd404479edc2d3a502a20

SHA1
cb70aa9a1f3e26113d4b42770d5f9bae6e2b02cd

SHA256
e446c10e1e46c536ae08de0bc9ff3f81df80df2a085b05007915d077a6011177

SHA512
76372ead7b7038ba3068207c8940bb550eea5b0c8aef8f11e55135c9db7cabb61d8e1e9b2778b515280b1f523c1a395f8af2c29887679333e3d15f210bdae007

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1939050bfb7b641d4fbe0fc06e794038

SHA1
47b02d208489d7d0633b375e572060e8007c76b8

SHA256
bb49f41c158fa19ca057782b26de802442ec820e8460ebc45e8374e4f9902298

SHA512
c3879ff53a210eed555eda9b5506db20f5fecb221f7315f5c1037e64eaeeb6584bcecef9ea343cb5e84b13b03fc329e72249679d4bfa6c56116814b09a598ca8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c114ff605dc15da6603505b255f8cd96

SHA1
5fb46d92e3e1e593fe5d5b0d751013bb47a47ea4

SHA256
ecbfa2aca90c74eb6ded2505d00b3c5f584492c102979826ac7d41a6ac950931

SHA512
8a71744ac0a81a2aee19c1b4affe609a7b75fd2f17b955607c8a825f344cad6df873c7b2ae91310368fd4b1fa24e39ebb89284aa3f3736c69ff7233c45f5cd22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c8ce10cbe015f2ef1304714238993afe

SHA1
02a722cb1dd883d3d4e30cadf1b96bace250000f

SHA256
ffe11f0773d0f83445a713e9553efbc594ceba7689675ea4af9d5efff1a7cca5

SHA512
3a5a927f585ce65f254609525cbde8a3f3949032f6bb2901250ccc2d72a006a7e3c4ad0ecc0078fef826d8526eccd5f2efcb75541582e9fc248786aa99a88453

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
bd1b0f2bd1d71ba7020a1bdf0098a76b

SHA1
67bf81fd424efc457664ef06763926450f9cee8e

SHA256
0e077e5282d397af187da70db20620a72444ea46a25a7f8134901e4a0e761d68

SHA512
7093c2bdf8558e1ea00fd177714a0fe4b7ee875d64ee1485123548d133b06b4b321a5f9bd127e05e4e6c846d214714016a6b415b6aab72cf8c07f2ddbbd91348

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2b40637bd6b0a00b03d0e6c256a1879f

SHA1
ed006bca0f3fb606f843ac09c148973df6f8bf26

SHA256
0b52f16ae9455166ab7611bd5214e2becc61f73784fa5898daff4ac5acbe2bac

SHA512
72546543c2ef54fb070a26389920286aeecb865edcbb4dfc56be311cf3a8c5bdbd353109348eb83ff8c7106e4b215cfd96c0e5cdb54480f27b4944c7ee22ba5c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
457dc3addbe21d67b913dbda19a4d8f5

SHA1
03226d0e6f90ac2243b37f7aa06b9ce0b1697940

SHA256
f2ba04f4853df9fe03cbef8c61e5faf962f929dbe81bda57fa1277c4b35fda33

SHA512
d254034585f1b3895616286eefc35c342e1acc1552c8eddc740c7178d257dac2eab29fcd5ec07cb8690a4981b3cf447d586ca17f2eb1641af262cdab105988c2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
4ff5e8e76f57aef3eb28a69e2630c6ce

SHA1
6633767b2682bf4ed1877f1b237518de30d2bc2c

SHA256
8085824531b739485b5c9e7cb86e90d8aabda516a42fb20443a8709041eb4cec

SHA512
a0a5750fd4d1eb7643d0f46248dd457fd3a5c3407b7c9bf0ee3168ea510bab60baea86464feb34fb2ff5ebfa2d743ac899ba67b7824e3b0cceaef7c41a3622d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
b19e3fa87027c02d3f18ae85b0238f80

SHA1
c70af1f24cc8d0633f074c1f248d60140ec79544

SHA256
b2eb275d9506e59e449c694231fed8f7b7eb032457aa33b515f139c52e34008c

SHA512
3d15035585760fd1114bb55847b5995e00913df6161b88f2935eb775e95f3609e7e41bedd2d84ec1fa906e726c2b349b650a23dd3750de7cd2b491d3bf6e450d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
35d97681e291fe2517cba11af2f88ee1

