2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
Size

625KB
MD5

115f7cd9a7343707cf8d087f76a7065d
SHA1

795abedaeaf023ba9a956c955c4f81b43b5716fd
SHA256

2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a
SHA512

61f153106258f9fbd287d5d3076f43361d6113f5a14fc6073b21610a65161cb72b78e7c7a3a707b7d7c861c1f8887b1815b6c087507ed4312a870db3799d94a1
SSDEEP

12288:N2QGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:kXt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2784	alg.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
960	fxssvc.exe
2016	elevation_service.exe
3480	elevation_service.exe
4440	maintenanceservice.exe
956	msdtc.exe
3476	OSE.EXE
2340	PerceptionSimulationService.exe
4852	perfhost.exe
3432	locator.exe
1912	SensorDataService.exe
2992	snmptrap.exe
5072	spectrum.exe
5060	ssh-agent.exe
1944	TieringEngineService.exe
712	AgentService.exe
3444	vds.exe
5040	vssvc.exe
3320	wbengine.exe
4952	WmiApSrv.exe
5032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\locator.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\System32\vds.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\55cc8f12d1b02b8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000398f46bfaffcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f7be7bbaffcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dcc22bfaffcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b7744bcaffcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000008a57bcaffcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe
4868	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4212	2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
Token: SeAuditPrivilege	960	fxssvc.exe
Token: SeRestorePrivilege	1944	TieringEngineService.exe
Token: SeManageVolumePrivilege	1944	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	712	AgentService.exe
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeBackupPrivilege	3320	wbengine.exe
Token: SeRestorePrivilege	3320	wbengine.exe
Token: SeSecurityPrivilege	3320	wbengine.exe
Token: 33	5032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeDebugPrivilege	2784	alg.exe
Token: SeDebugPrivilege	2784	alg.exe
Token: SeDebugPrivilege	2784	alg.exe
Token: SeDebugPrivilege	4868	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4760	5032	SearchIndexer.exe	110
PID 5032 wrote to memory of 4760	5032	SearchIndexer.exe	110
PID 5032 wrote to memory of 4580	5032	SearchIndexer.exe	111
PID 5032 wrote to memory of 4580	5032	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe
"C:\Users\Admin\AppData\Local\Temp\2e553e25b9f0f2594d8b11ce619d671d46bc5fea2f206332356bb694fb92c13a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1104

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
999fae7490f264942d2e82d79391a91c

SHA1
9d6d10f670da0af4ce5150c56c1dd4d25f9c3d8f

SHA256
fc1a295d43643549788ea19de686a5efde6c618ac00b1085b6d2db6102ba8c50

SHA512
87174312b445f1b93a63dab70f830b6dfb1525722a99dbd76124518de8c277aeaecde1bf714c8fbe7f830ff40b6b54ab7c20e1114253e64da7bc5ce65816d02b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
cd2ec7781773085e3c545d82c7f41f63

SHA1
d65da8cd75c5243161845c0aeb50fda27d5215c4

SHA256
fdd8be0bcf2543118a17a0beb007bea052b7b8f939c24d60a004ab9a09300574

SHA512
75666c1090ea90181f78475ad92686b6349fb3632c3e0b030020363cb682125f9681a4846eaf8e743bdcb5afe6bde6511faf58fcaa9e313c52d5695e01fddcaa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0ce70615cfb9db3c618e9bb75bbac00d

SHA1
53eb7151654bdd809d77d9b47ab2be015fa58fd1

SHA256
3865889d626f4657f3a7428065259dbcf8e29b56f6a7cddd5f4cb53643bd13ad

SHA512
d373100e84c06edd2c477acd1791252a3dadcd096439a5f9530dcae08f179440b812503f78db3319f7739f9c305eb348db1ddbbac208b43e7f117880bdf66b94

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b93aaf0bfc8381fbd3feaf22ac79de11

