2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
Size

1.3MB
MD5

e540269df92e90ebdd4777871e1a4d20
SHA1

2dc0438b93891a73df8bc1ada6a4133d3de0ac48
SHA256

2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03
SHA512

e013dad07e384b28fa024aa20a6f50f7d76a377dd0c8af6cf0972ea54f85786c6ddb9bc4d0e4158112057220274d684b3db7f350f307cc83726062e165ad1f41
SSDEEP

12288:H3C7s+X/hXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:8s+XpsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4532	alg.exe
620	DiagnosticsHub.StandardCollector.Service.exe
4508	fxssvc.exe
3068	elevation_service.exe
2648	elevation_service.exe
3916	maintenanceservice.exe
2560	msdtc.exe
740	OSE.EXE
4704	PerceptionSimulationService.exe
4084	perfhost.exe
2076	locator.exe
2880	SensorDataService.exe
4072	snmptrap.exe
4012	spectrum.exe
4320	ssh-agent.exe
2504	TieringEngineService.exe
1912	AgentService.exe
3680	vds.exe
2244	vssvc.exe
4332	wbengine.exe
116	WmiApSrv.exe
2200	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\locator.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\be27b038ffa85a2e.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da68382a1c11db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b33672b1c11db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058766d2c1c11db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da68382a1c11db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000383d342c1c11db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040f4222a1c11db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000862de32b1c11db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe
620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1196	2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
Token: SeAuditPrivilege	4508	fxssvc.exe
Token: SeRestorePrivilege	2504	TieringEngineService.exe
Token: SeManageVolumePrivilege	2504	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1912	AgentService.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeBackupPrivilege	4332	wbengine.exe
Token: SeRestorePrivilege	4332	wbengine.exe
Token: SeSecurityPrivilege	4332	wbengine.exe
Token: 33	2200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeDebugPrivilege	4532	alg.exe
Token: SeDebugPrivilege	4532	alg.exe
Token: SeDebugPrivilege	4532	alg.exe
Token: SeDebugPrivilege	620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1632	2200	SearchIndexer.exe	109
PID 2200 wrote to memory of 1632	2200	SearchIndexer.exe	109
PID 2200 wrote to memory of 1708	2200	SearchIndexer.exe	110
PID 2200 wrote to memory of 1708	2200	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe
"C:\Users\Admin\AppData\Local\Temp\2aa676aaccac9ec5070dd297d53a48f331b34d06a8e73f7c9a05b3551c7a5f03N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3264

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0e9625c090d2be7a71f867c6faa85384

SHA1
16beaad76eb1c2e72758ccb8d23ce8aebe6abb5c

SHA256
08ac6e9a85780d99279cdbd6d2556b614c3a0436f31c09be18ed9f61fc7438e7

SHA512
af4e181fafc067cdfc92b47d7d1b367b74678f1fbd738d7c3b2964268482db08acfc51a04b80ff8a60dabe9cda657d15b5033d6e98e05c83da90b7bd70e12240

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
64a622d900f743cf19ad932902d68ab7

SHA1
20953582b6839b2a4d59432509411208add6cd35

SHA256
c8f6c8807fc6628bdd18e359e732f076bfd10a605cada8749390e9362156d813

SHA512
2b75b01eedc46389c5b63832b782d80a17f23bbf973f3a0d28e973407000c329839243cd4e2991b0dadb7873305aeb1ff21d306efe4f0bc40cdfc056430d21e3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
113e097146c052ee2eae80c3de426f74

SHA1
c7a1622f506493eb0adcc37ef0efaac7062da034

SHA256
fe03000c75bd28913bffd585c6a2e86c91f9600012beb2a41e2f2a31a5442098

SHA512
83768443cb210e33b9091285d54107814d367439c3c13e32d46ac0961556d1ecc215fd8d977f6e4342b169f86ecd0e441bcb64fb820d6e39e5d6a94f4f588919