SHA1
cada50dff63dc500b1b0d7456806459630fbce5c

SHA256
c28b66f37006568791c291785c119ab1571f8bec4ddb39136176cbc67212a051

SHA512
c0d5e4299c8d6bb0d45d672e9e557d762f9041036ddcd35407ed8fee6e8a4838d7025876643eb35aa86f9254829531d213463c46f9a3476e326cf87bea2991cc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d11ca3cbae1faf1864d8e61828fbc5ae

SHA1
38ec956f2dd2c8bf1cd4707bd2d088cd383f2460

SHA256
956e4ef6dc65cc41eb636952d510b8d5fc0dce14f878772b2acd7c580dd6a1e4

SHA512
a51638f1e228ff8832531a8caea6dc0f56a05c52a557aef14d6ad51e81cc80bc9576a5fa550a76963a4cb8f3ed7b0dca749003a36b6e63c14c4782dbda3b1b5c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
b45f75b8117e47ecacd80415239df3f6

SHA1
1078a8eb59cc4292b49a87f78da51e3747bad34b

SHA256
9a151420697d408994bc31e109130ab527bc46f278aece19eb010dcb8fce7b9f

SHA512
b55418812f608ee796754b1bacb9fc8b61871475539bbd8f5732b393be07a3a66e5902f124eb430f902996387570c7b4b8ec141248b07875d7c2cc6196ab0bd8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
403ae2ebee3ae42678983acc63524fc6

SHA1
ee03b1f6d2062c0353e9105e4799a2b31a13a4aa

SHA256
d0d10d769b3e423a805eac69b281689aee78277fa2c1dfe36db66f85ad88d7c8

SHA512
671af2ad9eb654cd68c82a749934cf437279b169d1b43cf8efbad2e4ab3a10895afb40c73dba41778223ca6b2d62f39af20f3dd900d621ae5133184b0eae3781

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
96427374e2f85bf3e185c866075632b4

SHA1
3946cb2ec61548490562090e3569465ea793d5c6

SHA256
37d69dd0d5b719829da52f307ea16194cbd3297f4882c7cf34fec34b5d707445

SHA512
802a2a9c362b33d0889335cf2e5ce88e40f8c3740e2a9ee8bf518367f7b5831fe86c13a93931d048124264774700eba4a15f4c2ebd8c73444639d1abd5d58606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
ae108a9cd6feb3fd490f4e10d53ae424

SHA1
3bb20ae0cc4bcf604426ca87a5618a986a3b7738

SHA256
51ca1fac8350ec92107edcfdda18be6b327926f8edd2fc7c44aeaa9ae0fec614

SHA512
e84031c5259657a58a79611c16571baea1ffada10356da90dc3dfe307a1283c73baa5f60986603f9ec282d2b0660c86bf3d247408be67dc8fd25e1c936093ba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
9f57dacad35c760d37746e4fe17c8d43

SHA1
0f166e84a1a0b42a3ed075ec275535d04bb13aa0

SHA256
693103847890192eef3ffef80f849670dab8200e7bbdd194f928d717be664c93

SHA512
ea0da2ce029ba34233cdef28be43362bd866d4284453543cabbfc5a9d712eb64310faba701c057cae6c183b7c3c948cd71eeb2d8b8c98e5bcce3b995961c67b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
add5c599f184f426d6d3edc97e13bdba

SHA1
9e8b222a1fc6334df0c4648207d9ca34b52a4712

SHA256
8448c339738a2f683eebe02b1781bd789b335ca93c121535c6a3569fd77697f9

SHA512
e9909b84828cbc1ee9fa694a2544de57832489c34cad7f65635e0c506fcb56439e705bc80a199a81b23469afc0b537675d74ee05b0e394f029258da50c781f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
e69bcc3445d593c1dec79bae4aa10f61

SHA1
01c125d8a986dbb93abd851e87638c0efa6daaaa

SHA256
db341924b721333b74c6163d5cbfb24999b45d0176b4814942625f2a57535a32

SHA512
2f8232906878600d6227ecf494801a6756e19b5181ca478f86d3b8a9155f7b9b0a6cf9e9918edb458ce891cc1d85c07592aaec507fc7501ea9cb63513eb5bdab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a0dc21f7f15391920efaef047a9f9eed

