00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
Size

1.8MB
MD5

480e12904ff026ef1091217a8eaf9327
SHA1

1df11455e02e630b9e7c1a7a0b9f5d28c789a0e9
SHA256

00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b
SHA512

fe1d5a513eaa692600c831e1c2d97b216978fce0a2f93ee5ee56b0f828fabb20815032e79521f2faad8bb9c0e7cd254d100d48f650c6f43be18260c9f878599a
SSDEEP

49152:BM9QPdxwfE7WlFwKAfzuTiDFUFkdCks7R9L58UqFJjskU:B1PdVQFwKZCFgYC17DVqFJU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3788	alg.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
2460	fxssvc.exe
3564	elevation_service.exe
668	elevation_service.exe
4556	maintenanceservice.exe
3976	msdtc.exe
4916	OSE.EXE
1896	PerceptionSimulationService.exe
3248	perfhost.exe
932	locator.exe
4016	SensorDataService.exe
1848	snmptrap.exe
516	spectrum.exe
4028	ssh-agent.exe
5064	TieringEngineService.exe
1836	AgentService.exe
3428	vds.exe
4000	vssvc.exe
2468	wbengine.exe
4552	WmiApSrv.exe
1748	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\locator.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e55c9eb6352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\System32\vds.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_et.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_uk.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_kn.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\GoogleCrashHandler.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_da.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_ja.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_el.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_sk.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_ta.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8EF2.tmp\goopdateres_lv.dll	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e650287f104db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6c60487f104db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b97bb886f104db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea3a3987f104db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af53d086f104db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c23dfb86f104db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003b04e87f104db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2740	00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
Token: SeAuditPrivilege	2460	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1836	AgentService.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeBackupPrivilege	2468	wbengine.exe
Token: SeRestorePrivilege	2468	wbengine.exe
Token: SeSecurityPrivilege	2468	wbengine.exe
Token: 33	1748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeDebugPrivilege	3788	alg.exe
Token: SeDebugPrivilege	3788	alg.exe
Token: SeDebugPrivilege	3788	alg.exe
Token: SeDebugPrivilege	4704	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1476	1748	SearchIndexer.exe	116
PID 1748 wrote to memory of 1476	1748	SearchIndexer.exe	116
PID 1748 wrote to memory of 4464	1748	SearchIndexer.exe	117
PID 1748 wrote to memory of 4464	1748	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe
"C:\Users\Admin\AppData\Local\Temp\00f9cccfed0cd0b6e88e64a78456a5c6bd30e53a6b2af847626ccebf587e620b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
23624262784750e9370704df9993ebed

SHA1
043405832a69644ef0cb19067dc1e99ad247e3df

SHA256
264aa12b86233bc8a8bd6192639e74b70e6569e53634e0f5e0a0ec135a99f9db

SHA512
0b5218ec6cbad7f9b69363d6b2aba6d39793d77e1cb2a84a5f5561d714a0ff9736be4aae6cf840a1a18c8b3a60763225279e6aabd61707fa7677275127300bd9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
d8047d411e5a275f70dcfabf92c96f4d

SHA1
1429495dcc68db4c80b62666a35c16c0f1be0ab5

SHA256
6b6e7dbe440daf0c0362659f64d7c08cd890e78e52ad52cd4e1f239f32064f5d

SHA512
1c11314e8b48241bda47010f61e16628f1f45afc332bc831650f6eb9b7910709229b032e03a7929d001668f1c57e63f9a50b594c545ab43842107dfe4023373e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
53dd0d3d5ff29924c92c810ab1bbb56b

SHA1
eb764d9c60e7f8f5dd41694b52ba4539efdcf3e7

SHA256
31bb0681628c0c76d4c67a27b384ef8dd8f55516917abea23cc14a28dec96fc1

SHA512
03724b7db1d9d02f2dbd52802a0f8a6fa349ea981d873a8cedb55ad23b67051a4acdf116b384944c08ef1791ed20eab5e08b652b0e3dee815c43f70c59b9d676

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ae95fc1a79b5e72cae752cd74ffa48fe