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c10e330318b211781f93e3ad346576e

SHA1
0f26c4761769ce168ad860916a6ea76130537404

SHA256
c301aa619a55b0e2ae2d306f1a8b3328eaf9fe1c85d23c181fa78cb0d496a1af

SHA512
b2c75160ae0067b14b2b3eea449911daf1268b92bf715d5bf37dafa6d3d54e3daaa5fe40aa28a4ba1ad80facbb4c779c75f71adfb4e0531211013e5c5b099eef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e1f7ad605c76f0c29765a7b50ac50657

SHA1
9cd5865e493855cbf7458765ab3e3eb07f3dbc1a

SHA256
90d4b50f6e194fd87e651cc5122de391781be63c0cdcc9615793a2aedc7242b2

SHA512
bb9db4edb9fc9afda91f734734351dd3b9e2283b6c66bdeb8c1072b9531c5fc1915556f3d0f83d3cb1e5be9f8e3c4b0f55f1834146f27ec1e1aa15ca4a4e9e64

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
24365f1f259a1853d4955826e0d5cf41

SHA1
fbadd1d8a2879a4d2d575bdc016a48fb010e06d0

SHA256
6ff7f77b22073358a68c2608ae320a5fb6ede63b612c82bac8cf13062b4cc6d7

SHA512
cfabab64b3bdc8457508bd2741097f9c84b8f524d0ea6d1dba83591f95d14bf63953d7c22c192b4bdee0f8d6d4fa75b9818d22e8233e4aacddb3b33b53c4d767

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
329f8de062fe5c2d857b9bc7e036812d

SHA1
e4b1525e3dcaa3560e89aa5653e49f723c9ff57e

SHA256
b7f947e2296036b128300aefb58daf9c6b068ec74ddad1ff647195ef1d6e4ca1

SHA512
0a2faf72d32f3ea1cd962bd43867b6a1fe84a043c9681098f37c91b92c04f5e4b519c92053edec819b9f7a9462b4e3a227be0134384f41617a6c23b902cd023e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c04e1c87bf81d05b456328c77d839e72

SHA1
1e8d2ee73a8be6884d7f78dc929defb51804f234

SHA256
71634c0c5283e083b5c596d9d6d1139133eb6453e8eddad8c4f5edba911466d6

SHA512
ac78bb7fac64e8f4184d710449b1ac0e138f236d9b7632925766ec18b488b4c2755573854a0cdfc20cfe7b8f7a016f2dd8ce882650de6b5978a0ab9c0b1f2091

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
395573b71f141502c30cea59fb04a953

SHA1
c5434da46b39623cbd63e88e218d4a6be2ec8698

SHA256
9f5407c6d03a98d7508f8db335384da4524407774777c53f659828d11e55dbac

SHA512
8e0763ba227a83ebe46986aaf9ae23be8378e0a72e62ebc2b0b2b9a9e20dbcfa13a9c5f86c43325980b217df30e499338ba339ec8b2b778bf0cc13415ba95ae9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9c3cac7b214560e3ec6ae54e06ec0e8a

SHA1
8fd3b33ea16a656b818278f3695fded8b169247f

SHA256
e3e5332ddca150719ff0feb950fc59d3c1f82db1d1242249bf6b7d2cbaac13d2

SHA512
9385b9ebce97a9595ce9d5b9d6bf2877c8a60a3471d7c4174afca9545da18f68ccc093d0413890149ebb5756ee2c1a299a6224d9d33111af9ac53223017b0b71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9f7a169fa52be5a523c4fa24e6cee1c3

SHA1
bef55679183a2ccf8afd2632466c2b7e759104e6

SHA256
67b738c6b94be4c6b0a694d5768f76b2c2762e872f22abd6924415f536f08664

SHA512
b1c5de85505ab33cb6352a370939a37a563a6e52657f59a4934a3f9e7c7685b88263064cb00893c8b996ebf59f679026faa1b5de3b626969021c80501725d39b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
86d8d97e74a7817bb2eb9874784fb040