SHA1
f4b3f2e3a39a12220d54c23dd1c47f0cb89cc391

SHA256
f86dda6af434c4865cee71c60e52131bd83d3d0509e55fd67b888bcc55559098

SHA512
fb4479c898a7ed0e25accd530f850b95b9647f6d69a502f5e079a4833e65534c0ebcb5a721a1906e2d36374f2773330fee691703841a64a41b1533bdeeeed96a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b59b8d9d9a1c9f984feb3f8c603fe024

SHA1
6e7a6190899615fd7420b178d472859954f248b3

SHA256
571ceaef71cc2c249fdbaa781950c709efa521df0c7cc22653be032f33bbc935

SHA512
dcce611c5d86313e84508fd44c9deacde06b0e0a8e1d7d2ae60cc98b3f869e158c258a3541d5d4ce977a9d517d9869d974ecf7f3454172cf6cc753d1eb03bc44

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c0b10c5edf4167477fbbd7c19bda1bef

SHA1
f4874293afcb8651e1c8b268de51e21a7b2a6015

SHA256
2a9a6c959d3655abdfa485097b90c859cb109746e92bb0742e61ea6eb63304a8

SHA512
e7c8493df84f067418845c0470230602cfa76c77114610b6b12b0116579422d970146524132781fe6d6e18fec3614ab392dbb11d887eba0017553b42018fac7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
709c9fae6c48ff700b2bbfc9c59d7e69

SHA1
7b44086d77ad251c70e3351fa7734b50760277f3

SHA256
ca589023442716643b3652870412ab7700c66b648e51d51daa88f86e42536999

SHA512
d964086be1c78263730d3697e86c9f4a98e4141e1afbbfe07f3b6e5f8f88f12f7540704b3b11b6f379b584b3df7dbac8686b8ad413ff58494bfabd14e75c3bd6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e84140a9e956d696e9c4c5651d9d1a27

SHA1
68c73ce23bce60a97d2e8ed7d9c46e5e272bc217

SHA256
dedaa4058270ced6ec7dda08afdeab5739b4aba10c4b644311c37688c514f395

SHA512
5ea96287eebe354a2cfc7265cdea28d79c402d1036d0e0a07036a41e071de11b372f6caac79a062e2c801580de250697ed9ef8d431954c813b439a2340913c42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
37192da78b724eb9b4d6a149a8dccb42

SHA1
8c72fd521fba2a897528d704b554d76c1db421d9

SHA256
d7a160590eb41a6f6213a74078f45fd1bc08ed3e2ccd86cf16fa6322f98b2103

SHA512
f36cfe64063e83ff4853abd31492c69c6aac38c06a170874f23ffd61d2a63146e44a19a539962ba70ec68b9c95aa8df4eef99a61c87e55b28f79cb2ad8fddef4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0962c8b22385233be5dbe4b7ea2a97c5

SHA1
0ba57c2e44ff682d7935b8a0900c2f6d7c330c5f

SHA256
378d5d83095fca36682621fd14499d7bd6cef852c0c79085a679baf3cb95f0ea

SHA512
b71ed63de88636417162b801148d596426569d041de34a1af6b4999386e9890a6981ce15d94658455c3cb8910c1779023002e6d1c0ce31c9ed1e043acc31623f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8fed81bf297325b5f5927a1fc8620af6

SHA1
07e5b557842bb7441b5b6aa5c4f680e16ef0b914

SHA256
48a39b4d20292fa6cd966fe72500dedc3fd664cf783b60bab6438ea130da8d81

SHA512
c6defab9b4a724e67005d151896a8f6caa86cd43d528f868b3a1888a6b90621e0141851e56ac5be5ced66701dc047568b7349300be84cd55ec0aa5d11b7c3784

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9bdc63c52489c3ffe4de3a790e4ef2dc

SHA1
99b7dc3227bb9b8fa70baf4197739e91b242c83a

SHA256
ded347952ec59f68064668fb55330671214925d0881f5f7e7663ffefe260ab57

SHA512
78adc5057a9223e9a3d36823c6f41c204ca554a54c746786709b59babda99a4d131a220589aedce34179f390f00a03e7c5243f56c7896b2df744404aa81995b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8e1b5bd891443ec251aee2c0d8b53e19