SHA1
051fd46353e555e0331df2e45bd11e681591a514

SHA256
8e8dc1fb5709f82c760ded498a3f7a5035cb683fca51f3fae4cc3af2428f6f20

SHA512
d874aa02616ae04b2a662fd61de80a06331721fc4ff097931d9c117533ab639e85b64bd3399db1277395cc095b58643ac01c55b7ac308f5c9ceed1c5ccc5d960

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7fe03cdfd6afe0c813c14d79da49aab

SHA1
0f03001d46dd771ef6ca7cd45ab4738f11e247dd

SHA256
c9f6012f0ced77a41721a28ffe079d6ab664d52af31eac3d2338154e6e8b0440

SHA512
54a6adf1ee1c58313a5df45cff45a3ff505495e335d46866205d911c272d598e5b6969eaab9238da95a50576d4b673103556df0e85223c5110bf9d160204af56

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
ed364ef25789073185b6e353df361e48

SHA1
54225f4047c7189db7b6ee2f6e40b138a29a33ff

SHA256
cf4ba23b7469b8e2c71a8a22186368a88add7a5be3cb2eec43a0496a8e9b7f63

SHA512
5ffe2344fe15f65f516dc5fe141ac4922603a3220fee535b3c08cfd6e26cf59014e6adddb1d8b99840ddb86583c77af463dbb245ed6a84819c18fbb5190acaff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
1ed3d0aa59b23c669c3c7608e16fef56

SHA1
5f7ff5eaa0d6bf6c4d6f0f9ce7e68e1d5bc7a55c

SHA256
5f8f708783777601efa1d8d9e217cb0d996167e574127ac0a60453327639e1b3

SHA512
a3ad653c55957a32719f1e5c0384f10b2dbe3779d764dbf6ef702bc7167e15c862d6984fb7b20b033e1e1c5ac7c188db9409f8031cc4c947c2dc155a2f646e0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
043e2b955d62491839a88140560f0255

SHA1
726d503cf63ff4e9a3829ae02f56ad937f7ef316

SHA256
35a5cddc5464260162c7a2be3119aaefc2ed557e09bbf6819b63e8383ecff26f

SHA512
966132fa0dce290eac5dd18bceac25260486e6bec3c377d5bcb0afc189319dc54cdd59a4f5fb3413076c6ce2ad5cccbc0076c31ec5bf9bed50fc06c427cd7b0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
cfd8079914cbd1b65bb654edac049cd3

SHA1
01fd093e68a63011cfdfc0dba04e12ec57887718

SHA256
aaa40cf578d10269a83faba710c534d6499ad684242fb4359d0938faed406d0d

SHA512
e3658bcd0b95f365688c2394a78602f6ff0b92654ed6017e02503b8c2cc0e60e7b161be979e60536315a52bae71017ad1a8cff3ec29d72b41ff5c7c4479ef6b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
10d6df76e120cd3110e420fa0b5a245c

SHA1
a513c315780b507befd34c0fedec14db4d320b63

SHA256
a3b03ec8207b6068bb77447238b4f611ac1cd12e730350255a15768cb957ab0c

SHA512
febe6e442ac209e4b0bbab8698a97af67ade148ce2a7749464322be5f5ad711f0becef4b7c38d5e2eecd9a5750fe04183b98dfc06d4a03ef73fb56856fc23de3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8b8d4e2342103e0b3e478e7cca8a4cc9

SHA1
1f1daafbda7a71e7abcd34996149aaea1b6ac3a0

SHA256
13f21f5008d986e9e0f572a0c953835a56ef7e651ae6b2518543e2e5035089c4

SHA512
0608fb17a8f27eef238a756e019097c88ecbf8cf796674b01ecec04ce62a52fbdac97ead9a4428cd38e58a9c5c9150fd737711872bef82c23e878b57375487de

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c3878c65b095f17ba056ecd17d5a319b