SHA1
f928ea4cde4aa17e58720600f702893027e1d2a4

SHA256
09e6f0e03b947879f94ec8c41bf5c694285fc06c52120fe11db2b9b8d1b1dc98

SHA512
663aae53b17cb0ccc15ea1619a7be30a31ca0c0966913ab4674833dcfdd0c9768d32b7e625546c2a323ea964203f0ea59e729210413dd7bcb53f9d0aecb6b41d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1d56a8a2f228d794d2a2db6ea7c131be

SHA1
41a3154a80a441402558c10a172e5a1221570443

SHA256
16e31c7c2cf2e47e9cb44a90f30f1e2bda4b79b01cfd774b7e384128d31423a7

SHA512
435f8301f816eb1cf2e745a8694b059d8fcfa0e30bd768fadc466819eb8a348afbc07dc76a77d7039f78cd656e41243beac679702aa58e2d8cc4da1942fea82e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
254e8ce0ee7c5be6da720516715faf23

SHA1
25f853cf39c4ab80926721ae30223bd2a4f774df

SHA256
cfe9a30985263ab3660c2629b9b2816f7bccae69e3607b54132b5b92b2a1633d

SHA512
2cc6fdd7e298fb2b561f7c8be4bf660926e8f16b9ec38b76402a856f8eb145be738c296ef52a74e9b035939cad06dfc210610703f4f4c428b38a96f54a267185

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c10ad6778f4153a5d673e5f792fd1dfd

SHA1
431af61f0a2a39a44793a261a41be635bb9b37ab

SHA256
dcc95ba1f09b3f160fdd6742f84da2cea5dfad5ed64368dc3b53a524c619f178

SHA512
02fcaf371b4526070507b0704fd48be58f2691f3f6beb89539c635a4536edd7860dd23c2e63670252bbb16456c859920a28b1d68b7a5097217cc8a1526b24c52

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
28d0fe4fd2b6c06b69f09f637b30002c

SHA1
ddf5723ca8816f8553b79887b73a86897c239431

SHA256
822c8db939a658375ee3c18d0d4871463faa208f793179ee4bbc0aa912f998bd

SHA512
2b0905bb61545e13b880a341aef220a5938df1db767abd4c984b09bac10367827b299eca2eea0cefea3b91f54b5013eca6fb427a1bff7b83108b6686255aa389

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3df86b5707d6a69149c4cdda770b74a0

SHA1
c4082948af4da233656084111868206ab81c80a0

SHA256
69bcee61a56805bc940eb1bb8c727957595a137124e12a8c9213c257b3c8b50b

SHA512
500433f4f601e82f344a96c66cd1bb9407f02d3886756b8b1a70120bfc22b11a476db84c35bdaf0e8bf7e12e44b98532a8f94b0319d8a5d74c6cebfcf4daa875

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a2bb88821998e27d6743141d2865861c

SHA1
bb3d96900c0f396c2615ed5cfdc3532fcd3e9817

SHA256
9d60746db2c63c9fb1b02c388023c28a794841347d5d54266baa29e3a2ade64b

SHA512
cc40035188167d59330c272fc629d3d97dfacb35b2607722529ae8feeb3d0ef2345cfb24931c652c35556d03eb51ce7e5456612446314339544218359788a374

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d5bcd40e9114131003e0ec2dfc625f2e

SHA1
8df647b3cb11d0d25a62d006b07b6993c871791c

SHA256
acc73d7cc5ac19071bd68d751a2d8d6fdadf3b188fb093bec654dca2d52b4e53

SHA512
44d45ec6a3c1b9d3d1677f3374b378f09c08704b68e37bb1e053c68cecd320657b0bb62d29fd50ffe8651e6e7acb38427006060a3c61a41b45063c86de6e924f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
26362261762c439b14ab02b30298260f