SHA1
7206e09f3dc6a52ca947dd6cecbca4fda1b48df6

SHA256
cba4da42db91efc747904f5f6b9b6a26dab468f0a4eb07e94e7c9e8f640ada24

SHA512
b47cbaedc779362468dd3d8aaf531760856afee81987e52967ea7c1d4eb90ee63439f51b43b52792ca5077eb4f7b833648d006307652fd88019ba55952759a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
69ec25eb942c8b9d947fda2ab55bc489

SHA1
163d6690da660c8011da42473fbbbf87402a3c3b

SHA256
1c6e68fef6911132d1cc9ac72ff0aa539b0544f64b8a3367ef560ddeeb8740a8

SHA512
a55220e9d4e79a0df8fcdf3d6dfbf4f7ccedd7bd52c16ff0899fef31f3b535f3cead570e0020853ea1e426e7b24250086f191456d93f2314f38a27ffd835b349

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
1351a4c2b79f5c75b8ea0a81d1248828

SHA1
d539e61acb3d96abc59111096a48e78c8184a463

SHA256
b7e8b1a435483d5a09c6b7ef2418a0eeb0bf25e4878f040d3b542a6b5bf447a2

SHA512
61784588a1525dba6645a373a611df1f65d5b44c422be1e58d6453e96ddd6f99510e917c4e9df8946edc75f938e7f9dd05ec73437b486c9fb215c853fcbaa0dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
2c19090a92db7e5e7b799f72646e9c7f

SHA1
c03b78d1fec122ea0e6615093b764d3208b45d7a

SHA256
1940c8efa98b6fb5ad05c3d103326c04b287c5241e1a77f55b316c9c8be1459b

SHA512
c7fab35ef8073629c550308cf43be7479ea6018275cb5081ef57b1888974a544198222626031a64bc35a278a0e442634a660649063a8b2c6b349183da0c516c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
7545bea94f394a03b7236726a298f664

SHA1
7e9b968de4c6b28d68b229da43b3db75bfd6a141

SHA256
d016e9179a1d6edf25e3484cf8570686472ab870b006f10e05309c6999a19359

SHA512
88ee0582456e695cd9d0f4e8491dd14b83148a5e221d4c71c94c2364494e70911169f1e55b7aac5c9ad4d5e2a8ba9bf8f0b918719150091ce028ef432ed1e9e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
0c2c9840348b197376abd24dc64af757

SHA1
db50efd4c65cbaf30cd5c0c2c5e1d2abcbb17642

SHA256
4ed95031b57a24db07cc157dde7529ce11fa3655ff9899a1a0431e78b848a9b4

SHA512
fcb23068bbf501ba224a548bde12144ac8335e1c2f16528cb817ccad1bca895c723dd91e2510dcb395ea82c3beb5eac298f8b12944650578acc8b3802243a640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
caaf7fe3c7c361ea29ce3a9731dae6f8

SHA1
147113fe03201d7629bb1b3cab6bb080ef403f88

SHA256
a7f66513ea91bee163e24bf9cf3b43cc444dcd8b1a434eb017f9d73b828c5d94

SHA512
09824e99a88e0c8cfaccdf1ab40f20a2bc734f8e36eb4f7f26167df3ab02c6d379c041c28df95dedc8e8bc6cad30d28aaaedd4aa485283e07b99ff52b40341f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
aef7e0f208c2b5d31efaea8cbd8242ae

SHA1
0143cc96e4578b849fe5fc3264720e047a637c80

SHA256
c8ff4132e2f8438b410628160a6b215a2a2b86b63534f2b0f2763a80c4e23427

SHA512
be4da1625bc3b7045edde6069f5320ca8f199302b1beacf633b1a9375823b948fb6804e797ddded4daba1291a85cffc9ca7f2e01501136f68477fbee4a9b4c07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
4d696ffdcc64d4f7b8ee74e7f1015772

SHA1
1115152cad3411a141feffa1a36ba32e9c2d0467

SHA256
5e3d469bc194a5b01edfaa187e084d6b9b7e4658ecda88d21661789e402317b8

SHA512
50fc36a8c3fade809203878ef9b05c01bfadca6928e8eabca5cf79b5818c4743ea8a0fa1cc7071a709ff453a4be1fb09ec2c5e9d98ad7da117405f01e7d3bb6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
1363cb336a1048676c58fd75ce9c3a20

SHA1
e99c4bd8ba6d661140ee8311bdbb703c69239217

SHA256
4b5aa09aad031f509e49923d28c6fabcbe27a28b623def712766bc7d6c5cf9f5

SHA512
4cded17be482124252abb4e43672caa7d6a7f42b85975ad52ede02745028bafa7e6d4e1ad226edfed73af2a3c2ca04f3b7e0ee7da049419da743ef48c31ca4b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
80a22593841fd413ebc597b931a3d1c9

