3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
Size

1.8MB
MD5

509ade752b6bbb7ea26cbf241a6bb110
SHA1

a27b1b295522c806fa19743f8b20d57d36ee1699
SHA256

3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25
SHA512

1afa9a9965c595515b794ac25c898d6716128cd5ad0e6c744608fae1c2d6468a629b5af2bd219ba313944beb00f206cc5175ccfda521ca80d428447c9a715347
SSDEEP

49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVkQ/qoLEw:1vbjVkjjCAzJeqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2376	alg.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
3376	fxssvc.exe
4128	elevation_service.exe
4676	elevation_service.exe
2540	maintenanceservice.exe
2036	msdtc.exe
320	OSE.EXE
4912	PerceptionSimulationService.exe
4816	perfhost.exe
2884	locator.exe
4800	SensorDataService.exe
3700	snmptrap.exe
552	spectrum.exe
3036	ssh-agent.exe
4348	TieringEngineService.exe
3096	AgentService.exe
1128	vds.exe
3960	vssvc.exe
1912	wbengine.exe
4896	WmiApSrv.exe
220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6383b9b3971c363d.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_sv.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_te.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_ta.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_sl.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_nl.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\goopdateres_am.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD5AF.tmp\psmachine.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bea75b9ffd4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d70bdb9ffd4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5d346bbffd4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b6569b7ffd4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058986abbffd4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020fc6cbbffd4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000459d48b9ffd4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2248	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
Token: SeAuditPrivilege	3376	fxssvc.exe
Token: SeRestorePrivilege	4348	TieringEngineService.exe
Token: SeManageVolumePrivilege	4348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3096	AgentService.exe
Token: SeBackupPrivilege	3960	vssvc.exe
Token: SeRestorePrivilege	3960	vssvc.exe
Token: SeAuditPrivilege	3960	vssvc.exe
Token: SeBackupPrivilege	1912	wbengine.exe
Token: SeRestorePrivilege	1912	wbengine.exe
Token: SeSecurityPrivilege	1912	wbengine.exe
Token: 33	220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeDebugPrivilege	2376	alg.exe
Token: SeDebugPrivilege	2376	alg.exe
Token: SeDebugPrivilege	2376	alg.exe
Token: SeDebugPrivilege	4060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2704	220	SearchIndexer.exe	112
PID 220 wrote to memory of 2704	220	SearchIndexer.exe	112
PID 220 wrote to memory of 3096	220	SearchIndexer.exe	113
PID 220 wrote to memory of 3096	220	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
"C:\Users\Admin\AppData\Local\Temp\3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:320

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
77214dc13145cb5138d7c40243246c4e

SHA1
c6452b0ec5af59d5b20d31edb7ad15d6199d3405

SHA256
7bb28a607bd5db2f51267f7963a038c61f4285c4fe0065e17534047b0eab0220

SHA512
112019d84550c88f57f182d6f48c39415b23f37a0a63fdc28c16117648b7ad0ad674c3dcc82f7ab76258f2fd0054948c7af4a3f15f1f2eecafa1f2fd7374e2bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
2a38464da75089ee8c26bf38e7713c76

SHA1
2f8e8d82c2dec494c170bc58a84d41e2e0a213a1

SHA256
30314bb7246d760e91810601fff7de79438958aa5099e927c6d7b8920c84e5dc

SHA512
f65b489e26308e9e4cf84a51fb8f4e992dff959ede2bf8a7d69401789183960818017dea8c51d5448238d383caf73cf57ea2d8135e3a3c37837a12cc9e8959ac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
022734d4af45f84d11c3ee8ffd868fd8

SHA1
cc0b37af4e06aedc299611f01913e2540bb5c04d

SHA256
a405feeec782981744e23aafab6e038e259fbfcef40dd1ef3b1101087ead715e

SHA512
0687dc4429bc86d143a2fa64ff2b3fe8ca3bb539a3019a772e97a9fc35271e95204f4383b6d82645cadbc2835f3fc84b7b1940f0622dafa74a5212ffb8c0066a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9edd291ac02b83a9265c2e4b8d307e28