SHA1
0b4160c0520838b4fa3844514a3c608ca5a7bd2a

SHA256
c396cf98d72d950bb3f9b6d4015974d3020ff1a2cd27ff41288901139cc93c1a

SHA512
05c81fce2ad205ae29b9a2c900306aef72bc2cd6cbae7be1aab50adab99ebcd9cbef56ad7c01842d98ef284ee02e680edbf146aeadbe443cb25f6c40e3ebe0a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
3db0a63199577658da7eda7ec5471785

SHA1
1a26990d5f8f96877297cb71516f60e9537cfe02

SHA256
d244a8bfc9cabaf3c9be9a9a3d7360ad8180effe748ae850857e8c26667e2616

SHA512
e74663bfafed1c14b2744f2a67720f5956d03d533b9c1e1f2a669eee8f996f351b5a426fea9c9c89dd5625f0194b7965a772950c554004fbdcae752b29e2fb99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
468252feb0d93b9a4973fcad3d9f90f5

SHA1
da20e0c4b54294c209b7713455d71bd8e4aeb4a8

SHA256
627d62a45a2cc01844bc170e15a0b5168ba0b9d25ee60178e28f35645637ca57

SHA512
de69c8b3225fae25a4c58af73ca0b88f957afe98ae06132c85de2f3a705bce194467133eacdd7ec12e94d4cc97e5895a86fb55293c220f86086e5f4b2b9b1384

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1e11d573150236d1d062550ea3ecec81

SHA1
47cff62e177e6d80394c650af5ec15abd180aa1c

SHA256
7984ff2909d7d01d1378a84d5462272f9ab2af493a5eeef655986e404b2761b4

SHA512
1a17c5d34edb4e747fd4bb21db9e7f6406fb4e0a355c28df420dff89d6ece6d87015bede85d2c9f6746e849111209aa727b1c6ded096f1539df6f0e09fe9083f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e50e7f3bb0b967bbb3504cf44114ed71

SHA1
adac83773b093d8241db14f9bc048ba131fdaa90

SHA256
ab7e49927daf534fe124730f70cd6d8173b7de6912f3566b2a824d03d91e7b4f

SHA512
581dfc2f04f1895c993f0e10fbb5685b807464a6efadff0c6cf6323ed36e6281fb3ec0a785ca63355506adb15d82d5a2ebeb34d3d47d1e142249a5faac1ff833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c21838a80f09831bc44ea5636995c1bc

SHA1
53ecb5ed59e9027e08f4e1e7abaa3a131ae52787

SHA256
a66580ccc74e669fcefb6abb9b69800a8312e70d7135565767f5ad8939fdb615

SHA512
c93196b64c497719b30c3c133655de68336ea5228f1c5f96d24c0dc952243abb1e108390bec1f09682b9f1e9e7f99423ccb12b014965e0a9fd4276a08eb02531

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7f01cae81187eda49498024d96efc873

SHA1
83e61c3dc6aa4dd81eaecbd0eed4720d31b4772a

SHA256
08a8329d48120656527f571269d500f6f9222b73d5db07a40a5d0ad0a2315497

SHA512
f2e0376d39b1fe086ca9d7e8a50ebf113818a820b412a4a1d014c1b5bffa5994e535d5a8c3b3a0a557867032b8109ce3c04163795cd8f324eb2859ef4d3437b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d93fdba065f088a95103d04209378479

SHA1
1adac0b2c449448f678a465d7278304fea8b16df

SHA256
58fc73b4321bb9f51e8294a760f12be5099d346f15d49c446d81d5c7d4759013

SHA512
da22ab58159d2d6a2e1872b5d375b5a2c2190bb2f18a2bd32590dca6e7eda154d9236b2c68aa7ffc66b03813f73a09ce6c134a9701010b53f8e1a6b2a4d14875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2fe9672f5dea497a029cb4c0e12b74e2