SHA1
8b35da74ea0d3efb5c76b2a0c6003fc9a494295a

SHA256
66c00033da8d91ef55ad896e5b4b64e20d85f506eaa418de9c95fd89c5a5367f

SHA512
b5f7d6bebd5504a0babbc8ad5cc08cdc722d02567a13a1e392f5c4876ed319964568c5d21db1e816aa673a8f28914bb4feda70ead57125546738dca69298ab9f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d4db906bbd8da9a5ce0fcf448375a4bf

SHA1
f0a3d947b1c6c4b552e501fb506cb14d60635b0d

SHA256
86379a9591a93c3b8ec737ee6c94117a7e57bad359eb3b41c66f9d98bd629379

SHA512
09e1ac95273be16bedde9a7d70b825d23ccf2bb504ce9eb429ce15159e072fa316708161093a8079c54856c8f6ac53aee1c0c67aa120a39add50ac08d654afa6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e69cca2d24b4b5ddb42d1188d375eaa3

SHA1
1ce1aec31ebe357036ca93e75f88041cb1e1eee5

SHA256
02d23a8044cd025f352068f759b5ff966e366772762ab01e01d70f5aed13f5a4

SHA512
f9f590a8e2ee66543dd38ab0dc1c48748d4fd2998a8ab64356fdd384eb2ca84b1927d56dfe53322a537b3e05145604e3829eb00a7c6dd7be183f2265aea6c4e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b5a2a1360a237a8e0878be9d86913824

SHA1
896184dcac3bb915d076a8797fb708cc6a967758

SHA256
a84c40c51df4cea9c913f50c898f3e1a9e06b408728f5fb5d466d596aecab78f

SHA512
15c6f4ee328b9f774c52fb9a3c23d816da307b2b4e1cee740cb4602134929d0b31ca21deb2805ff2676b980d8bbd65b271be82ea368e0491e2b456db053bcef8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
2cb582e0732e9990f8b1661fd88ce4a9

SHA1
390c4bd358bd18a7b0aa91f2ce4106cb8c31dbd2

SHA256
add914415c41f407cf6dc7609af78eb37d8cffef134d64d6c507944e404d7b1d

SHA512
2dc40e428c2f10a61f0789f901138e232b03d459f57ecaf45bd2149e1f664408a5fc29f9fb2db1517aaa4b6a8abe4fead8e80eaa05451d27f7394852324f75ba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
352dc894f6db7f099a04d65014588dfe

SHA1
6e9a82d26f5de9c0a1feda69e6910c06c8b9af42

SHA256
74acb419bd15ddf07bbd95fc4e7c0f80812b05528030cf6ac600b85bfe68e08c

SHA512
47474416f5c97da63ca17528220cd57928cea76cec75ae269b5e5f85ead6a9dd4e1160c0f7fd54c27b0f483406961cd77c41bd5452bf47194bbddf8ac9082126

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
86a10897d1d9567487496ae33402718f

SHA1
b1568cf761a7e504833deac7abb379d30f7b4923

SHA256
3c29171b615735773f6f1f79a3624f80326cf7cc0bc138ceb0ba9d4659487256

SHA512
9cca252e87f5d5449d3df079bf31427b91b1248429ccbe6be984b2d8d1590273c63422c250f2a4e5a3e07a993828db4935c9d5021cb7a5d8832e0edd54ec1d6d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
807d2566d2dfc8e90367555e21f89706

SHA1
80fb569caa26b7fedda677db709a8aa7ab64248c

SHA256
a3e5091dd06f098918379337737d4523a358dc3f952170f9644dbf8821d49bd5

SHA512
3506c8ac6180d1747de0c1dd60f60193ac08f051a9666aedec0b295d800db161dca0dd7dc670707336c6a927b486de555f340bc5fc7bf7c71acf1900234ebcad

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
dff7d123ad22f501ff4ec00ae7d04fe5

SHA1
e0eb94541d45de1b2dbd75398a424da36b332e47

SHA256
e20537591deee6d94386bc6b1bb0f5bd729cae52d26509568cad4713bdd1e6b0

SHA512
cb3cfe0047691f0485dfeba3e46c91d4de27d6b46d1695a4e180b09752356a232fde0b061d4c9a60221d24d6f652ede88247a1e2e351d6ac3d149ebc11a47df2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
981e823f78b618c90294473218394a2b