SHA1
d7bee8043e97fcc955db166e9b02be77945eaaa1

SHA256
10cd801134200a07d0ab7f0128acf010c75c73ffa5b8cf5a551452074635f7c9

SHA512
828de385556bcf96f6c32a762c152f73d24a94c59999953a9334a5b99097f40936a44a6aaef6ac094d9663262cbfe42735fca3497d90456d3f3820ea4e25ae34

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b36d47627e4292e1d33e6bae54a78c08

SHA1
bb851c972d35c0c474058c5fb135c5cdde2feed1

SHA256
401b7678322b87dded5e95bdd8d18448d8c5592d470f3c3764cc6191781b4d66

SHA512
a12b889b1de7e18b2e9e2d7eac3b0cf9cb040670c3811ac846474f892766e78b0679e884b25e72ea5a26170566c9ceaa4e6b2bb0db0ffbda2465fa9b251c4509

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c96e3b71c4707349755eefe57d1ae82c

SHA1
516913d492618d2793b5ed7cf8894f8bc900d39d

SHA256
a6a7a2e4ecc4502b08b35252240318bde36e13f597b795de675174cda3f8a505

SHA512
82396ee861adcdd154d3bee559e1b672353965fdb0be36293aba744747938f93fad6d98f97fd9c230d376229bb60b87d4c8898dc5ef0d65d0db1ef0dcfcf9f60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
72e0e5fbb2ca01be072998b4bf90b88b

SHA1
00ae7a2f9c5642a60aea1631e7c4b1c44e34cca1

SHA256
454b8203989e7a3b4aa7cbde077e93349ff987cefd4a45f72b481e8e66c00f44

SHA512
27bf026f97c258bf4e02328a05b8b460785cc890a9512b484d286ff237d4469b2df5811bc437626b5d85b0d6a05c570be0e079b68d7b440560b3fd8e75f5ee06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c9fde34fa18e36dd746f48834a04d782

SHA1
0a96b7b7e8b519d5f0b7bc2b4e3dca1d50c4fc86

SHA256
e57af8397a422c46bc0f24d2d4a45c765d4df58cb065c65c26c1c34feb840812

SHA512
925140c36c4ab42e69ed47269125615f12c25a78ee0edbd8d76813bc0efe364ce6c52bead50779793b23a69868edf5c31b130cd14b21e871ade1c34378e23059

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6dea80cdd85239a093ed999d5f2b13fe

SHA1
99b0e57b5c4c7bb9cfe641d70e8e0aa7ca1284e9

SHA256
dc6548c274ff4808f3a021beea8fcfce11e233d83e9b4446fa85a982d004d4db

SHA512
89904f685655c72cb302c3d075bf650a9706fe76a4f04de96de1082823493c59235b228f53292612ae6ff29f34afca36ec93f74fa7dab725f04375faa5e34bfb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f2de2725412f9b70dc25704b830df7d

SHA1
e70e0eccab95c9cac512fb186ef5a9a288fd6c71

SHA256
9fba59af716161fe386c968f466831c9be52837106fb9881d063b6f53e3f5310

SHA512
4d4a28de37ffb560973e9f4271a18383024ed57e21d27162a427009db7140039ac3d0a50b8c108344ee105c584e8c3ebe0073b8a0770fe1a216d90da52ea5fe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
258e04b0f84b7563242a206195a19ab2

SHA1
1dd1de3fd6bfa802ef416893fe16d5fd28c55df6

SHA256
b9f064d4d7ef127c4b0f594f61984894a2eac361d4f286a6df95d540039578e4

SHA512
61b5f16136c65a64693df4606ebdb91bbc0f8abfe33c5713ed731929c44a9035638cd0f73aac956155c875f12b46cc9b41acde38fec9dff97b5eeedcca6d77ff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a12f084245692d280bc44030ef183bb4