SHA1
1a224a15022cefd8e8df069b2849556626275b3f

SHA256
8bd62b9b3fa152c7ded4f56b04ec62bc8123c482fa549c13908718d0f7b58ecb

SHA512
5327b83b9c749912b0614b17feae084f76722cb4eeb45c6eb55d05b025302797d27ae5c14addc399aad1f85aa27f7c2df43ee462774864828175859148e1746a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
27ef1f5e22df4c0587dc9f8b976d51e8

SHA1
82eac1543d0390250a348c7d7ce8819d4a975538

SHA256
4409da3320d4b1edc67de9a21ecd38e11c5eee890bf88e3284566fe0338e9bb2

SHA512
fbb42172d4c948fae0728ea848e6d748b8b027e9cb2cb4399bd5eee2722950f8b3822f6b4cd88e0b4ef2987d4984b3f5a93335b83f6829c18b64f668040f4b27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b621281dfb7be65de1605e3f947cdf5b

SHA1
a537f4d1e8a912ef4c93cd87bad82e754a06a7e8

SHA256
d08b14703e658f5e7a93827d8bf3ad2be0f9a8c349c487da2914c49a7a1d87dd

SHA512
6a0db901a7a321262a712d23ec292651554bd556ca4cc8a720b59da9c87c41f4a8bfcd09af91dfe08e963c8a28b56e4be4e3c154ec49ec2a68eb636f7160bcaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8bc89bedb10abc21671d1ca3f93dba84

SHA1
640931efc80c27fa9fc37fa22ee633c46ebc9269

SHA256
5f9172db9839da1e8007bb8c49293676b6531958830bd3d07bb2c1c7b48912b5

SHA512
3838d981623be67f3a408b4f1415c9bcf4236b36288daffc357b1c02f3b26db221e45ddcdb82e1d84d80119a09635503cda68343b2f7becf7c45cd9d2e812303

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
edc7d47dd4aeb79fdb78472329ba7ea2

SHA1
0646438097a6a33b8374553ce0f5dbfd80eba0d6

SHA256
1e6f9538adc871e8a060458ecb16df8f0956836369636dad062de4a85bdbc961

SHA512
49c1b176f163406e1184be422525eaec245ec7041e9ed504ffcedda216706f381da3e70ee01b345d63e4682f2c1e1e852acf99da9cbccd7db123db2665c34f7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0ccbd756b1b2e69575a2a66c27a05ec7

SHA1
cb8a3c81edd851c5c8184abe74f2df2eefa47178

SHA256
af22b271dd1662dfb461fbe2aedf0421aa7b1ff39086791ad1b86634c1c6de8f

SHA512
bca3914a70474912429e8a326b7967d154261c7461b43e6ea5dc7de25c3c7fe4b91d587a4ef24923e21f0d640707587fa2d253eb205384fa1e8966958dabafaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c76f6d767bef47487d6c619b56e2e0ba

SHA1
16cdc9aebec554f7829316dfb744a3956d24b135

SHA256
2562c176a3fd188d4c7ae6a1710c2ff48f95567c68fb43899c1d586e018c38b7

SHA512
1db0f23427cccc3038ac4ca896500192c1c95b01c6005c132fc3952c579e6ae0193ba5e8192b662184ea793ea32f1ee093347a7d4154cdc58d8aabd77c4e4ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
52afbf1d7dc4fc97c035d65f01069082

SHA1
61e2303e91c9b11c6481cff92f45d5b7207845cd

SHA256
4df4e6d6bf19450d64472ae918a68cbe3a15c5ce37ef5d854eab909c662de2ae

SHA512
dfb9179a28c477d54ce4d72e33659ccfd879dea48e47bae73ea8a8054edabaff6689dae5cf5b646f3e2a2dbfb5483aeed595e6445bbe59b920cad8fff67e4b00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
29349cb07d14b04a505e90836b421bd1