SHA1
1771d1a7beeb852d4fde5fc7d88d6e2c70d8a51b

SHA256
f035294f803430dcae71f842ae059044fafe5686fd5afa37bbd90370dd619f53

SHA512
5b6219678fe56d8dc80e78121ba84eeee80de339ded83eb3798b99983248009a2f3b73f2025c831df32603bebdf6f4f81691994046127e10b290b43d4b33b4b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
b3f82058f6754bc58bd6d7bff6ef6479

SHA1
4f80c16d38438101fe8d5520cd2fb4327a002e66

SHA256
3c848675282f0a2b4e6c6abda36303d6a3196325cd59a8137380ea455730f77c

SHA512
d5041298077df3fb6098020b89eeca09b0d4a19c56d67f5b80dc61a1d0fbfd08a851d1ee4506d1c301ecec6db59d52d97664bad7983e934e9cc4b74cdf1a2d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
2b3b237102bc5d967ac6fd8081d7475a

SHA1
d16d3cd05a7cc3c432197ca6e4c8837a0d492252

SHA256
b690d9369ce70fb3e05623524b0e71281cc0951a1a342f95ac55f0445825bdd9

SHA512
9fbe2304a820939b2451d9cadcf37906a3828b8ed0d2eeceae3a7c262be88273b082d8692f6d632e0299161ecda9a91213c44a31a4c60c12df2fec29b4395c8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b94d0e1103df3cfab003ec92dc8ca3f3

SHA1
bc087ca1350a7b27a4f15a49e82e4dbe7c55dfd3

SHA256
847c24717faf70e09dfe402d8d33be576bc1b633025fccd248f85d1af2dd2376

SHA512
409c0042895a8916700366928bfd1d926d97d5df9c1382593b2242d5393795efca139287912bf9e0356e02a0d2b86fede68f1290569747fe5e931b242e62516a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
06af2814b0d0d7b641c95e79d4c32755

SHA1
be9d66cd2460572e5923d21f10a44657a66d5e6e

SHA256
42a6a4af2c12f3fe8c826139a9adfdd41e5e37b17f874b158fc1581cca4c12da

SHA512
14a59411a97a868466160df4e5b76f93f4e778ec3a5a1ac71713f7ba79a22c52cda332866c7e027fe1c8625de6fe6c8239448316f27d8d3d33a98380e30f251b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
a9b2ba86297764aa238f0190a98c952c

SHA1
202f52a356de7693a469f90d87d69fef6926cdcd

SHA256
519bf254a9bb52de26443ed6ff54da637396c9478250623adb0f0a7bbf89280f

SHA512
655f7fffa533e7b35b3bcc4fd135cf5957cd277b765e32adfa8f27912cd7c861c8dc8a05708c72fa9c180d861eee3a4f2a1a50c5cc3dba7d49e00866d0317f15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
9af780cbb5e12d7d380a913b29df8d09

SHA1
ccab0878e9b55b90d5a9b7999c4cd9c53cb91bad

SHA256
8c9bbe49e2ea50c66f6be8f8b4ce2f69b7eb53886a2a26a8f8055ab190417466

SHA512
f207fb405c586aa693fd286a3cc47fb4aa65323647b87388c5397d9cfab04964db37cb10d1805b53cbc31b368ed24996d43ddbe93f9d59d46b40b7db9cd03a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0cf4cc771cd58b8553f53ec1abee91c3

SHA1
7c65c80ddc09e22d622c64c6108f96976222eb69

SHA256
e0b6e0a849d83215051fe26ea82380a75cf3fc424d2469ceb1aadc30e50dd60f

SHA512
228686aefcce8951cb83568b69996fd41b5690045a5efb27ea84f4f5bfd21dc9978620be2e0aac5007839df81dccfff05deaacbd26ac28c534ac43e8b66dda77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
a582a357a8306d50237f24183cd75f99