SHA1
2a6f2d4df706f719f5164f5fb8c23f4027b53c7a

SHA256
243606cac3837c6e1168ee7b3b717e8c4ff2a4dbce0657a8510ef78705cecb34

SHA512
dba2fa5b5937673abad21e9032632f3d99e3272fb097864b8e7ac0af12f08cca31a51a8360ba5d02dbce1132d98534bc9471258b8351be8ec9a899c6507143b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
2fcf420e176af83f2594503769c2dabe

SHA1
382411e7bdce81f2e433e2203ecb2d31edf2b1ad

SHA256
ef2002f792872a4cf268640fc14dee57ae2efa376ec6a6ffcf65c422dab4a448

SHA512
03799127644d8e885e9028808e0afc49869b2eaa88f709146de3342593a2cade94f5a3b75bfa32f1f4dcb2b83153fe05bcdb34e360d28a718692c396670b96cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
71c482a90ad0dac47af279677dee2a11

SHA1
e48c32876efab5967e666caf38062874ec6e853f

SHA256
e57a340867bb826e417d743799486953c13c3a0d07bf2ee4a7b86f8135c54257

SHA512
d6b951248c61d6e463c0283d6c5b29c3b96865c2e35ed8e46d585b3e164dbc85166a8bb1611e52727f6da6a9845340a0d534be7f0307c0536a39cbb35967ab75

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ab9881f4466e1d456e56f5f4eff005d5

SHA1
a16025426497c0ac479701c06c6e0ac37cc02348

SHA256
d635dacdc1b2486fb1c85ac8b294a26b4a298fce3265821b473dad42895c0762

SHA512
f79a5ed4b1171e287bf7bcc7520105aebdbf32de94844efaacfcd0bcdb890f92d93661b19763be370d207e1b76a296fd3ab6c9d9c9bd662607cef673d3273c25

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
5c5ff93fdcd03c19c834f2bf21229f9f

SHA1
9f782220ab8814997fceba8dec0a10e8b90b5ee2

SHA256
ce43fd413465c298b622f62b3763c6f91385eed79e21857b279d1a17dd4d409b

SHA512
a6cb96db2f85d6a1bbc200168f83b379323208c15a2e76237d97dce0972433cc62f646b847f8dd36487a5a3682d84978dcc469957d176c2644cd23358a2ad6a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
165bbf4b01b34ed4c5cadef33ae9d385

SHA1
e1d06b43ad37de1c1aeec075ab04c4e155a97ce6

SHA256
d098a16ca1b493dedcaf2f94b270a2413850ac70de45283aa6906f26843c2b36

SHA512
f4b4cfe77abb3114d0fa2486b034f68664c852e7b4b3f4c6f7483a25277b87d898e5dc17253ae56ddf414344fff9a364d2c418ae0c2a87689d4e293994f43b2d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7b12d06bcf4683afdf75a7f88fc03a0c

SHA1
521835e4a5cd11ac69d41d406de72f0b371f3670

SHA256
5cf124dbdc4ec0b1e890725de55d8b4dae351d084e960ad771f3e33264dee2c4

SHA512
29bc02cddd30b91167c5223a748637b206fdde99ee071536fd1aca79c7d1031b5cf00ff953681b14a0f461a33c4d62e277d28099acf41dd60d6e93bce07effd6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
8719b30b14855c7ee7200ebc877498f6

SHA1
eff6f2330d32db2bee0b7787d93a365112367d07

SHA256
a0ed3512591d5c66c68592b8fe71942e7b838220237199b3b75a62d018129f3d

SHA512
a35a8269b8e737dfa052babe4972b4279f6cd8cf4e7238c4529f6ecbaa41d0920d71c0840b2f853bdb4a4bf88101d6092e47ca35468ef05117f9de0aa24082fa

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f5976068d55eefdd1f58a1f097d0aa8f

SHA1
588a60c7a347d7c0df34ac972ce780e0d01d4bad

SHA256
0ffc7c085d61da6fc2f6a9b190da0a24942f5cf194a0e44d5af5865dc6c8be34

SHA512
d9d7c9f9d634bc1a1e1c7114139f4ee96f15d1a3284c94fc05fa13129e812e314b98df7c3bbf52c8ac4f3593707d242d6397d6d2fa7689879cfe56a8942b8ca0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
0527a56e4f094223b230e58a8b494d54