SHA1
ed2ca05fa154ce617710ba2ff4ff737a6bf0266c

SHA256
02f4a2930f5fd442eed807185c72fc0597bc56c08e51bfd9b65b0dab79557054

SHA512
7a5cffda5d0e9cd526b2eac8f4605010a7f5eab8b40db21357fd8185ddd35a13194c4947b1b91a415139b90fa823246e7c69bc23312a5f2baaca075afb6194fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
4e5c950b168f3a6af020588b2010e6bb

SHA1
3654134cd81c5b0376cf92b504877837af8fb3c9

SHA256
b42b3c2bb98f82d093e3af6fc33ce0f2c98a99e544178ab894d679abde83ef3e

SHA512
8168514dd52406741228479219f8a40cc5f5221ece12994b59b3c48a17096fe9c64955f511b494622f6a3f8ce357594d7c3bde21550cd27e2864d2558217b0f8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
155307d38247569a922432136be0e30c

SHA1
0278af8eb35e8af0a8e2251120ce7f7ad99622be

SHA256
b59120c100a33d18257f1ce3e55d40546e0149ba106717f4bb41f12e47a3b0bb

SHA512
76ef0b1638a72541c0158e70ef094dfb60a836821e0a5458af875bab4e3f091c6c05cce2f1baa2a3a7b46c60313d903768f6c375e36e14ef4e6af79bd6851dbb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c7339f563f85c53b68e1ed680e93db98

SHA1
37d8a8158fccea41eb00c51f868fbcb2200c0c64

SHA256
3825ca0d3c1cee05f7cf739877640e00c0f23ac8ccb25725942a9fb0148c69f8

SHA512
0f750d1ec6bd2eb9d320184842f97fec7c2adeda39752c17d570ee3d872fcf041895176f311c33421dd4369a9daf81858bf36a955073929bed2d5e51e4e55a5a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d486ae1041352f8d9301325c7e0a3f43

SHA1
d78940b2d7906a18dededee79bd3796f1366f723

SHA256
8c7a9481dad6828de5fed6f0e5a32e77225d9dad38470aa30a04ee2c48735994

SHA512
c0563c21e33a48b78369bcb98debdffd27e6e8485030235927075e1dcc8b702d481b4c25966995d017dadc60aee55fd2f55d20b66e7e568f6d07230424399480

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
28287e849c4e32acf4dfb143bba3edb2

SHA1
e3b2e0043c1787a62de53522e9faea5b337bb3d0

SHA256
1a72e2c6b58946c3fc48df0ad560eab155e038b4d88d100e9595bb0e9c708855

SHA512
56f96aace8ff7706c613a8e32d8348000f832c25eef1b2e9ce436e9292f5c2bceb14589f97fb96d16c1554d0b57d1c9162d236de95d2d3b65c678fba0f0c1b0f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
053c42c00750dc394eacd25d1fb34e84

SHA1
3914a55438026d708a87989aabaf687c4a6971ff

SHA256
4002b16fc4a127027d1a24f306ed342cec0807bd629c8d3283c7120707e05f07

SHA512
77b97fc63f476ffcfead4be96739e01152f84589d69f4a63f0010453c266ba136d5478c34daf384998e05dec3438fba27c446c61ad217eccdf563f8b1540b10c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
010da65b1c5a70d55f60849d02b2a475

SHA1
f8a4ededb0955f6fcee6dbeb8a99a3ab22739b7f

SHA256
ee1d3953e95a3f883503426bd00b8348c6259ee0f98cc0c716d0c7603c0e4cb3

SHA512
fce94911e10497e89eacb142573014076581438c24a2b5b99f267d5f79ba4300ab458afc18cdb784c943037c77c234ed9a57fe86b098a15b06b75a1b196e1e39

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c7e0c30d0bebb19d9e1666f735992259

