7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
Size

625KB
MD5

ef1cf16f9a813e380d083f1d137bf91e
SHA1

6b64d1486c103870e079dc9f4ec98deb1297100e
SHA256

7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9
SHA512

1e2c3275fcdc992f0ced0b6be5575dd18b98d41ef50bfbde1177fc9412db6484c8d07a43c52a1fec728480144391a218184e5d66c8400ee2a96efd85d7f97cc1
SSDEEP

12288:P2+FqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+yQRi/o:+HSRQ5UOOU62FBnO+E222YJbNEUQKGOb

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4792	alg.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
1516	fxssvc.exe
2732	elevation_service.exe
1628	elevation_service.exe
1860	maintenanceservice.exe
4432	msdtc.exe
920	OSE.EXE
3216	PerceptionSimulationService.exe
1624	perfhost.exe
4148	locator.exe
4628	SensorDataService.exe
440	snmptrap.exe
4316	spectrum.exe
1548	ssh-agent.exe
4812	TieringEngineService.exe
3528	AgentService.exe
232	vds.exe
4844	vssvc.exe
4984	wbengine.exe
3396	WmiApSrv.exe
4036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b508b69589816891.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\System32\vds.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\locator.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\chrome_installer.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4562fa18de7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075dc95a18de7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eb534a38de7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcc11da28de7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4b272a38de7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d8903a28de7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d52701a28de7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe
3332	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2308	7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
Token: SeAuditPrivilege	1516	fxssvc.exe
Token: SeRestorePrivilege	4812	TieringEngineService.exe
Token: SeManageVolumePrivilege	4812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3528	AgentService.exe
Token: SeBackupPrivilege	4844	vssvc.exe
Token: SeRestorePrivilege	4844	vssvc.exe
Token: SeAuditPrivilege	4844	vssvc.exe
Token: SeBackupPrivilege	4984	wbengine.exe
Token: SeRestorePrivilege	4984	wbengine.exe
Token: SeSecurityPrivilege	4984	wbengine.exe
Token: 33	4036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeDebugPrivilege	4792	alg.exe
Token: SeDebugPrivilege	4792	alg.exe
Token: SeDebugPrivilege	4792	alg.exe
Token: SeDebugPrivilege	3332	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4216	4036	SearchIndexer.exe	112
PID 4036 wrote to memory of 4216	4036	SearchIndexer.exe	112
PID 4036 wrote to memory of 1116	4036	SearchIndexer.exe	113
PID 4036 wrote to memory of 1116	4036	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe
"C:\Users\Admin\AppData\Local\Temp\7c37b41e025e5fb149c09bbca3260456e3cc9c4f4bdc1780cd5aaf8e049419c9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1860

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4316

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4216
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a257ead53192a54211a3954e1331dbb1

SHA1
6469ee052a3f3ce4d2377f4954fe3bfeba19a24d

SHA256
1ac51a58984a1ed6a5f1f0be95f3255afcd8908fad9252e1c9e0a6b1592f5b11

SHA512
afd695b01d9167965518ed7494b31a0962c90c1028d8ba298a9175c062099c86ad7f1cb9795ce7a94851604f0b31f8e4b8c00f5d09859d69a292c4564148f65b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
87777ea2ba0003513e2c0f19c9882bb2

SHA1
b2c257cdb09db37463d4d6cfc1f9082a7821e0b5

SHA256
912c49a59d2ab827849e48c0afcc2a4fce1244fb05bd134f4c844f9d4fcc1499

SHA512
4569a3d8dce525c4f0127142937cfcb917cdfb11e6bba45c5bd84d93e6b7be36e42a65c5335608d09340556669e791103795c230aadfc3d71944d40db53b7ab1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
11d8611d7fda02dfd7aef787e00d69a3

SHA1
f4c0d85fc51960ba13f580787954eb41fe38289f

SHA256
ab4e838c8f4ddea0703f50ad6457e467695b8cdcf78e0f1c37077ff9f34f9fbd

SHA512
75047c0dd7946e4ae77efa29e6a6f1e8bd686f5f0a1ce3d21b8a64948b38926dfe2a8dbd5973b5bbc3f4932bc2c94e5648201d761bce15acae2aded0f3f78bf9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e399152b11bd76fbd0d9855fcdf35efa