SHA1
aa31eeed9a7c6e6b23f6596e1c4d648aaced2699

SHA256
444e0da3acca2769461b8d47ffa7a54a09f30d71c80c9531edc248174164d2b1

SHA512
decc210d53fdd829c8561505905912c1b6bb4086ff31e980797c2650dbe2b62aa594eb99b3cda88f5e65cf806901cb4da96c7b05b5c9d6780820004f44fdac72

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4bd0b26b088f9df16cfbc15dd3b16dba

SHA1
f317865bde03397061c90467f23819cbad9a8f4d

SHA256
efcf449fd75c27db9f2ea6fd47c3dd253b5bda134c5557a4bbe43532ec377197

SHA512
38df1763989f12c2fed50b9aa7bc6bcb682ae3949dc4b682b2323a8298c749aa73aaacea9ffde736acce0d1cbb113f34d02c24041a624a47de5a6a8fadecb165

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9cae0e8e2621c6f27e0a4fbf9e22c50b

SHA1
1408574bca918de5359bb4f3a5fe4797b385001e

SHA256
84bd44508256112a3e47e54441032c8781aa60cd7b9d8d5856140eb0b1b9b9f7

SHA512
854b26c281a940de429d9ac54f360adde387c47c9e7357bd7b8a93264f64e09918f173c64b9f231e61230db1bff25978b7d501995dcb3836541617f509aa9783

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
992295467746d7761340f396e27a331f

SHA1
c4770c7b5ea190bd62b7163f3785df2e8ff3cf83

SHA256
11b3cb1b2084d1976eb980e5eb88648521e74cb47d5d1385a7523c500ff4b540

SHA512
73c5d259d30a5caf4919e434288fae06115e7b302699c42eb4dd2a1fc39b454ef0c01ab40d4972e8391ae6c9cf32a22205902d3bb82e570c8cbd0cd0030ef02e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
34a2cd123e5e979496cc550ce12445b7

SHA1
dd71e6798be2fa37d5a9b4ea62a9e7bc9a053605

SHA256
ad01d2ad8198417eb1490cb71d96c03ce258c6e0742df1037443366bb8a9892a

SHA512
669dd113b91a31c6d11b092423b383c10a9b71e62d6541a46352f840ddc341c1b47b221af0dff09d2e90747bebe4c82ff5c5b89ad9663cde1763e876fea701af

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
73f562fe15506c75ee6878fadf9766a9

SHA1
8f709eb42514d9fa7e2cc45397296885b51ceb0b

SHA256
9b87f0dfa923415dfadb00f14a4046429613cfbcf12d3a1b0b41de3efa06eb8d

SHA512
505966c4c4d187615b5660152afee08354b5d4eece433575e8792d3d82cbdb725e6df9c321567f065df102a57758610834152e2611b1719506a5b0f3083fdbbc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
eb0334cc03faa5bddb27b45d6bb480c2

SHA1
9890e6bf431ddd68984660004edca703b8e102b0

SHA256
5faabde28fd876b1be4942a20eaf691c0f29a91c7c850d2f15788f1539e1bb8e

SHA512
7cb439fb1def2b4cf7b3825f3c95e293b06a54c515aee90a357844a2bb2b5aaa35f833a8ef20e12b1f24b4ed8b4384d156c534657d2556902d6506cbe80ee596

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f2eafb4e1d569e82af3050d8dc0ee3d6

SHA1
89a8300e7c6e3efcdacd64a9661b0e7aada1f589

SHA256
13cc5f1b1f0faf38a9ea961f033522cce0c283631e595b3bf17217cae1271247

SHA512
27e6b8a4a1b3a3b065050a37d06c4ae7047ddec17660b02618946d9694842c8eb5b3990551d7b191042f6298ead0b5e83987249cd027b7092c9985cd5b100f51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6d51d09cae03e209a60f5aeec6c99b0e