SHA1
fbc26854e30d5306b81ad2cead1d7a2cb8617ffe

SHA256
238be57846ee812a63a1bc37e803b40222151f3501649942885157c2e6e3551e

SHA512
dc155854721b74146f5ecf93c61bd4ddba5e45e7d90e5c603329b58a6344390e16daba8a0fcdb47a8ecb2426d38b2a3cbf9f2ada847fa8cd557d411f465fe0f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6e67cb0507fa16fe42eb085f793886df

SHA1
6ff0c584c4cf5fd83af42b1e5be702edcb3c9161

SHA256
220e65ceb790b4b096b02f45f3b8e874eab39bf57dc2621b4ca55a65f717fce0

SHA512
72c51d08fa46bc4ad77ad9cfe5cee068fe73ca408ba0d3479d4b6d825d85ead52afd8de05e7c5d6e8f1fbfec6fca3b330102e89da5a85389abc0e2c4ae681edc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cb4408c1d172c066867829c95e68a25c

SHA1
15dd5d86d2dbb4e8ec891c3c69ab1df95af87430

SHA256
be808f3aca8ed4e8b0a5a5e3159b2b5134ccea39044d4c67a91daaf0c8be8de0

SHA512
fd3cf7a7e7224fc8eda9e3f4c5322c5078f0554e49a88f9f9b971366a85e35171c705cb9a7872e27759777897b1b1ea75c9a48dc0b277f7ec071206164772891

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f6a3d546ee64c6ebec7f5ed542ae011

SHA1
75e730b29e8576e5e03d3d827288781411b5d163

SHA256
61e1b90bebc1e7dba3e6e69f0365280d1cb838f08d3fa00e07ae3cbf4a7060ff

SHA512
1e548e1ab9e59a62c65aaae624638bd430746266cbcc9bb87a7d0e400c303f75829edd3aadf5204d2f302fc95d560380850e9d54490c22306c1c2c6b1b0f9901

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8cbe2e95cf46a9351066ac618e59287a

SHA1
9d87f37472806827391a6a430e8c3d71a0c284f3

SHA256
7b72dd68418513574f6ebd3462af0e78bd94959d31fc50ebb875e8220a059266

SHA512
49445c15acf1eebfd9a2c4c0cc9ec86857530424e3589822300ba971871f779e7e5775ea62852ef18f24a118d1d69c2c621748019396d352808678cfb7ee3aee

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d051556ba30435805a207a83012760d

SHA1
1f3094d36652df822169ac2be6c44f00b693fd06

SHA256
ef9c11a36d7418e28c9bdb6a9173f4127e78d4beebdfc36ab6256aa67e93fbf1

SHA512
4f8106389d70207cc85a2628cfa02a0313069c8b502bd092b8c0b1eddbf649f921459c10a29515bcdf912db5761abdaf95900ef8706b8af4d8fe1e2a25962985

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e7a3ba8e3fce54a614b74df4703153d8

SHA1
eded035b22bdcdc38761c649a4660ba21a21dfdc

SHA256
df7465d1a68450b06bf9f9fa8c5b8310f9445e26db6230074f9f0eda15010f78

SHA512
33d9cd4007566a1036984074a673b8dfbff36c97e0d7a88a90282dfee2dfc56afa1b94d452ecd35df596d4c0744d988ffaba92058dc75fcc26b0afea2c43ad81

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3e03f71d48a3d239c96ca7011b819ca9

SHA1
c825440cd6d88f93e4fd616d3f817a9edd630e9e

SHA256
a505378476e71efa5fa0fc964fc2bce06b7f583319a347fb4dc9581847b94152

SHA512
2bf8123fda8f9d1ab498722d4c147378d8c5c24527460ebee0fa563db7c223cd6be729ac7f56ed9a14462dd5a531520496ef124561db7a1b4ae59e1ca490736d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
492acd782f024a28124eb7a654e49320

SHA1
23c881bbca0fa8e2aa7f99d3a8e0cd2a5839cb2f

SHA256
eb73684b2fe473332cdb8598972a13aada7fc7ce64950813578713e32066c641

SHA512
2c54e3c9c0c82c62d07f262ef61e459b5fb6c33304ed95228331b7781a47c0768274a367ac1feb6b83618f80c2c2f3363390575f51e4e5a493da976702a05310