SHA1
8c32c08e7a99bc4ae489f671272eb84293a3ab9e

SHA256
b0b087f936112ac44560f94f23a72da84892af2415277bb5a9dbc42a2de86577

SHA512
a4f0b3de47ae946aa3ab2e678c79bc58f56111a15a502af2ca31a8d454fcb712a5437b5fa95b1f2320f3e363e9886a5b305c63542f3099c8d760697fa08749db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4e747f5bb16710e9bce5fe8e557a51f

SHA1
07ad2bd9f605147bd79da272773badc252e9ef9b

SHA256
2c41df06ddeb1e0b1ed85ee7c37ed25395ba61c8dd78d50f7d1ad4f71cff3afc

SHA512
7d3d85f171e201f49f406ffa88c45445a12c64fb7aabb406a77ef2317e9dfcb5ac0ef135f04c5b87b0f83c489154a5a72338434a1cc079c6ed629d87f91e763a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8d05bde727592deaf9c7ba312f3bf30f

SHA1
c6e2d992f672d4da625229476d6bd26a64bc19b3

SHA256
5115c64cac4bd6c2830dd729330736342bb6fe0ac7b9b94f48a85352d23e6bf7

SHA512
e62ed0eb09f6daffd443dc952f648aaf084802e334bcb5ed04e3af96d67821146982a00bb607542cf5c853ef93bc90159b1a01efa381c1febde4b2671e2593f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cf32e5a4306dafa5365f7cddfdeb0f94

SHA1
d7aad7d6882c7e134e14d8387cd7db7afa415014

SHA256
33d931d87f8de72c8230c83448b11b3a7d25649563047a7ab8f40b5db7798509

SHA512
9ea6440a2e2e57c3449e34e172c423707b71d9c9fe7a4dd1ffd27d4f429449388bb7aef0f90ab200ec084dff7233002c4dfb6e34141130668c7a5bebf3853187

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
513a8ac4734c70eeace5b24cfb7abcb5

SHA1
0fcfb683991cec402bf2ac40d9ff423e8d6fadb0

SHA256
d9a5bbcb2ea9a941dc1273300b5b1b11bba099c932d57fc75a8151295b3b86e6

SHA512
5a3af056aaca5dd0fcd58d553607b78632883add12c2a602922ac4dbff0ba7eac2af8e8475e77a700bebd73924e682bb780868cb642444ad924893081c87a5dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ea72b397e3aead1989c714cf173aff53

SHA1
81deacd0d57da1a4ebaf9bf2fd95ae2bba89dd16

SHA256
9acc9daab82af7e4ccfde1087306db75fa923d321801d9cf8a4feff7f5e4835b

SHA512
1a2ffa4fa383dd22f2114cd10a733d3d9dddefd2405a70910d9ebbcc787c380325451b443d7a8a1f878d73b868b448e333d0f482bbb0eb31feab584fa7582c67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2dca3281390f579e0d86e88389d7fc2e

SHA1
373385a491fca7ecd085cf8b669b6c289ec6ac4f

SHA256
2453ca050ea2df773304ff32726376e49658f67fa1302a0dd005bb45523e736f

SHA512
7ac94f409b1dda34e72fc6a5dbd6e8e07fee9240d907094816e2255bedbff222b1ced08da9649ce2d092567a103253ea628f5284859344f353e319b8cb21d8de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8c96edcb0fea5e741c505a804225d961

SHA1
3f1170209db061d6dad58f970c0c06420507549f

SHA256
382ed62afc11af8c99af3c9feb441b84d2fbd1a41904c077958ff6d4b2ebcf65

SHA512
ee118501d53ed31570c84af41501cb19943ef913956d22f5553f04077ca224f1dbf0051dc755d9f4ef8e683e77b59880b5ff9050c9edfc9ec265ebd9f4720198