SHA1
ce817cb3d8ba44dbd1bdbe94a1f2a08428485926

SHA256
e4716cf73fb5a6162354369174532e9b279737cbcdab06a9321627028683d1e0

SHA512
7f6e4a5e684ed8f64c1d1c09d2e9e515597a3adc5f398dc324c0c79cf99e966b8c199cd2ae341af2341e6685388eb5628b65fcf45003cab1c86ec77270bd4989

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
a0ae95abfb093332b112d9dbc3b51bd6

SHA1
91e2c9ee7a25ee2a5c1837fbef4c12ec888ce533

SHA256
6e54c961458165c802c890c70057175f25edd5b07394991a474743887d365ee5

SHA512
64a840600ea664bdfb32ec0b40bd509d7ba1cee52ac61423fd61220ad0026f89dc217d25bdc27a632ebca740a04340b87f026f2427f5f1c0462266fe2d6a986e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
021c0a42be342dbc34e64bf80d2039bb

SHA1
fe9579db2898a37dceab4608086acbd66642f81d

SHA256
d507bf17a5d7cbfef2791d5462828eb37383b67f8cb2ea7693f463a79b4d4907

SHA512
07ef44af7eac046699c3b1e8ec991fd36466de6ddaa49ad9580b360432680bf6603fa3cc3382c9a6cfb15ccc46ba66104e21a97f339db5c45ad7d8ea49a15fe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
e180b7c1198ada00be49e908b14f5ebc

SHA1
d4593533ef85cb0d87d23aac5fe5c4081489dc37

SHA256
a79f8c1ab35f0182f788753370919d99e90e1c335be1d94035b3847ff525395e

SHA512
2e63ba08530a1f2cafc011bc0aa075f22a79bcff2fb2270385628365a8decfbf123fff8f2223398b0218b8473ef048a8cdd849b2bf920a649b417ebedb278a56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
4db54b65fcb7aeb2916b98615943073c

SHA1
bf3d944bb7c96e92401b4a47c64ecf482820998e

SHA256
707bc2d0ca975d62b3216dae1e65f7c6bad55d7714ad7c8fa1cecc62b31456e8

SHA512
1592fc1d2303b630f333c1bf280d829b876af71b7cb9827ae8b8f6087eccb289c30be88b74056684adf0b0d167005e1eef3cc6cf3ac89d18198843199b9332b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
25f87ece9d9725f59907035ce0a22938

SHA1
c53dc486a61392afc21fefb1eec92b5a4ae88f19

SHA256
949d455e568df84e4fe7477ffc6c90c4262ef4fdb4e2c87d6692c6be9bd7d1fd

SHA512
e249a5a1f66b88fc7291e1c2dc25bc20c07c89674fa1e845c2f7f6ac8601d04424184791651af34456e1cbfc9825a68061918c6de97228fbb4e80e98e6ca5997

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
0ec8d0c57140ec16fe4540101636d34f

SHA1
588c0a345cb7741143e3c01aa1fe2df9077b7380

SHA256
0d61eda16a209f7d088f9dc82b793cab7027debbe2c9e4987faa0105da8cfdbe

SHA512
9e5df6b6ea651cf40763b5ef5486faafbec096141d72bd0c6df368967b40a4ae5b6ff6b7d3243ccd6cd92667e528f24125a4739af6d7b8870809521182d6a047

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ab540d68fb227617de65d01c683ff3c3

SHA1
acffc416d644e55b0e63e56d3259a460a5d9c025

SHA256
4e466d434cabbac4039f68a509279bb5403614374d8fe10794710d41c9b177d0

SHA512
9618ee1d99f9a4df10fb9b17b855bd8f35c3b658768ed7b4fb957e1aba1a0052db9dfa1dedd737001971242cf99cec2b04e788a9b9be03b11bbf269848e27fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
995327dfdca426ead3b42b8df3e80477

SHA1
ab3f03b78d0173929a1394833b25199dccbffcd4

SHA256
5c8a9aafc3e583b7d4ae649416b8f15c1851ee1d7e39f55fc5a28694cfa0d9a6

SHA512
ccaa2e4d1096c9455cd166e1dba748b8bc7b5e37fbcec4bdcd1313a5a1f820ae1c8d164430d16fbaf2d8b6db274178f020ecbab983eadf56e1d912a59b177376