SHA1
17126b47c8fa27a795787ce95bebef5552550e44

SHA256
937f002993cfc7a3155bfe1776bd6a981fe9beda030fd647bae1527391186a4f

SHA512
4a6dfbb7fef296e185e590e75789420400dcf8d99146bc74ee17ae6334f704b7c594d714cc6f3208b2379796727851c80f665b9f1cd0597e47121660d06cee34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
75b012c8e1ee3622fa01be1dbdecc557

SHA1
1049be79e14d038d2e79cd4d3144747ee3c13662

SHA256
a75e8cc0ea6d884db26150d4506900f3841df215c6ac7c9441a83611006967e2

SHA512
aa6b7da8c7429a588f69d951e1028f4d35ab5b690bbab9093a67d17644dc1be24f27a348dd8255ccd87888282e9e34f63f9ebf86eeda9528c9d2275437844501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3ea9bba16b9421abf0afa11891966709

SHA1
3dfc49506b9e8fe3688ed13e542171db27941158

SHA256
d28c34bd210fdada0636457128c55a66e9d90ce00bd56f6a55f88e2a09acee2c

SHA512
ef836a0361c4201d9203ddf0e908c5dacbad38dca7a7681cd6cd7f5922b1a41fd94abc9576b9ec7448a63c721a5895ef3d2767fe534c51ee2a12532e8ae83bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6c60db716b670d5deed2e96f1f89a4cf

SHA1
6a53dc88b2b14333bed6e064e4fd4fbe219be246

SHA256
ec712da99cf08bf45816adaed117a38818e6b9d299bda4cae73dde281503a896

SHA512
712d7f6dc6aa701d92d47fe83f7cb67a9eff355fb266a72e4ff22fd478537d440130208e8c42e77d6284306ba675cdfc5a3462004e87d71193b5741c370ad87d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cf4de2fca87393ca96e3c5f94be12139

SHA1
c4940831fb4d3a537906e1111ab6db168438b9e3

SHA256
5da804ad1ca0925b1d95a8fff86b1c28a07fc170696438ce504970c4db6031a1

SHA512
4b1d263a679e19d8f7364cb519c25610b816f0d7e2b8c82b1ca492d81fc924f97b003503b579cc3b5b76c1325fb9372cc53cb19a3c1a519e6ef11c4a52cb65b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d789be1e1e4db47d7949f8a765711a97

SHA1
fecf9c5371f55262d406a5287ce9f5f96dbb26d5

SHA256
43c051a08ec657ab2e79d13bb962a051915527a773e05db8297aaf5057a16f52

SHA512
df0eb195c5461180ee3ed30d3747dbec2c837b3dfe62b43e478621beca6db7b95ce8b1566ad6789cfaa1890d0d8642f8dc73d6f64d287bfdfb47d2d3f94ba77b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2694e16121273b801128e1ff05078aa1

SHA1
2b3a1132f79af8f8949f3c1f33a6039ea6ca5cd6

SHA256
60bfafb11de1deaebe9c0fb17217f9784f4c434f29c262f40a25292744cc0dc3

SHA512
e64d055f9f6224e03399f8f35590d17268e7cb6119f4669dcd70e5087adad1f8f44dd6218582f6cbf8d4ef210af9b816d2cdddc2d18091c28313f914df3c1fd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b7ba74714b49104164beb9505a2cfb0e

SHA1
5977185b0c57ff91552022e16c669757b8f0c98d

SHA256
2199cc24a50093461ca6da5bc6d6598e4de2dd5a02efdfca6785ed256a0614ad

SHA512
0dd16ae98d304cc5e5387328c53379786a1159e3318a5a17792077ea949ff223257ac44b29411a0977742efbe9647c8685c05b2f0ff711448733302287a58d29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
320a8287849b501d50ac976f8d89ae56