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
78ca879c032ebd64f4537670eeeccb85

SHA1
a5d55bce94095461ae2e02a17ca34ac71f346064

SHA256
8d0207c5438e467929eeed6aa601e78b11a712af2476f0c1d2b2ad97f4d3fd04

SHA512
313371a476b0948d58483a38d82c9c26f093cce0c3e038c6f970b42f0f68754f51367b19afb810ebf56937edf67cb0acde0ecfe5dfd3bd73b0f1ab6301bc10fe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ed9f94d36cbb72fe3ce2c04bdebdf3a0

SHA1
74d9e102f861fd29f7f5150e77c6049e21eaebd0

SHA256
c74e86ee699756984d2d850afe9b71adf037c44a34147be3a9279f7518ae3567

SHA512
1856791dd15e01dd8606d5377570a4ed8c6e85b982c1a81be4b9ddb4a50feb0ba686681a847b61702c1648049481bf514a606b438b22da9e7ac4a0f7f8fbb53b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
779e061e2f40c3ff9a9656e7a96bfa22

SHA1
1d0ec549361edca103c42c0188f0e07389bb90d6

SHA256
b5cdf768d238c3524b5d2d1837bcb5a8dbf0c3c2bc51b25ffc2ed0070dd51958

SHA512
31d5abe6e88c224c03112705e82892c0b3887167c63fc160677c289455c319e351996ddebe8d06423e013b5b6c84a9d5ca00b864ba04cd44b143367d6068b3eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
92e76c84b3bddeccc92358b31253cb31

SHA1
5dbbf42077923dceaa393e39ee4dc71ed433e4fd

SHA256
a471a03ac5fdd4d56824a15ffd6e0f63314d276b905c3b25802eed0b960522a2

SHA512
fadf84a97653332be257066b56bc0f76a944aa3d39e003118ce65c18ebafff01e1c21bfeb88deb559f4138027d66d779db9f0771a291849b6dd87665c1484a60

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
6c834326b46bb48a99535d78473dac44

SHA1
4572f41804bf25e472ceea3aeea2a512269558eb

SHA256
fe983f9d6e3309ae4ef7eab72cff19750a8ffc72b960ecb7a1e64c2287accac3

SHA512
6479b1f5d13814617093d817b00279cc42029774404f9893357e902881c30d9a0a918152c6a5f6172a4a192ea0518d4c2554027ad0992a60eeb82e3869107624

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2100aa7c5b615def4016f5ebf022fda1

SHA1
6ae4396892bf6ebb470ca69da46e867125abade4

SHA256
74e8d80810e91aa5ec35a609ee584d3d61464c7408fe9602b228df5430266202

SHA512
1593bfb8c87c7bf94937165d5e32297456ac3740fa45abbd30b052f498fc6140d2cf3c695ee77a7b47c5f3810a56289246ccfa6180d305a88fefa7704d3b984b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
13d813d47111744219c23ef890ba9491

SHA1
365d2518e082f6d7e823f6d84025ffe377054a28

SHA256
a0dd098fd9110703da636000281bdf2c0a8da325983f6013892dd111749fe99a

SHA512
7ee09b8232f8144fb38be558b6133edd20e7aa6e607bf92cec62f0b49c9012be2fdb12dd4913522ffa4bbc9f43727cbcbe6bfd8d99268aa59b7322b3cece8a21

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9c9169de9e1798570afee070d4e101f8

SHA1
ab7b8d7d2a025eeb710b33b662d7839a20005779

SHA256
1202c17ae94a5e0b204521f7ea4234283d6544b284db3c4d122e0686c0081953

SHA512
824a320239126783d5c3b587ac28bf1e72b4167058e26539faf6a4c4c21a060ad5ac6505c7291cd0a6372b89de51daa2c5b756739dad4bda1fac9233233a844e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7fa54e5bf2b4ac299452a846cbc3bd17