SHA1
99c2558331ec5da592d5c07b0fca0973a27cbe03

SHA256
764d92d34ec5b8ee9e80fc10d52b3df8bb86fb94136fb21573b87eeecd2b893f

SHA512
f49fe2e702b2ce79003bc9d903d6074aa957a1d5b8725956b3a9dfde9f72cbbc3387813c5435001db2ba891b3936062a12bfb76b657bd3fd1ba695e04f7923aa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ecd01371b7c36b105397347aa9b629f9

SHA1
b206507fabe06471d91d738c249256536a141100

SHA256
824cd7d8ac292e60ccc45981a77dde59ca65936181558a4f28752f90aa88db3f

SHA512
c3753f9de2963ae3e49c1a6f90088263601c2b06c6101c8e722aab62d24d841704e9eaba7d42bb78c6df61436d22bd15aeae98a51b9518506307e4321b811c39

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c4d74b76cfeef931f12805fd559f20d9

SHA1
f506fd8b84c14838a7678486e3502aaf81326e8e

SHA256
958bb2d626af0ca7e9da6c7475f0040d074acd680f8a5196e9c2ac5b0a271188

SHA512
f4d58cfdcdfdfeda122cb220f35e2f6dc54a5b4188cbeb812006ef808f7464d77245e10f93edff5b4d2f583a23791e3c7235b1a3fd8937898e740d803b228db7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
555eaae533ae6beed0271203a2d02db3

SHA1
bbf3034b95bfc469bbedea8d07d53a0fb7b0a2d7

SHA256
10ac4bd3156974481d3ad6531cc292a247360143cfb47d692ce9aa84a1ec3cd0

SHA512
086ab10f9d6f590729786b41ec91c80c4e6e3d2267b7225af7ef6f19444ea37b087ba56187280e213fcbe8829cc6192d164498a5282301f0d352e65699fbb24f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
04448004f0a4c64fabea88f185b8cecc

SHA1
042b0b656de6c0fb65f1f7f5f82a259b38d0507c

SHA256
3b0d2aeac2db36e867c5335eeeb13626f5c6688ca9b1402ee2e28cd007735d18

SHA512
6f41226d883d2ef5a513717fb382faad5e749385e81d8b292c6838b1492779cdd5e1387d41fca242a5095d4b96ebbd4834240fc694a686d2928af27a8fc49f12

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5459d1c487049e0dd6ca8e8d8fc7abe9

SHA1
c0b78b5e7bccf8c494770c4347d38aa93c0e607b

SHA256
ab4f7cc51e7aa7086be6429f0ab3196eb82458410ad2f54e9a471d2ad72a3fb1

SHA512
bdaafd53fda1ec1a456eaab1600f56468265ad36f7439f7a1ee5c191bf0220b37a544583df505a8266072854dfa8f606a3e33c749c25bff9fcdf54e923373f01

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
4e21496ac23c9796b44dd4202c125452

SHA1
c6654c79ab134766c9814ed0fee81f0ee8434bd7

SHA256
b0c0786e1ffc230cff207d2bfab0451dcecde2c99e59f583cc09f7d383237ebb

SHA512
06558fabfd7b8eac5d7051ef36843210a4a54d6f044362565b8ccb8686b7f126b942417650ca469f071b9a92176b5c09889b2ad350525d64278ecda21009e0b5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b9c9a3ceec68c5a9ab87e1abbc1bb004

SHA1
18dcabb3667caf971ccaba624f17b9e331b0d0dd

SHA256
3257627f4b103ac9e5c38170a91569eb45077bc7b1f2ba718b9c438aa3e3abbf

SHA512
9eb8860243e5dc0e98c49e5d650bd499fd4e39a557459162c83541355bcee01e88d5c7fd8bb9dde66c0cea7555573d00af09e50c286b46e294af8fa180b85e62

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ba8cbedd67347a95f9b9be29e796e33e