SHA1
0c01d1462530091cffda839bcfde75e3473d3a60

SHA256
3d3b3f269a878ed4d9555e7b7e65cc4189644aebd16f0a68f8c0d4ef57fa76d9

SHA512
8439fc14a7877a9421e3d87f5c9421999b754c18820b3d4d370f1e88154b78f5ff9b99bdbf45f09c04d38e6c14ac38c1b517fbe731b93932335989ed2dc2c857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5107641d6e2eb3b9d410bbc64cc89de9

SHA1
02c2c98c7bd203c11f99bd3a3e242eec33e9215c

SHA256
9584655a3965fbec2cbfeaec8a87d1ef6f668eb984615b328c84c9933be228ed

SHA512
8df5a072f2140971c6e36a92ddfc07249f4f6b33e2bc21934b0229a8703cab1e670ab7af6e2152007511c1d3a785e6202d8c8fd6bd18508701560213aaaa5030

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d3e62c565a635832be1c4177f4544355

SHA1
17bdf160389e7e49383ae027835b9d5c39300152

SHA256
9d6ffe10415cb1d589dca0b70e987e211a40aff069e70eb6b7246def960c3239

SHA512
d6fadea6524cc61b8992e5a958d65c79848c521ce415406edd24458410e5fa9b14766837b4e57f7b5f3b95c23fbc9158e99336ff461fc8acca7e86e50f04b6c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
25ec045e498524c55e5742e42cdb05a7

SHA1
56eb159082515aed167dd4b000f949dee436efdc

SHA256
261af8a9053b16b14fbe47434c9254ffe981ff31072384988dcb91b03ee6e65b

SHA512
feeeb3b3040df6c22620274a589db047f5abb4b8f12a04b7b93b122dd2feba1f4562a0e1ffe790f5ba380581b31333bfd810bc302be08d8f77bb1ee1f1cb6982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9a02018687baefe58ad3e342bc00ef5f

SHA1
1a0b8ef90b610ae9bf8bc949c778a1b8da598e8d

SHA256
54639a0c032f3c72f6baccfa728b64892d8bc11ec10b48be7a15ea13ef5f7075

SHA512
7cfef15b91184082eee1fc4b6b0fced26541c88b098c5909aa427022d14998e84d21749260d43650cea84f7275b90edd328f30a91e5948d8434260638fc5aa18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
be1ff6d6d35f6d4a1f631cf05695bc37

SHA1
18ad4000c8186ad79a9ec0d17f7629f03138c290

SHA256
0aadc02fcfee93249ae9fca2d8289820a25a0a5fafe3e68a42406613c2f1713a

SHA512
2da1dff5edce97278daa2d7c49f0c49320962e65d1a212fa5b77adb1a4c8a31fff9d51cee9dc12f7ea573c788b7a9e05ee41d84e7441d77fd3c5dedf7034c78b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0a35799bded84692cdbb5efaba3eb0f7

SHA1
31399e2f88114c8f9c9c91e1407e5af128a6d5bf

SHA256
781aa1d910c59625af9358f5b3ba0ed502f5945264364b5d588777698e277eb4

SHA512
fccf24614a318f2480fde93358c068154dbbfcee5923c2fd0bcb4e960fef8496900bc59a27e891be4a3196337f4e2dcac4c50ddf0fdf5ced6d4096df9bf95a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b8a512537c66324b6f8641cdc0a3edd8

SHA1
f2cf8c0310fb544e382722c6d6af44c29a73ab9f

SHA256
ff0a7d3f84e4008628e5b842181ad2fa15004afc7c24f1a8eca90a9f66440ba5

SHA512
e90e26d579da8e8c4e6db10612f876218397749a718567eadb208c6dbfb808e5f3ba529bc48fd9151fc24aa4bd048e2d5eb0944b37f0ab4ac696bbeec5452a0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
299938ff3d5ebf267fc3557e2af972e7

SHA1
8352144d6bb591e98603b4bde31ac41c132adf77

SHA256
d128827c842d848590f42f99193bc9141f97701039e163ee0b7e723f1983ff69

SHA512
7525432ed34e1d5d26d9b00cb63ca734f2e97fd973537702ce551473ffc295f380c7297eb79694d00f17c42381858282b47aaeb21937c8df0c20653506b8627b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8bcdb1915825fe091f64ce8f62671664