SHA1
10696d914db064025a920b359ff8fa15f2534505

SHA256
dd7696554bd0ecbafda4cedfa230e7d05bb08488ecc19322dada9f1b44cc09f7

SHA512
272c9db1eb98eeec96f3e1363b26d528edf9f29cc03a9d285f02ddfb6b95f7619f6a04c311b210eb71772f5ef799418bb50dd2923f888594e771946e727cd92e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
312d43264a4cdf270983516e9e9e4bfe

SHA1
4a87031bad287ad0577979982712aa7655ae09bb

SHA256
8eb4181bfd25076c18000ea8bc6bfc1880aa8571c45ef97651c35f788d99c6a6

SHA512
65bab428d35db243ebe18e43d169b8801e812a64b0f99c7adb68320ca91bb2b7519a9d27a89bff55dbbbb6d5f9fb1b983c8da89ac7a454b95cad79dc46ad38d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3370d40e5f401cc329c696132816a813

SHA1
3077b6bac50bc444b019dd376b969f6b6ea0356e

SHA256
acb9f8e769280ccdc98ad1724f1bbe478bd58ec5b2db04e95a47f55c95858a84

SHA512
006ab21f7d4a554917b0248dc3a5a396d7d66bafe684aff612656c284d1f3e09369ef178a2027d31b2aba6641a4ca18ca90ddc4856573cbd5e15044fa6d428d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
82eaa889191d817783194ccfe6e49d06

SHA1
2e0230ff85b9492e45d517562c91d1fb42874ef9

SHA256
173b95ff99451b10b2db9aa8ee5bbafd17f2b48d36d0d68db046ab7d7776ff03

SHA512
946edf821aeb0ae2ea5737f23e2364ee02ffb61e37d499786b5e55419cfe78578c128ab3fbf5d6028636700b0d85ca8cbc27a3ad01ba240c4ad01c2a2a4cbcbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c91e36fa64ce233c293fd0c5acd55696

SHA1
de28e3ad5c1efbad67630b580c6092cd463abd7b

SHA256
290608023610b6adf3acbf102363937151c3741534eb7d0e887a75715d546f0a

SHA512
00cd0c1e08abfe3e8c0b6724a4a83c9bf2c96a8d4ccd1185cfb7e66aeb9e9ff96f29bf94b65119eb8080f3981b45cf6aaeb56854cb5b2b392d7efc6360a4d012

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a88e096fdd44a1394ae263689dcc37df

SHA1
b165243a4bd2df21764851a9c8f13d72ffd0c0c1

SHA256
0d8e7ad1ffe4f862e37fa955ea4aeee6929c60165a17be3c910cf4de0294be78

SHA512
dde6a9842d4e92658a77cece9e8ef190f4138ce32f83dc6eb358d8dc9dfd88b3062a98df2b4a37c9a6ca7f96d08d606985c949ae21f67ebac760ea1eabd43bad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd9f2be567860890b86d67977fbde9d1

SHA1
f0428f33dfcab8aa07de2b1e355fc8e9114719fe

SHA256
1d3a05aebd338b5ab98727335cf69afdda20288580e11c131ef061f995c21fd8

SHA512
05c2583a1409149cbdf1230f5ffe3316381ee9b1509c0709474f694c8cbead4e734de9a2a101de687fc26ed36b46f740efe9481f18a0cd2b712f9be2f1a3bab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6a21e4dfd5122e24a66d454c27d56b71

SHA1
8ca072494e18422c61a168a36a80e1a0c59ebf58

SHA256
f7508c169937f3a0279d35e4ce311f17ef6951881de89dd8aeb0127a4f82a564

SHA512
f3cac70195e0d7565822d00f4a3cb0ef3c4893b2de94dec2fbbf51b5a4c7d161589e250e564c58a24ec3f4995c9228f1214bc6b7b26494c3184d151c098b2ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8e5d0a5f43503038effa178fafd8343d

SHA1
254d5eb8db4384ca4df8cb94707091d4b78ed1df

SHA256
4de78f978c7b97a23106d56260becd29e562eb9a6b24fe3a5c7098b916a8e941

SHA512
5ddf07757ec1ce3a20105373bf3c9d573af5ef52ceef7a5cda81bcabf02fad411c94f1f30e95622d30f8e9bff4ae1387ff2a8a7d2c47d10d076efd71f148b301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4ce3ecf9c56893350532847643253d12