SHA1
812301e21cbb1532e9077e792134df0595a2fce3

SHA256
5ebde5f2f3c716ac49a5cecac7ca1fa16ddf0c2a287e24f0fc53b55bd2c8d64d

SHA512
17ae21f85a7465d1b1812d1ac277de1acea208f1a95004783031356eb7f9e3d8b0b1b0efc158090ec8457acdcb09cfc219d4037b820a33ec40c4059d0becdfd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e339ff9f8cd872fe50d4ba0e04bf224b

SHA1
d3292e8a114b1f993a874aa58faba495d8183e90

SHA256
9cd90f85b3fd30fc044d2d781798312cca877faf649072c452ce26b93f844021

SHA512
40327587a4e17485388727efa6b200abe1f2e3b79d43e3b127d18773c2cdf92c98117b048c7e6143430cb4c7f350dced1f86c635778e8c3b873a6b438e53049a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
07512fcc701a7b4ad3675e3e54c09f5d

SHA1
8e50afde8d911175ff3aa54d1f9d540226ebfff5

SHA256
08987ed48419a60fda799fdd68dcd45ff74ba9105313676998ebc42756108fd3

SHA512
6ee487f123c62bbaf36974d0348a7023166da439a62373aefaaf725f57a2c58f626155a01a8f6ce461c5f9c33399d78fefae785dcad30c86667f9efb02c11896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
09eda6d89f6adb5d87947fd52b53c903

SHA1
897273bbe4a29e5382f2076700a99ed912b62816

SHA256
952327400c59632d7d2cdd5899aed25bcfe3fac8d163084980a2b40b14babafa

SHA512
46c4a9c6a4d6dbcee710defec04da39926ab292b4c43336dcca80ee34c3daea05568723cf1ca9d9ff00a26f000117b2af990668652c4ef7a50331b63976e4268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f46bfb8a2e8544084afbb93f11660732

SHA1
15ac3dd726ffb2d52db059425b4c818b8e43ce3f

SHA256
8a50caa254155ab3b9e17d0922f1a440d00fe9d574185dbf35514f4f3951784f

SHA512
7c28e9a785aa70eb19639440dac583de1552cad12614cf8d7495442cbe6469a15f89713c13628556b34849e06d781f929de4c221092c3d5d1c6e6c001ff07eff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
edb966c8756a749f533d214479124e98

SHA1
d9239fa7029488c130b68742ab63dd7856d5caee

SHA256
006d66b7019e49427acf1266717a2b738478afe4131728c509877cc283682db7

SHA512
64a80772d8b22718e970dd6c350b39d84c9cdf67f85fe3814fe454e64b1ccc627f3f3e218d4a1e49d65ac9096d35ab001b4ce7504c0185a7160b5f1adb04d2b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b23ec53f0e97f5d612367d07729154a8

SHA1
66042a6cb06e7860e2187d846ea8086f882df77f

SHA256
5bb9f32bab8380ab19c7b49f37ca5587c0f43b57b2ff85bb2afce10cdcec1c66

SHA512
eaee9b9dc24a207257497a6fb5be74295436604c607b2753243a1f4ca108f47fe7969b3da31a83aa3591bcc2b3989b07c9e63f6517cffef936d3047dcadc3bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7f50926606f03801ac6b06456df0b5aa

SHA1
9083b901fdaed92b53c53c055cad8268a737318e

SHA256
405a6afd76318a686e5e0781bbf24e6e93b68cab3308b78b7813e5dc4b706990

SHA512
440568fc1abc7f0ebf2006d7b6b98b1c77b51aba2da325a186f9aa720757b27f88e402ced2818c5d6fc8e16ae2e0de5047ff648a404ac345f135f59d978e6811

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
934842f2020d5c66e9a8ca05e41b1428

SHA1
04cbfff98d486a74b6b136c83c7d4883ad0e116a

SHA256
ed9257f83dfb9470d6d7e7485d53bf735c07e286a419eb5bd37e6eba6f3d8593

SHA512
1fe20b622c90b75c174390d1366233aaccac52b9736158bd28f7d8aea3e958b15c3761b118c3f421bb10fb2939001a09778be67bb06abffa3a487612ffbd179e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
42c40309348b7f8e825ff2db437feddb