SHA1
2e6e8f9be126f864815b30af73322b10fdff4d97

SHA256
3bee3c1e7d82e4bb1454a6c7a629e3e065b96b635cf3da9e2d97123214dc4a36

SHA512
61755cb21ec250861e777a661d206b4377484bd92f42303c6673ca2e59e4a6f40ed01dbc493b119a9e6f52b286edd90c6ef1b3dde2d02b45daf7e60f0e89238f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b90f0fd76703f013086669908742a1f0

SHA1
cc34c8286d0f653e188cf3c57bc7acf79138f108

SHA256
c9e22b852ca2ba04d0fe9202436c1b848b64a1530de800240535c12f938d9ee4

SHA512
5755138799af483da9399abd81c7084eec2483c092ed75ee1eae6382e78704d161b0cb177818064df0e018278edb0df1e280fa183d226dd1485502197e9386c9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
75edc1c9c2580c4e36a5c571a20f88ce

SHA1
7349b5197d6af71dc1003645ecdaf0529514e545

SHA256
0c8c106ff1ee8f77241442446ef395a91c584ea67f1f07fea73100a578f9bc74

SHA512
87a63bb87a39ced3ce486977a83635e04c891dcd07eae38d1598e52b85687d93ebeac5e1f05d40c5ba800fd3fa142605ad9711ceb4210e3bb2eccb7c0deb8739

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4e13a59ec9df2ae6d1c699d01d550719

SHA1
ee379812b294f6c60f8d35b23fdda8eff40abb7e

SHA256
be5a33448e1b0f1be6de8016e7baeee2fd7a1f831e66bb4ef5811b6d3e1a6eae

SHA512
ac788c44bb3414d8b37165a5e7e541dc032e33d8970b9b6fc4b3d9c966395012394151f1853eae8027de553612c6c0ad5e7d8a54ecf11a5eb5d0618666cc555b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4911456dff84b199427de4d8e7650e41

SHA1
65f18089662ac0002c1e6f8417b098bb70247e1e

SHA256
d99e5d855b1883ec62c012b197f9a4f23559c0f68e7c164dc2106fb5a15aeda3

SHA512
db56b07ec9a0171490590efc459624492b7a23b7531b70e65c953c35c72e051a5442754b2b030dc440dd91f9d1a73f38be4443d391004151bcbc1259dc736ccf

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1b7a9ec070d5abe006a97c7219e31f49

SHA1
3fe71a17dbb4f60d6a395da2807812d204c8c59a

SHA256
bfcb10427f1136017cb382083a5311f545ae0d96080d917c5093d19145c09868

SHA512
61f3e01bf54e260aaab57748599b220d9b4a9be019b0d0ff4df12e2ebf3a53235e9b3def308b3978f494efdd816f01ac72aad4df112ba982452e4c048bde8b16

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
68fe59467a5142afd7def1f9a2a2e4c2

SHA1
fbf1f7ffcaf5e88909e69daa320190fbb9481bb9

SHA256
76efde181d4c5ced8718391b7f5db93a7e5bf720c16d8ddb3b0c88d0fe301d74

SHA512
7613963969b6388ecd546451c8bc4d983a449c4e31561ab5db87419f75895afe2d9bed016616e7e79d0cf440a0dd39a1ed90eaa9cbc4fc98c01fa378644110c9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
168aa8207fe7a55dd3ce4d61c0a16a71

SHA1
e675c753c412dec1f07980f8844f3047e583a4b5

SHA256
f05bbb8471a2e1f96d3d838c95d7517d714a650a64c4790821010b76b149d30f

SHA512
9dbaf0c0d999780be845a981728b021d3a311adb31790caf0c356becf5ed33de8d2cff3c19f5a8989b411a689d398976c1bf3bf5a20b005a3544104488d948f1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
469da78d79a982793720962b191bfd74

SHA1
ea05055f4c30064a3a88a95d3c8eef4f076e5669

SHA256
5971bd349558f47b168b3a5df279d6e4ad6ab4aa3fbbec6af0735349c44256ec

SHA512
80b6181376dc5747b7cbb58375cec0405d39932d912f23551d5ea97aaafaac3b572fe311342cca9e55b67424a6ae0bdf6b401ef945cbd8fc5496119f92b8f651

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
0ea2d17592aed867711bed2db3f853ea