SHA1
d632aa3579e835bf9779e269f4fc3efa3e93f085

SHA256
338f4ef7078621b78c73cfaa561161a074d7b6c780474c1c46b8548ee315f146

SHA512
9a38cc947a3d9352760ae7a515aeb07e4eacd34c680722c9255ae4b6b0502af782da412cad50d9632137380bd39ad30175bdb44b8931821b3fef5bfa37e161a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2c34ad5092dba3592f1553d78de8091d

SHA1
4ec299ed3cfbf2b12e96c3ea23ef2a1de1ccff7d

SHA256
ecd4e00a343338b6bdd43da223365cab375ebd6f62d26aaeaf77362c9f67997d

SHA512
cf99d02b3ee868d9aa7b69579bc5e6d5bcbf986625d6c2bba17618b5bb5522715b2ef3614d20cee0bace23a8ddeabc56a53d75fc253d381d843d415bca13b87a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6ff56cc751f56d3cf8372f404bd3f72a

SHA1
0029bb20dc17db09c9efb8b912257a3647e5c504

SHA256
792df65ffcb5d6fdbf820cd3ead7eda353d79cfa2b09460869fe9c930ea831ba

SHA512
0f0e28eae0b9afc73d7d9ed73ad9e743d1e46bae24bd8e071fd22511b08024f4f3a759795b8f8d126b20c1b7e21245651af752ba32473628666625f3cce4d005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
57577269f9e27cc8efde0f78a7998e64

SHA1
af4ba243ffe8b9bcacc72b967eb1c91b556e1854

SHA256
62ba91ed5f95a155ea258fa066948f6f6d935e2774e8526af11784702cdda198

SHA512
c204e3b26114a35c3428449a64f91b1e3a73302eb4f258c972659a9cf2cdb383e961b0bd2781435342b13b4637db18bd477bf781407acee1b163c88d6d312611

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ec8657de1ab5ee835d475459a0bf8c13

SHA1
d942499052461cd3e42ee0ffede3c3861caedc6e

SHA256
c137160cf6356177e36c10519b7901bc841b9a1fc070c6b4dffabbe4e8e95f6e

SHA512
0ea1d61421557d5daaeedea7f57e8914abc565c40cad6ef6ad3fe5bb8be0d7e068b175a76af997b5ff3c7248cbd49f240a027763457b7bcd9bf64bcdea59cc9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
776ec92e46cb8f36e83da826c55b8e84

SHA1
85d6e6b691421b39ed9048fd838be3584b5ad641

SHA256
9d0fa5a2bdc045966236fde7649ed9c119892ca75b9a228b0329559395feebde

SHA512
7727c953d92b07b04c95b1015f158fdfacd54a2998cc881010038db4ac9b2922b88be22c9ca7f2962c1349fd14373e1fe90a2a5fa46cb039fcf3e3b8c35a7952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
03ab541cf58dcda1ca7ff74887aadec3

SHA1
580222cc2b1e7707cc50317da23b90ecdffc2831

SHA256
eb40f67cb6bf50296c0b3ab2519fa068593de2976b1c7b6f9305011ab9e7544e

SHA512
39fcf0926ce5561d65a3fd6a75837c23c797fa807ef7ceaef76cec4288897965cfe787f991aa156f8b7501123f92fa92febe582940ad9673baec92dfca3f539c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3a957eac301b9044a49f99d1f80e8797

SHA1
633867856212de30cd9c76a5e640dc9d3fe80e71

SHA256
20642ac78fb324c17fb09cfc5e051d046059834723588c947c913f8e1a76a0dc

SHA512
a9ae0a01a0cd8eec66f3270af9be78d41870473adf36d78fc17ad2f8a49aa6e5425cde2711d9f3fdaa4641f378adeb5f11d6256210d1b2b98c9940ddb2e2271e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6a2335035a160450d4ef0145dee9ac88