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7b5371bd850d91935276976f12f24acd

SHA1
0e2289b32a1203507c69f3670dcbd6a4826ce279

SHA256
0c982dec8e5bddb08d398a53edf48adc5cc4c6fa8caee018cd3e02d39395471d

SHA512
14e3b5ece2b9a1ae4c9f01ee1896eced4affcc2d1c071ce9120201c03913daa118c70846cb121007e67226e4792e12480f7e8764c305e8454b612a2c7e34670a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
adc05919b1becf659c7aa74ff2822727

SHA1
4b5ba07825f9171aff82cf024e31796cbbaca9b6

SHA256
db089e5dd75af824f1f98fcd942e19b6818d87346dd8e915076f065a9cfa09f4

SHA512
0e90dcfbad0f4c0757362a10ee7da48da33876a14f425a282703d253975e73d3f3d0d77fb05ba05008f5d5f4645c87d2a5d80bc9a1c85ba2a9f8b0353efd31c1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
a91a6d0b007fef5bee3b0682042825f6

SHA1
1f09be40f73b59c07ce9b7c351dfd0133a3a3e2d

SHA256
2ecdc43ece323885b2ca743a9c0ba0e286fdc3e7c4fb369caf39e2be97abb6cc

SHA512
de76e4cafca1a4a6e6a8faeb7027623254ee0d88d0aea9aca0a04eec47587f656fda2b3e0d789787e18c9899c06e79a4d6574fc0cddb000e04d455bca5b5083a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5ce66e3ec9877cc2403bcb072232b27f

SHA1
04032a70cf7ba346236f1dc8a345aad1030b5da4

SHA256
4f9f6f422b999e5baac621fee8d3bb7aafeee3864875b52d4cdb44b90168542c

SHA512
955d3f785464500b2fbaf2966ec47e6528f5ec95a8741eae7c3a1d2b5f5faf839e86c14d67cd60ea21379cf87d4735a8cf8766f7270a2b5c82cca325c0ae1cd9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c5227fbdc239132da95efabfd4c9e6a0

SHA1
274909b6123547dd50a594c8151dfd851a7d099f

SHA256
f04f9154df1168f86969d05b0cc0c96a3a0e7ecac3bb5bbd5ef1d319f472548e

SHA512
c62db71decadadc0a72d888e924f3cf1e40813ec9c3e6dcddce3219aabfb7cfb0d99133b1ad41cdb7790615fbed9180852cadee8a5bb0b4d9ca706dff7756787

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2013e2899f314336c68215390078bba7

SHA1
5f19cc73c0846a58b24345f3d898d6ec3d7ecff8

SHA256
286b78328fe0128141c5e193c0d605ec6ec7ac9343087f4ccbffedade3f4d9da

SHA512
ce6b7019a565a2efb5c8aaa25e6ff90c683343b299786a2e9b85f8f52219be604842f91f316c0ad929270da89b24f0e46d953b84fc83af1e82e3058550f0b58f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
7b6698df3a060724de12c1321c06fed0

SHA1
23dd4acc6192ed296e69cfbd8eb52e51946fe389

SHA256
336ce280a892cf1e24ec207494e46a81ed54996ba27454d4f4843a542731854b

SHA512
dd290cf0f333ac11b43300b174f5109e3c883349a75b1d48849d158cb16de8c54c7c0a8d2b720f5164672259376bb860ee8bd6a149b8769d80b4e3ad23da6686

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
4343f853d259fa1734e8a12595e00641

SHA1
fd982548f544f5f0e57389330a2745fb300b9d57

SHA256
6125ded89e473da3809139f01929697151e7abbb7b5cbf33112386ec1113ad8d

SHA512
8e95d2c1bebf61ad4f1abc3634185cee795fd5a64c851c285d414328170f0995b6d61411b4088f402804126bcaf81b2f26ad19ecc613cd6a7fdbee2acb4379ee