SHA1
2266f0979d602ff3cbdf847806dee83970a8fd2d

SHA256
07cb660516b5c80bd5ffd3bf797b4862947cc14aa758e8da83e9e7cec183c059

SHA512
50d4ed7c37cc9966e6ccfcd527784b2c795eb0b18837f8a32cb9233493a896b76ec1b69d5b9b1edc69f0a13def8371cf4a01166c9b0cecc1286342ea917ba701

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e192a5c12c1a35cb02bedcf998fcb88c

SHA1
727021906befbd6d4ef0e548f17afd6309568bc9

SHA256
133b8a8434a3496174a24b91f021f905aebbbc2b47211a3cbe20c29c3d3b65d4

SHA512
45c083cb8894eb796a31c8b5525c1e66e46d05e1bde10c786b1a6fb20fcdcdfa94a5299ffcbb3eafd4dbb95107c5376cc61723d89b26534c71343a36ba8e4d9b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2b09b6b636dee3f801025fdd2f4d1e27

SHA1
e55cce324623f777a1bc8f81cdbc1a8da29f39c4

SHA256
447943a91765790f6f586f6f73dc31ef16fcf741b887ec643ce3b42f10907bee

SHA512
bca488de876d746870545d155ee998c9daabbbcc78a25867ad71a48ff428b1a2be532488653b4e22a8bcdf187908401820171bee4c69a093bda5a3cbcc839ae4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc2588eb4cfb22dfccf021185c1cb2df

SHA1
8fe7cf027d9dd4f933d29c16aa6996d82eaa6f02

SHA256
7d9dbc7557d26b70f502e19deb770846ab00e11288c7c6188f0b7acbf0bbae68

SHA512
c8ed8c30294de19e39afaee70f68de51c86762682233fabfb45d5ed83fad9c957a0c27e1d826dc2abb0735effd1c254bc6981e05bdb40235ba7fd0eaa5d2ce9b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1ec22f728bd6a7598e039c067228c745

SHA1
15609683738aeafcbd96026c0e606c6e2bdcff44

SHA256
171e8bd08dc17e501ad0fed0556d8a4bd57c0988bd036a0e9fe906cdc26830fb

SHA512
167dba31d6fda6493ca19a2b3c30e4e4aa64f101caf559a450beb72c7308007211f2e582594d27457221672ee41d94b2c9150e35fdff9cf33e560fb6c9694358

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
69921cd4f532144a4c686a87c0581d1f

SHA1
74d2358c725f333c4178970f2548ce2598071e37

SHA256
2ea16b9153f9fe5c20c6f581b9e696e57cd57ecf94d914a43917cc37a5da159a

SHA512
d5d8da2dcb181c71a2f95ddb22e4d432366b90769feb868367247ca6e7ab4b7eb9b6a489cc2f1976da870c490d6095555f8d4f8cca972a1253be4e339ac3bb9c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3b316719262c9c891cf205fd74140692

SHA1
d73dd7acbd92eda1c5218832b3d5102b8efed586

SHA256
4a3c8dafc7522782c7bc2be9a43909d2ac3ed3d978ddb65e408aecd7f59de2a3

SHA512
1117c7e168621823d647118cd424f714d3718d10972b7a1cd9c4ce80128b1d982c7e8a65133a32a82c838114aa7bc34b794b4215e243220c53b239b378542463

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
685a9ca3f6117e43cc0aa7c5010f2292

SHA1
d60131be3411f38fba84db48cc4841d228cafbb9

SHA256
660e37fbaaa0c47a1b8b587ff8201a73301d41d6806d770e5842ccaaed34a9d5

SHA512
d96e836d04fc54a87c9c5cc6fefd7b759cdf7d69486a928dc81a5f8743a0089a2869a0af64c5a229de18d96c04b31a352919685707a765249541c097a843db6d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
dcf2ef80b43a1c629a14257fb606e842