SHA1
ff5fcf3cf1530956a43234b532cc0e58e2fa1619

SHA256
75df17902746b8dfdfcc7bba03a4d1981e6d0589aeef0030f3228ebd1bed08c1

SHA512
4e00a83fa1605bb814f7c9d806a7f58793901e052a08cb8c1fb051e95efeb9262ee5b025fd05305a1e74b8e9499342feea86dd5ecfc11e218891d29e282d854c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0826da977f67e22aa707aa896f6d3624

SHA1
ea4220ccd4255c832fe518c6b16737c30926939a

SHA256
7f6ea88901066a0a1f1d9322eb0aea600d3a49eb8782327821517001eb342a14

SHA512
27bb9e6dd65f34689cffc1d4c722e06cf7b2982522f31def36df1513da766e4849a7554d4e77cb8ba18e774ab007edca1b2c550cce878595d131b43c66596ebf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
13aee6356c48f926b8a37d761f409560

SHA1
e1a7975e7e102fd99dca494b5156a5aa3df0f781

SHA256
1297484c79fe7a39e4f0e3db4f0d5a272b7d9f2f4ae4e734b8ee433932be8e82

SHA512
571b14ad5e23ea2338c12673f31854759867e7446357f6afe65a4d57b68874a0142cd8acbf96cddc7a1e25096cae6d9494a45b7a9f285e5f9b0ec7ca8407e353

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
624f1ac321ad5bc75e3ad97e9f1e1b1f

SHA1
208500a472038f4d0f5b2bf2bbe23cf477daa9fd

SHA256
69cef108d2de93574c96deb08a1288797c8a48f462185ca980465e6f07ada8fa

SHA512
716fb881b1cbfcd7417bfed7be79c21b50f081b88b2b627a0433d23a41b8866b7715a2a0595005c388907c365e467647fa7f866145056a500ab662d76f29a507

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
415a722aff448721c2d9953abdef7334

SHA1
5637e3ce8c967b8a41f5f48e66a22916c5c3b7bb

SHA256
4fd7b941799162c5fd6928f541606dd895198019b96bfa7f30c48e6d4a6f3d31

SHA512
e6eee28457307eee1fff088d26ffa3ca3f6db5bbe5efbd6752c4f2535292ff058bd226107b5f2130da5adfefade620e2b5b9882c8a1d686d65639a53dd2b1a4b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5aee4d92021b20c2a83a1398ac4c1d56

SHA1
3ef2c1ee10e3f75039491919b977e22cc73bca3f

SHA256
0cf9103b2e6ca0dca2ae15c17e51e10969a8005c4a5f2c7f81092214a76bd6b5

SHA512
c1c7d7ef0ada0e669bead95a96fc1e1b473ede716fe74e37be4744f4aab43267a7023889d30be01ad8070319ef9101e8e4d784b5aa25c5b7421f4a6a6d910f33

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b5f3624123f79580fef365011aa02589

SHA1
45dea4bf8581d598b338be57a945fbebdbc722f8

SHA256
9dcc25c5bb45d83a226c41b6ac8ff32f8f2541570c2b3cfb9677a39ed1de6a6a

SHA512
bfd73501748204fc361cb730a4a7d15fcc27cbe0c63ba8e10f18249744ecaa9a7f036c816e0efe11283680f88662707270ad9983bcea133b2b9dbbc7eda21ce9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
79776fa912a2907755e51b34bf678178

SHA1
93c1facba43b71c66cbd8832927bae22e273cbc3

SHA256
c333f2bed7c3d7c27527840ffcea77cf4d6c54c9345fc79086fa7f381512b692

SHA512
32feebdb8c886ad9e64809865691ba9ab02cb16a822797a7abc9e6c93d3066bb3cf55359e81bfcb81bab7af7cbede2b93be9f5e8331652d7b8db284e7468a5c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d08f92e2ddfaea68addec4bcc1baf367