SHA1
50d39d28534013e362edda9241d5d4b11f6f3c69

SHA256
17fdad5d427b150f8edbee86ef723125dfceaeb201026b8b55339445c73bf9ea

SHA512
d95052b90cf242435fe5309a4c507aa65e6f9a36dcc40aea43640bdd2cc2c292906ef5feeb8601e67cdffe8473ec46131ba3f1b3c616464c5096b88275d44bdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3571a04c116fbe585e6625241ef6ce64

SHA1
fc0ba750a7b8a50844667ce97553e025c583225b

SHA256
3690d6b3663ef8ef8c03ee2f1b638173baf2692b37eeee0acb8175a57d896c4d

SHA512
9491699f173057ee562cc2e9733d84c3d4b8409faae52c174ee5db7b2a12cadcc4d0d0cdea6853d6c3d70663b9f8d0b98e43bd86e6aafa7119693f23a1c873ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
45fb638f2523c8447d174c3144d4abc6

SHA1
a3cf31c658d285619587fd2fe1dee6387c20e3a9

SHA256
ea5606de5eba7e0df43edb2ba6755da7dbbd462b8f79fe362107ba2af0e7a402

SHA512
4eb4673976f7905931716022e985484c42570004b893df5b5b76bd737a7caaad575f08493e47b0e6500befba6de86f85841c5c81a88a525282696889fbcb3cdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2d3f4c61a958be7c130e75d427d48b6e

SHA1
17467e02071aa14a3d115db80812b9775a538475

SHA256
2076b640da916a82df1f56d6eff0d25ef67e6b89024cb042ca3c2e60b88aa7c5

SHA512
804314aa69a2bc467165b7659788896b8bc0a662e7662500559fcf494aa362dc3fefd058f897dd62cb612a3cc90bfe276f499cdd4358b65a42fcee88d3a6890f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e7e70d5279e9ace2b1ea749ab41b9d45

SHA1
422a169c45e5007a918996a3be0cb16ffb351b99

SHA256
e79709065f1e9366b207247297fa33658f3f748975904504bc8451ad046e8a9f

SHA512
df7f38c03b62f9295e690dd5dcd11b4f1fcb010497512056f13aa51a7018ddbb0a031ebb677c7a3481a68e078276e3a5fd00902207cea3c0b0cd68de558d6c27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7caa5f9bf847ae45294af8f0df6310fb

SHA1
5d7f6ad4c11138531f58613cbc91b28f3b533e10

SHA256
626451af12ff23a6494d6abda1817a450dd40fb233191a009e5f2b897f13fe19

SHA512
3b22af5ad3ad6e7505014e812076403e856c91943c85df083fb3ab7548395c1a88418d2639f94d01d2f4238d71c62aa8faea9d637469ed8fcab8baedb559816b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5620fefdc9f32f69893ae83345818d7c

SHA1
78526871a058383db0ea7acb1788f05d697a6d43

SHA256
230b79fc1fafb36455b9d057c16d3bbefa62e5b3adfe42bd9c46eb9fcbd15ebf

SHA512
7a141cb12c2d848772f40d33b8561e9c815e05873cf3128b5ba1556a1b19a1273777deeebdac6162d297ca69e2eec4d6a26871c76db1a793d27afcb72d49c767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d67d6f4ab5a33c6e0d044fe2315ef5ad

SHA1
2d7df7d9e79af9ea38f8a3bfe2a1ec5f039732b3

SHA256
f923d638e5213c91d257516b7724671d87c18e02165b4e4b903a5ad4588e9c29

SHA512
f07ae06d625f8cf9d2bffe77391a8ab8ca996e27b1d6045cac57fe126a684fe516ffe9fb6614e5f54a4191a0234317fe7ed8461b4c1f6e8dbc1d22bc8bfcc47d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d1978c8168f3e5fc736aa0b7bc52b547