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
e5153e1f50ea26783a8e44083ee7278c

SHA1
2f4347c284979d80e80e35efb2c1b82cc357c80a

SHA256
146797dfae3854826e16345f4c46d1930cb9037bad0824e568efab9b218057f5

SHA512
bb1fcad953e8e0fe5bf5c0a08026f21c158ea3f70cdc613cca5a70b04001c6ddbb70a08097617f46142af5628db271ccf41e8bacb7eba0f0389ddb674b1ff8d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
af1f9a6e027bb0bf05ec28d5d724f9c1

SHA1
bd3ad29b1c4629abf037e81e36c2d9264d2ea9fd

SHA256
3a1ce43da1d3a057367ded065a54c51e3f9fc87870b632afb9ca123274abaa77

SHA512
b392e02c8911f85538dabdcb02d02bbe7c165dc65ac2dbcf64536f5356c05f2aadf585eb1692f2aa035d80006c21b6cb5d12cd0e67cf496f9014a5f19ad94f02

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44e5381bdc22c3cb119f07f3d2b04180

SHA1
11e7c4d3df034e1596709ebf46cc430b6fb58b49

SHA256
d9194d38efeb66d7e559c1803bdb4c73240b221db69a1e91933e4670d5ffcc5a

SHA512
f42e03f22a03db0d0d3936ed16c33b3c576f24b2ea34e7fcca554dd9b13d0a826e4a419088d099505ce526e2b1eb9f54adc4bb447d9d5b78f3ab770b4962e54c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c1bac3f942201dcddf8fbfac5db75870

SHA1
554e2bf6bd1874475b367d0c2207c523dd69c699

SHA256
e5ff2dac59660dd228fb6962fdc7cb2537ca999e99c680ffa783cb2243043183

SHA512
817dcd7e3926d263749473c6b80a46e9d96c3f059fcf3bd6a48b8c679db52a83391185809bd5d8990911710ae5c526356fccd04f1a4634b6a17c1d19e9477e65

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
43cf8c331debf9c19aa9fccb37c485c3

SHA1
85649eeb128304123d0decfa291a4c7e1f1afa88

SHA256
085298a5925c9e9f205e653046c5dead4ad4d0aea4c229acaf967d81ec7e3863

SHA512
b36309dbd8675c190b027e1ba7c081920cd8c204de8246e245bbeff6f52c3fa1ea78248041c42f4169ed20cd8bb00dcdb801f596c99dc8ac2233e2097f1f4968

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eeb0b67ca1794c046f065b811b193c22

SHA1
49fc07b4a0ce8d197f0cff8b5e92cb53a102c838

SHA256
a82fa828f268c42826b4139efdcc694d9626636c1e08a6cc07cbc5c51d1ed2e7

SHA512
8c58c723d1d0f10c28878777fa53ff6b80d78969360d954be08b9bdbd2cacf569041315018776fe89770746a34f2bf07afe36f02a252f5ceb41da2c6f259ab4c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
96a1473d5ee1810639850c8c21c97006

SHA1
724d4091789c910a6a214a703acb431299075ecc

SHA256
c4b64aaeba627024ee86e6341d3d67517b668864173df6265dfa848fd148fb8e

SHA512
bb6baedb1addabd4b8c564e6f448a5881738f8be171d49a3c44cbbdb69089071573c5e897b9a945139e09a49718c387f3edd23ec2118ed95ee1ffe4dd5900494

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7ad0ed2b300514c23e1f159e5f6404b2

SHA1
8f9bc6fbaa02050eab2cde6dbb80e98a1f44c6c4

SHA256
5788c83bad358b5891d239d8b6dad02bb92d654bd5d3cb8669a98e9fc70853e8

SHA512
2a8efca1d177156a9bf2873376a89a366709aa98d3c275f158692857290c38f062570247330fc0098295144155c6e9231e5052f7baa32a91344b6b00bdf689c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
b988b8f8f88be9497d758674f1e47664