SHA1
199801fbf6c82dda0500d1af83ae571e456946af

SHA256
53ee7cd95e19cb11f2f10f40310a16570829ff65e604efbddeb3ce4a52e17872

SHA512
4937c4dc94a322930219b43607f26b484026a2cb052149f202865e4002e3d604813e7ebd49ad96e8c327e7f5721d4caaf45d7ed1b8ae77b8f8ad54ab5e2ebd9e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
625f7b502ba471992e5125f69033b7d8

SHA1
cd64e5cbce5cbc5ced472afe2b820c06b852811d

SHA256
df2699c8254179130ff115653e29f0c0d6313a2e957701328c2e68e75272b0c8

SHA512
099211f99d18a35d3a40ff4c3319d46b6611ea389d1b7a758687a4d48c2e986132aab4d9fb5bc220435bea8f37061be67086ec67d7815f7982339da30b112e0f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
495c2a1310d8f38b2522c771512f7d8c

SHA1
1c19da8fbe4ffe2a00aa3f0f1686bccde768ea00

SHA256
5b306e143c47dcd003ecd0df1bc73c26befba6928814ea636f444c3d28d10452

SHA512
22355d5d6086b0136b0f779d0e94610538ce2c287d4f0d5175b96a280c5741e3c876d37c3b7973e7b53e0ae1fabe15f5dfb2b75fcebe2231e29be57256362df2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
acfa12bf1958133f5b8bd83c21e0ae99

SHA1
1bf34a1ba56a78c4b65f0babd571dde2d48447b5

SHA256
68b285981c9ce298b94b2e5832a852e955212ed641322768cf2e92e2f33bb888

SHA512
76ebf0a5a667a42a4ab8cf7523c505dcbc0c7f4972ea1585a115fbf02a7aacd50882156ecb5a812f236707313e6caad717fdfd67414fe4abb11f04563ce4a989

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
faeddd842f89fa50d19a2a825c801fe9

SHA1
0bc2289f218e8153a7f6f28ce91495ba65a01b45

SHA256
1b291471b3873059014f7becda9451a646e495d1e915627d9f8c508dd2ab9390

SHA512
2ad3582de216e9c7457f4b920eb0ba5c489971b6c5a7ecbef9b5e02d52216a2319fb97e18f88674cb0f48894e76abbc29733bd6f9bf03bba4fca8a167422f6d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7e652de234ed9a6be5661381b96b8142

SHA1
b7bb98421fd9f4d4a40fa9bf33542c185af0022b

SHA256
930fcce0a5a36e63998853ccb98d6862af9f0b0f72b3391299c63208487ce642

SHA512
04e2c97869b1f84b33d4d6f189a966c2b351eb52de8606ce59af0ee94d0aa80a6fdcf167cb92ccde544e9584c3bb64021f452e4cde75ab14e65ed24acc12dd2c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f6e7c1cca94af98490b3be4c1f30a65c

SHA1
f40c7eb30692b46b5b3006856d6c628ea28a8d81

SHA256
7dbb25ce4daf273dd875f44b350c43ac812456b3001374ff5e96b608a5619de2

SHA512
e29d5b534d5ddc664079e057ebcd4274a6b2c5918e54a84808d6ecc10fb48dbd71f576eea9109b381896ddd3f424f18070c156600b5d8f76d1cc78e3a2bd782e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
05bc77ce792a4b7460b5cb9547ce818f

SHA1
00efdaa265684359654c51417293465c2c889f0f

SHA256
ceb30322521ae47cf4a478a76f9c133a920dee0aaaf5a05a168628b338dd52a0

SHA512
6335fe275f853f92ccb94406bc5063c2ded3cd69af7210f9507aaf7fb5da30152be8564de77e175a022b7eab2e78f3a003bf3b60311d5ec3f9caeb0870c8e87e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9cb90697054a8c11bdbb12f0bf7c585d

SHA1
82fe6cf4ba3f7cb2c6a5b1b27a72550eb8f93430

SHA256
5163c3862d7017a423c961657fb6008eb68e091f3a992c020950f636f06ccdd7

SHA512
f892d133c9b8ecd26c71ab3d31ca2fb59bddfcbbba0ee425e7deb8e3e17bc6286f0923805fc39037a180a679c1dd00668cdfdcbca98f0b1480c7d3e05408ff21