SHA1
e2f4921b227b5b2266489aa792b054a5fb8a2996

SHA256
0cb3a41ed66af3ad4a376ff35f5959a294193cb4f42ce3fa66a119092e54a2fe

SHA512
d69e80573263943678403281bda4533d937bff0d66992138d560ab327a15bb133e1cf385164a13b21f8abdf7692a21ebab1acfba7a57dcd8e4fd4f47cdc6111a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c153acdd5426911afdb28ff500ca1c35

SHA1
aec80c46b8079b02f5b167d09cbe3701bfc86e16

SHA256
5b778eb1dbfd5e1fd4eedff5fba7b8e6c8f6a5fd4ad44ae8e70e677b80040abd

SHA512
fb8e500eaf0a422e31c6df6b43dd43c9d06726ece519e380ff6c2e25c092fc84f4c9501d7b5901e6de68ad1d38b8c5925931e69afb0b62ace5658d6665baf614

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3f2748b1d872c1c6c02ad058c2605e6

SHA1
66cb36dcfd27863e98589ed3018ea158ffe666a8

SHA256
a9d1c4495b90b0f686df10259ca0187bbaedf9ccc5c861385986c32596976259

SHA512
0ec2368166708ead00c0ce3e011a6c2bfed65ab54d5448119af1ec98bb674cc5fa8f3f398f7ac89e43d0f5e008ea7954fdda60f2b5144bc583bb921d10842159

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
88fa6da1e76373911b68b1a894dde7ff

SHA1
d04279a70730009fdd5f502d7c7587d40efdbb7b

SHA256
be21ba4bd1a4e527e4ab6e58de7482c966a838020360f0f28cacf575f2edbc43

SHA512
e8dfd27bbc0b8a1c3aad04d56608be953c08fe7f7733bdd37cfeeb5f85810e8d7783c21968dae802e47e27ba3008f3a4863b015befc14bc23ca9f88567b7d1d3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0560523c853df727234d9858ba6ef8ae

SHA1
21b0e66d9481747cd97f591784d902e1e253cb55

SHA256
ba21cab69422dd31422e9ddeebdcaf3d30ca9235488912ab60d93f82b69203f6

SHA512
a827fdc928301c32c7eaa59bbb07c3553155983cb8ced373375afae50f984c46aad0ae37a8eae7ccf551e68fdc7c3c72d27802cf1a28cda5fcdc26a51935ad51

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0bf3bc7bcf91941a11805ce43a4b2441

SHA1
3c9be1696fbca2e759e289320bae04b246045233

SHA256
8098c949c04935adb643eaea96a6785e251a65c8c2c194cb1761f279f09ba024

SHA512
ebeff764fbd48bd1d8bbdba0df768b37c8d43736fd0c94ce9b99e9c5f9debdaff936e6352d2272790bbc4206d9c7793c2581795f8ca384b9777fcbe120e99364

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
18d29ee487feeffdcf66169c206a7925

SHA1
20c7934744ce1b8c33ec03a1ebfc26b35d1acd32

SHA256
105bdacd9dfd23947f6b91776100f8cfa7c0b46fb151da8e19d55d9329b0e98d

SHA512
a08f6cb2f5302cf474ec05246d77ce997a752ff557d813ae145f297e7de8e0fed532174aa05904fd0b17fa28f8a2cf78bd494d3f5b588ee08558a156496de1c2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fc19068c1fac1dc32e618ea12c61be6b

SHA1
9762d7eea644af658bd193595828c4ebca72e45d

SHA256
acffc53d4ed61abd8c59376077eae61a0a83c6fc2afd98a64e388f006e38940d

SHA512
6b313577bcb2e0d0ad81cc2098e1485c7905eb4f33b55863f95dfaac313f767cb12249595c4c80c8b6ab4e9edf8c459d2724d0612fb8f956f0ae4b7b8e5da4a6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
85255a4e43bb5311b62f4ce721c8f0e1