SHA1
165c02342e5167d660111ddf7aec4824d3499576

SHA256
4242c654b9b29d641369e5ef83a6bbde9c5f8180415813ea7941a1689be961b1

SHA512
bbac9696d77cd982df8b75a92cbc926b3821bab26db84eeb119a14eca5eeb5d97cbbd49a0d1ede7ddb2694b47c329b96083ca06e7750557384405c300d57665a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1d0d6eb3eac11a88cf7feda176de0e60

SHA1
b101cd8103e064f02eb1aa1a2df11a4a5b90a4a4

SHA256
96f346e39314158746df95ce6ef257b0c4710dea0395b52c195ae26bd4b1d30e

SHA512
49bfe432be3efe6c71a58cbec6084e39133d9257b85c4712c039a9d669b35f68297f8b8442f8d92bcd04d9f62ab2429aec718156c2560ca19e236a71747cb549

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
25a1d6137423d082e02efe446318e120

SHA1
29706a9d8f8ec5409016458156d26a4c0a40d142

SHA256
f4f6fa7153297c4caa96ffe390891038469787912fa8bfefc03940b14109a071

SHA512
f73196682c34e40faaecfe1f2cbceb0a6bcead1d0ab4c89b74a8e018fdafe2f9ae37c10df7265be8913c5eabe5adc7a3f397ac86c89dbb8e93af866b4c45f685

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a0d4e5964d4ddeac0d51047ee1c18dfb

SHA1
8607789e72b438ceeb785fa5f4d2118bf35510cd

SHA256
d81b8bba62b92ac2ff06fa03f5c47a1f8572b772c79ef81857825881c7369363

SHA512
0e55589a15ec3510475691a778c7b367233a1cf391c00f62845bac5a453a38b45bec396805d64f6936b5d7d327c2fa05a736f5de483a67aec4a783498bc43efa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
15e21b3db8228bde07e1b7ac0f75193d

SHA1
18a59d00ad6fdf78966f4d9dab9d3dd3e9d40bcf

SHA256
44e760517231a8e7236640ff09b67ba4a146822fdc906a98dd988e7737708cb1

SHA512
5a4f4851bff1508b45540c213f0728789993e0a14d8bc90ddc7a3b38ba150e7e8b57dead984f6acd326f46701c7f7b0b06333ec4c1bf31aeb3a8081319628d9a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d6b01e2baba04635bb941191137d08e3

SHA1
cad21e484c13d30c79ef3b41cdaf1a3e2cd55245

SHA256
eb778fb63c98d02fd24693d26c0f9d301476de74762d3f968733387ba184388c

SHA512
31da31ade2c4f6ae5a923b2314d743fc6602d7b3c2c78b62c92ed0f12d2e407ceee7adb5508df55213d53146ed5efdce8ce62d6a5ac9aae83a9fe9c5e6b53345

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
421f21365edbe80f2890da6cea4f6294

SHA1
31d9bd5b4dd14aab01cef0da2345e91f95061f0a

SHA256
9e66b4ab08cfc03e984fd51fb025ef77bc2dfc376cbd0d9583c1e4d38c5dd82b

SHA512
2a6687d580bdb110aa012350898ad525f1cf3b6b389024a10bfa47e483bf3aa37edc1f1ce324107737ab0aeb9342eff64c2854b5de71133b7c7c58a9f1646c7d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
55b3e0b6513829565771c58ffe8112f0

SHA1
24eda66d921a8bff4eef35df7d2c78e083d6830f

SHA256
6eaf6f787cb32172bbafb64e9309c6bcc42ef45822d51efa238c3e65f0056b43

SHA512
5893a449024b1538c44c13075514398b4bb0998fea466506e04efc84264a6b26a7059ba5b6ff9f0d897cd4baff705561aced9cb923535f20a3df87dab9ae84c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
99f973e557a691dd26c8246323212e28

SHA1
b5f1511eeace59fbcd3a08d39d04a96022922d72

SHA256
fbf482d2e7bace8b8a2a50d412964af01fb7abbe85a233badd890189aefe77cb

SHA512
2a90f57d66a450b413e3fcda033383605af9279cc523cbbfc1705e9796285ff37391cd45d034ac912f180fcb5552efd4ed8ff2ca33d61d60bdb3275c94136e97