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
74d3e5d75c2a61fb8c8b924dd4245872

SHA1
a4f7d77b85950948c1a3d7d32f96746852636ba4

SHA256
b9f466916313e62f0a052e463e8da6b4659f3ccc93f6f70ae4855c9a72fff461

SHA512
7c6233f645779de9c6ddcbe98324454df807a44b34177e740a078b7af6ed2eb2fccdd0edaa16c0e7c61e62b97ea9086b157c51e6cc598374e4ff029e6dc4051b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3cb33365793d9fabb9aa94af6fe6e291

SHA1
4a789052654677dfa3d3917aefcfbfe357298594

SHA256
82419eec52fd9431140b549d4dda45dba92d7ca831f295bdcfca97af17b02132

SHA512
bcae0ae83a0be7a10af3cd892eeb76ec8557d53f96fa8fc4abba88b7542386439e6fd278fe24f35e4273d717d33e798840ec28f52ca804306deec0b6488f2e0e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
43a8e34c411a5f85cc1e82db2c0e3628

SHA1
b3ff5d92fc955df7255a84494ea712316a3f4841

SHA256
94e2e8a358545a7621d42edfde18e6dfa262b9864582c4ee0a3585db4c88a955

SHA512
67b3a55e1b86ecceeee46b6dfb821e964aef38fdd6a4a64e6f60e2c95485cf17caec78e085acf335790bb970921ce319ee205b7241c9f29e05ea955c47e9a97b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
694757278faec0ddb6ea27d8ce50f12b

SHA1
326745e3aa6019a02a5789285888a5cec907559e

SHA256
774140502841f03180b3f398073e94e107ac93c44822bfa59023e124b7160479

SHA512
e0523c4511e40982172ec2198f6392a76b7b85fad3974fa2e19aaf73ee6823480e5d92ac4620c3cffb6af15f13e55bc2564f7a121beecbbc0284ab459d6875fc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b9e454161162366237db8a3710bbb368

SHA1
52217517e0b941124157117632c67f6356bca0be

SHA256
76518ad711b6832390661257d878efff7249bd978f6c60d7f3b171dd52c0f4ee

SHA512
99d8d5a43d2d78aef956c2d13b33fe7e2447950f066b9f17879f573735b782e1401bdeedfad251aa8d62413440d2b1063105340e13543247d266c52f346bf828

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2fa2bda8cc36ecb2eab55ae163cc7b1f

SHA1
4b82987fba05409bc57d31e87ad31543b0562257

SHA256
10e4aed05d759e92c41a710bd8a22ad729feeca37b951f4679e05a2bdcf1d7d8

SHA512
e7747c1293641f08d8b4d00debfdd10c521f6c0c736b152a067997a1b4acb684c3c3605487327a08293b5c17793e1f0ed64141c613966801797a7f6157ba0628

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3d12ea600429e0d1379318429aa7c94f

SHA1
270dd000bd6dd57e0e319d14fe696c79b5616bbf

SHA256
ca35a2680753114b7cfd285930d80407bb0306e4710157a9d67a40b20c660459

SHA512
afc2df0feacd913b092b4f388cb693d126fdd005a7fd65598a8af2ccf57a263301e300be252788949ee831c22f3a461697677ffd8211ed3cb72df761c9323c61

Download Submit
memory/232-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/232-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/440-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/440-456-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/920-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1516-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1516-46-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1516-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1516-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1516-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1548-620-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1548-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1624-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1624-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1628-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1628-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1628-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1860-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1860-79-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1860-73-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1860-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1860-85-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2308-467-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2308-81-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2308-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2308-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2308-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2732-165-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2732-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2732-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3216-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3216-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3332-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3332-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3332-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3332-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3396-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3396-630-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3528-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3528-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4036-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4036-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4148-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4148-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4316-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4316-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4432-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4432-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4628-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-98-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4792-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4792-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4792-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4792-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4812-624-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4812-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4844-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4844-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4984-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download