SHA1
eb971a6d2ae1af197660988077397d3c14f12fd8

SHA256
d797e18b6c28543bf7f17c565ff50ead557196cb389b814707e842a69b8e7b25

SHA512
c170d18cd1e1e73fe70f9bff72bb58498775dbcbf6198ae3cd722b3259ab8b84b7b2c102f514795e65be4e514b20b01e2aa42891cba4b27cee03b33437b6bc37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba5551f0d34cf9fbb47e455c39d3c47e

SHA1
d7c8391907e82afd75cf3db933a3ece7949d7fef

SHA256
16134953de793d22650172e0f8f083cd3977f5a075683b2a5abe084b9e809b7b

SHA512
fcdfc856563726dd61bf42ad83dacd9714fe9271900863903f27af063b4229e53daadea9ade51bb1ee9019123dc36828c388a464c8de0ad9e28827ede959637b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
533c0781646d45f54a2012fff855b93e

SHA1
0a6eb7f0cf0d3e64d41d0f4afa8671b2a272499f

SHA256
89882e91ffa1116320c695f53ffbc4e4c9041f6025d9f1d2edb8903b6d855049

SHA512
8020d627479951c4e6bffd55f67cc67acddeafef47457942b9546fff4d56302f02906fa56834b6acb7b6a2f29354e4a6a8591945fb640a869de3dc3e7e9d3a1a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5564bd05f397f56369ea9dee1fead482

SHA1
1b58d85cc7773687051055dae82fc3b892757b78

SHA256
97fa77008b059bc0845316d396ef020be81bdc28d0652c3cc27af44548b36ad0

SHA512
a87f23247ed65cd52b780d14d2daf729d193cc703afc525c83a00e5eabfc73d450814bea1376e441ed21026eb9b1b7e6e9066ac5a7f7dca4404cdf8c4d4b85de

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c5c1a94b2d71a1b7db71cdb3b9674c8a

SHA1
a30329e46da581edef755368c1d64ad9ca33c312

SHA256
a88ae84518d302ada120bace27c0e7c0a4f5dd93b3a94a78dc9c4d947baa26ca

SHA512
fb3467b269165dc9bfbda47dafd554a7cb6dfd1a40e88b847d3bfbd8b63f1a663b0f7edfa0a027c1a283a940bbcc398987bcd5bf4c505e5d999c96cc00047f90

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
42bea7347f3ba1601584246b0be104a2

SHA1
8909f871a7c063bad1d40cc655799682c74b4999

SHA256
47dbd9b32f5884aa2be3fb501a5dc5df136ab560a123e75f8d3e3b8c245eabef

SHA512
fe0e783270d531f8533e3ecde8126dafce385c53614cb61229186ddb13674e7ce1447e49660b703e2e79ae2057b0e5238e6e22d2daf84813447746e2aed55947

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
aec8a69c2b955e159a204d21cab6ac19

SHA1
21828260248280c7a79ef32d058bcc031129e3ae

SHA256
88d33a92f90ab1317a2bd4a48fa632ae29c022287134562a2099034761e3b2ef

SHA512
03879753ace3fc6ae18de8c7926f1c0dfb94ccdfcef5a6361a0dd8cc6301c5a91a15b0eb16edffc4236f839796c85ea3943971403e9f815ee0052de12c1866d9

Download Submit
memory/516-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/516-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/668-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/668-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/668-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/668-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/932-206-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/932-321-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1748-661-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1748-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1836-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1836-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1848-406-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1848-223-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1896-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1896-186-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2460-106-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2460-114-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2460-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2460-126-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2460-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2468-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2468-659-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2740-142-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2740-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2740-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/2740-514-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2740-6-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3248-309-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3248-197-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3428-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3428-657-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3564-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3564-124-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3564-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3564-117-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3788-19-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3788-11-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3788-158-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3788-20-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3976-160-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3976-159-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3976-270-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4000-658-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4000-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4028-652-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4028-248-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4552-660-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4552-329-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4556-150-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4556-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4556-155-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4704-102-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4704-185-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4704-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4704-101-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4916-174-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4916-285-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/5064-267-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/5064-653-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download