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2f02186f1f1bc7707cf0a968887fe223

SHA1
7cabfd227b60223599387bed1ed05cf74d69abd0

SHA256
d2c4c83ff5671edc7f1491f2570086de009ff2c6ff39b9f4507c490505c6705e

SHA512
848f7ab478823ead10dfd6235c25e13d4975c74b877c8f618873e2853a6786a0c5996c71c6a7250005bf29489df7d23dbbc669efe79ba63ce0fd1820cc59d0d6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e027386ee233b916852946d8ac2b4b82

SHA1
e7035d99e0d5c57d292313ff9181a29d0c228eff

SHA256
4e93092b6177e876779790d20953b4ba78ecf58218bf59f390190b6316a0611a

SHA512
526587a023ae1c108a3535a28cfe07fcb92da8684d70aa562040a830e2a0409e30b15203e9b234e34cb2bb96073981a0b7abcacf3f6eca7b426edf82f3bf9131

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1a2befda4a16493bcbed271ee0c1c91f

SHA1
fe4121b774f0f573b00b15f461a6b57af701ce79

SHA256
9c3be743a51eac0c71516c856ae409afa4bc46e51e9f48757d08bdd2deb37588

SHA512
0f4974003b67fe16d63445a272034543203e4e6d873159a72901b90b5a3f67398e5ef558e7660de6ca5aa626d0eb1192723dd38759b56083b7df66c96b74b9f0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4485467cf947254f8f77253c2eb20b8

SHA1
3d3fd6e01819054b738099465dcf3dcf803d52ee

SHA256
c9e3a59c30d9d416077389fb0e48ebf15bc314c3fa4ffb759e192c7100d7a203

SHA512
3f0df3eac112005fa6b2d96dfb72919cab85cdc9519da0a48831a3e48b97013207a3f9644069067d61483babee2a5d856dea626f04fc013de973cedb710f4dcf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6a3490c830592ad7f04f9ef57765657a

SHA1
26ceff7e2e731d9cbae7a76bf813191acaf3ac96

SHA256
4d2df9a3b27277afcaa00ad80db262321f570914dd65934c0e999aa02c8115e9

SHA512
3a109b6f49ca8922c404392b7e24430f1367353e3626650c8a992638827bcddd539a80e37a5f24c9c23b74a02c500f892a5c8330fb1c63dffcccd692f7e3862e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a80e3118b38c1eaf275417ff808c88df

SHA1
0384133a86a4bc79ad2e5c3e6fb45dc278f9a13d

SHA256
52bbc8b797872f9329d561929ab4ce6eaf8a1122d34c94b366ceceedc3c91a19

SHA512
5aac5799194ef17b6820a4e605b353a857366d93a3f096e81a638c865c7bbb8b766c8c8d0b650c738566d742d87937fd18466c97c4c0c0d30061ce0afbd4f639

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a1b5f6e9e6dba6c85a25bc3aca1ec5f7

SHA1
e7facf990bd0691cdfeec9183a9818436a6e10f2

SHA256
8c0e971e5f21a928118942fba2a4a99707d8f1ef04da301dbfd10dcec5a0c652

SHA512
3d79b3fc1febc97b552b8c77b23f1b467dedfa21778f7f154076c9b9a821d3759e69c7dfa8862c7dd4d77112712046866d9d423056471f3f52413c25400dc8bf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2514fd23546ee1fb80aef275557f62c7

SHA1
97592fc67a9bfeba69c0810f8e2990f576502d24

SHA256
a9b75521008e6789154a492a2efc0dcd1fdf6611d21bd4329f421b3238929837

SHA512
0a2de933ff44fb9a3762dd5448f36c577b67af50f7c11cd8a1b58f946fd8fecb08ce43df78ea141b1622775e65c144361e126611ba230ca6a27391a5e392913e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a5da07b6fb3648b95fd7f473e74b393f