SHA1
f9b2cd580251314cc5cbae61533480ff8d0c145a

SHA256
303a8946c4dcece1c06a3309cffbd058978d27f085fcf162c9ae0326e623f429

SHA512
fe1076f4ee5a4f8bc47ff78df8b563b140ee306123f2851c06b1b21849e9f8f3217b43ddc575ad0a55b2319dc6f2016b40b5d518ea502d1cd4329467088e3863

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4feedd9195796298f028399fd6cfb566

SHA1
e9d1007e2f427621eace2ef4f4ee36b1a4a922ee

SHA256
8d562a8e2a61db50214019deb1ba2dc361fe6dde1d09fd3edfc7ff57cf9be8c9

SHA512
edbb76a018d2e6903ed6939ff5c063d503cdf202244b10b3e9f9048ce03c5b1cc5d608b50dc1340d45406fb89592e54af1a2e00fc599197817c5e57681dc0ba8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fa8349698c2b89251a92c53f23f34fc2

SHA1
822896fd24b322432beaa71035374e90bb8e1443

SHA256
2ca05d437c32e9b0371d3271851fe9994c41c94eb1559573eded4564a8ae27e4

SHA512
42951e56fa130204248aa0aa31a834fe42339f5001fa5d2d2ddf7842a8939b84aa2a6797af587f7c70ff264621a01b92cc9fd812d8984b87db86a5f578a0a83a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bafe5e7bd98bd179f3f5361c9fc7726f

SHA1
a445bd499eef5a8aaeedc1a97d6b2ae947f33a74

SHA256
a491ef1e2878d315e6e6fdd871b399a7157728213a124617bec3997732b499d8

SHA512
0a7d977068a24a0391b1268d28e5032bc97282543d71f0d6db1ae7f13037ac174ddc397fb394a1333cbc6799864891bc86c894214c1b582d6f58ff0337576716

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
89b9d36983e67c4f77f0bd93d695613f

SHA1
bb7f3ebc05ae82064380b279a898879b183d8348

SHA256
25d12c0e4aeeaa79b1a084180535a8be961fb31df08a9803614fedaaade006cc

SHA512
7353c4961a5f4a10e068b420dfc0cd213daa6b40da094856b7ebc340ad36bacb8737703bbd7ed51fa83473e8f90cbb7ba311cab13989a24041959ce72d54e9ea

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
417683c6e37ae29b6d8f0f1e6617878b

SHA1
f1d2f8f64be792630c4d41de36a4b7eacf99efb3

SHA256
ac36c1517f0d45399819d037fba60ceb585f4e53ae09c3be74d90e4b233516f4

SHA512
721554fbe3fdf8518cb30ab8952b25297426212440adf53cd8e25b688e700c8b8fc6653259393c1b8812f201b5e11f7fe37f005e95072e32ca0b58080c8d1cda

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d070f6242f452ebbfc5cc20e21a2034b

SHA1
f03494c00e6e6872d192077f2e6d1ec17a02cc22

SHA256
86dca0fabc73de686b5437ae17be597a433304709a0eeb90977a30cffa307711

SHA512
62be71ce521f8f4ce25ec2c73a3fc4a1e3d48a14705a10a7bb038ebf588a3d83fc169e5ed489646281b4d7f1d11286de094d4b3ee9beac87bc38fc15f8070e2c

Download Submit
memory/712-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/956-169-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/956-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/960-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/960-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/960-47-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/960-60-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/960-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1912-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-241-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2016-422-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2016-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2016-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2016-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2340-164-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2784-13-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2784-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2784-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2784-170-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2992-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3320-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3320-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3432-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3444-564-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3444-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3476-163-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3480-444-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3480-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3480-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4212-7-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/4212-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4212-454-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4212-1-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/4212-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4212-6-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/4440-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4440-86-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4440-75-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4440-81-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4852-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4868-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4868-27-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4868-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4868-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4952-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4952-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5032-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5040-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5040-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5060-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5060-556-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5072-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5072-555-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download