SHA1
294f6cdfb8d6399165f27cacf18652e80c62d8f5

SHA256
d78ef269cf681245df5f8f09a057fc9e1e3db3292bd2a1c24212ae7b82a50c34

SHA512
3b58c41028dbb55d5ea85c11b5cc06e186b1d4ea126e0c2c868e987ed27c437939f932e3702e5bc62e9e6234eff602454d84a14755af9093c9bb655119859d7c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
570469166e52f6d1be6b10b394765b12

SHA1
357885237a33310ff86985af535411df6994c9b0

SHA256
a74175b14922309944319069afaeb90bb13c7c44571c1946ba1bb89d357fcc99

SHA512
950e8ba55527257d66ea595b27d90a88131de5f50975a57002c34cc80260d289922c9fd6e9de36d9b13cc452ef5d7023b4d87352c41a436353556fcc437a741e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e6a8b442fecde7ecaf3a3d84b532e2c0

SHA1
28e38bb3cf508beef1edd68201fe2f184a39fd9d

SHA256
d4c8be4b96e45f4314fff772ccf838de05f54ca2ee8a6bf9ad2955efdf5e8d30

SHA512
2278608654ad81b335cae4e615536c3ede7f8c306e7b7cc82d3f15ce9e6591da8d6799b57b220802ed48bccaa4be02b14e5f80dc306ac1fece91680bc40c1c57

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9987fb5a14e3c4a5c32d5c7add43a5fe

SHA1
55bd0f69be17bfbd3c6bf9fca050831a487f6c23

SHA256
eb18374849df1ab682fe614e5a541c87e4eb9b87cc130fb0f5e3f984d25a8028

SHA512
284274a34ccf774473980d577a01db98ffd4e41e3c3ce59bdcb2be6e723da4629186e22ac9211a2dde0ea4e6eff1d04e2d2933b5ae04a2a82adc55c3475c7b6e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c5483a7a4610a4e266ef90f68abae08a

SHA1
fab47b88881790cbd56b64a79b9c14a4dfc31ab9

SHA256
c0943dbd71b2a3b5842d3d7ac70ca34f4009242fcaf05729f5550bca530d06d3

SHA512
99ac243fdfab600f25526ac959e2c09081f752390d9321e0aa0d5b64a31b90acb003d63ac04f4b3af46c139f7716fe82a3d084ecf8efb4dd25bfe50611a7be52

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fedb9a00bb27edc128bc7baa43fd5684

SHA1
0db49ea2253d9b60e3c6e307ea4a58269c3b6b8e

SHA256
2150f4041d7ba50761a34e2cf251c5f61575ca86a6797390bbd01eaa13f14ae5

SHA512
7ab7e3577bca3d8e11f8038ffb322568ce7bc968defcbebcb417f08bbb931cab264d59966d5b1e65500cddf2336c151d2f39a56ac813d3e69e9603f72f01c3b3

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
297b9e0934ad36eba7a37f8858e18584

SHA1
db30cafbaabc4e6fa39c26b20f10a9a5e4caecc5

SHA256
c0783d8ff78f27d77cf5eeac76b4ff6fcf0a33f34cdbd638c5c361594052d86f

SHA512
bdb63a23b94038f657c81835a2c45e30bf0a49369e118b772c95df705085560872b2177aae836b8f604efe8e42edc0e0f2445acdb98c3e4faba32d83656cde8b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
6cac494f8b20e7da0a5ff22294de0e10

SHA1
707ad5491cd05918ea701b1822cb5748e1afafde

SHA256
380a913252a785a82fe16f6dc2fcb19432af92d71174aaa497aba74154345188

SHA512
115c7f70194173d67185c4300a1354f22ad6ddcd6434bddf90a7f42f2ac7b6c40ea2b13f10f261d1eca4e8a64c7f5d0cc146abde01a2c7f05cc279dd007d500c

Download Submit
memory/244-2-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/244-448-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/244-8-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/244-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/244-95-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1008-674-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1464-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1464-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1464-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1544-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1544-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1660-165-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1660-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1660-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1660-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1872-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2032-676-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2032-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2992-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2992-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2992-85-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3252-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3252-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3252-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3252-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3372-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3372-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3392-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3392-683-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3632-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3632-682-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3652-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3652-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3832-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3832-675-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4084-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4084-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4084-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4084-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4188-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4188-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4256-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4256-677-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4384-442-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4384-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4996-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-166-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4996-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5044-679-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5044-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5096-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5096-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5096-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5104-678-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5104-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download