SHA1
6e6730764311e1690d9e096ce51488433651f5e9

SHA256
6960d0bf42e5dd67f9f1cc88d23325dd029ba9f6f1cb6ea8876150104541e336

SHA512
ef822c1ab4ec961c4ab4f984f6629c0f38eef35626b5fb119f8b1324d8ee25c68afd64a146a5f2107edc239fca65a491a024705e0f1cd0e4ed00a31735f26f47

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cd5338c3be4925f6af5b6c1b685233a5

SHA1
23dbce0ffb73729075015907fbbcc2d2bad72693

SHA256
c97aaf0b38a4a024df8d447f4fdfd408b566b3a483832f8edd2cd46ef032e790

SHA512
3d5b94ae07565c825de3f434a75e344e539d13d8689949426db5fbb174c528eab3f51b4da79eaab04353915b85f5a48df39d8d1d72b7cb5cd28943d3299c6fd9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
133c51d9e436c7216f753dffd493e146

SHA1
e38e5bb09f02851ad6730bc70d4453bef01ce009

SHA256
cd637f5a0418360c77766f21d94abe59275f6ed90f491172d89db1e64e02594f

SHA512
a541050b336644005b788a5d5b3e06113fbe9158c2c2a5de3983dddd96331a251ab8e2370c307e383d16ba1c309000746e116750678ea3fed5939b789082b47f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
418d8da859886581d92429d66a25b920

SHA1
0f4ffb695a057227344e795d4e3c3dd7e5047cf7

SHA256
9c2ec4e274c2892b41c835cc3b1a13d674fa9be0cd73e1691fee5a4f45594d5f

SHA512
d4564ad1a5eae60bcbbfa271e9f36977d1df1cd6d110c2f295f1780bfd632688daa3533165d22c7b0f737a82b2a394ef06af7c253ce609fc5ee63ea013cadec3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5a21e2b9f13d3d3261081d8cf9a1b1de

SHA1
9ad390b5e89afc8ba19f9db9aceb9884ce262fbe

SHA256
df82d44016b20ac20296bcb691d1ac1a07eaa1db27cd0d991fd55d8b46502c30

SHA512
7a936b33ab8827d6644a1f99d09dc0c4e06c10df0836eb0b51ab6dd27aa719bf357e88d54fcea6e94ef315bf4f515142292aa373bc3be372c5a038052dec6ad7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f94bc91c3d5c8a44393188227defcd50

SHA1
e35453fea1378198dcc37161f032b3476ed78980

SHA256
ad69349884e52f8aaa7fd5b97cc185aefecd57e33039670277cee2c9f708f5c5

SHA512
163191483367a0ce78871b41166215d0c3bfd3a71fcdaf0314e32073ab8e2ea5a88626cd28c4ccc3215b3f27d1665142a019b56d0175bcbfaac1b60a6dcbef2a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
421b9bd6cea3e1a646221eaed8529413

SHA1
7346f9297a2d85f05f598273b1ea1d700228c815

SHA256
c4266d8c956efc525ebf297ba47973390d8d4d6b93d76d29cacdef7d41af0d85

SHA512
98e066ebed04bb8e39783d17705ac2b003627bee49aebf5a9579e32fad9edf8aaa9691c18b717404b49e7b40d038c1b56d8bad48196c4576a188e9040c0682dc

Download Submit
memory/220-730-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/220-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/320-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/552-689-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/552-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1128-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1128-724-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1912-728-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1912-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2036-234-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2036-154-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2248-1-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/2248-6-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/2248-249-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-591-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2248-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2376-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2376-20-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2376-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2376-258-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2540-146-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2540-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2540-150-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2540-140-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2884-230-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3036-722-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3036-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3096-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3096-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3376-105-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3376-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3376-128-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3376-111-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3376-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3700-232-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3960-725-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3960-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4060-102-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4060-298-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4060-93-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4060-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4128-227-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4128-122-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4128-330-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4128-116-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4348-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4348-723-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4676-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4676-627-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4676-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4800-667-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-231-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4816-229-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4896-729-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4912-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download