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
60462d3a1d046b024f2497325de0afbc

SHA1
f81a0049600cd0d9047ef2f25e6e25cd85ca03be

SHA256
1823f62ca97fa9ac92901efbc4aa5b81b6e43e78d1c0781aa0f9fa4af22ed8e9

SHA512
e5b4b19a85d16c4540038837f2bbc4e27044b52538f80d50b007242263ad87431565ac43c235621a2d51d78e39d2e3e13508820ca2397b6bdb739c4bb0f87d9c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4e1adb28aea195d79ed6f6095bbab405

SHA1
35c349c6e7852667100fe95be50c704b189929ce

SHA256
8e57704ab940843ae040255af91e018eec210ef4d1c9a40f22988228ad94f338

SHA512
47225f2ae0832746b336e3213e2d5092936b1556afbfb76f682788484411f3dc8f29e507cbf7b269342748428e084a5a4108c8a4a0a29db875157f59b190dfc7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b7e900ef8ab30f4ba10ed865838f319

SHA1
ee459f834fd102dbdc82de91b1f295b7fd0ab4d0

SHA256
2d5d5a01466074133a11e551ff235f1c1e659b2833b038d3cdd5fce5cbe67305

SHA512
bbebc82aec5deb6aa186bd903fe145b65ce28205dcb1bbc9873f13e3c861845e0c1a6e03db6aac3b3dc1fea5c8ec8cb6b9ce380036c3c0e5927984a7ff14546f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2f3d6dfcc6f3c2fc9622aae466d4d6c4

SHA1
555c3d7de5e096435165bc45e91410392676dbb1

SHA256
184f757cf845badde9b74f2dd906e77f662bbeccf40ce68284b2a2bba196dade

SHA512
ceda5139bdacf0a5a705d489172a368e8181aaa3ffeb599432ca288517a5d9dd9b1b4c25f5f986ef57f5d2bc4f950de7fe420b3baa38929a1f224a00c897d993

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f1cf261c37522d82356609a46e6855a8

SHA1
54cc85a38f862ec04cc0ad7777e15e166244d3aa

SHA256
4600788f0590019c4e05ab0e37ed2403941fdfbc1500580e96f138b04c6a94da

SHA512
54ce2aa78e31039c96cbf60e7edd54b2ea7d09695c1f0206bdea6474f9fa75be5b5b1fab7ad9f359757724960d35ff245e50c9484db987b586aab4c5c66af6fa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fcd33d3e6710cbc4189fb402c000a6a8

SHA1
cc180bd11b79f2fb07989518727399e3b932906a

SHA256
e5610e066a0fd5d9961db18b8dabccb9378b4089784e8804578ff87bf622cea9

SHA512
33e92ab78aaf558028d0746d7dea3f4272f2a39eb4845929500ac294723885158444b5001ac47ce7b2cf12f90cf6baddee151550165aefde1b7ed0099862088c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
dd637e1dcf1e423fb4fb01f8e9c6edbf

SHA1
a31021033fa3f3585cdbf43b92a9a29844230028

SHA256
1c5c3e57f234bea7a730abcfc695af3033dc418731be84f8a2b39b51551fc788

SHA512
64db7b2a60e5920601982163d5755a62f6cc0f00250ca2a127370e93d0d06c9dcdb2856615a8c024d3fd6e74ef16c461ea362a4d5c56c51511b1e1afc9281570

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
40fa35900d965d3355e530883e1f6bf4

SHA1
a92df36b53059dec6c2d3586244501f82d4a2f96

SHA256
140dd51d1fd1a11da8cde16818c90aed8f17e22504375bf4a1f51ddafe9fc263

SHA512
ed7fa193aaa1c75d72686ce1c6be69854ee38f89dac18897e2224ec8b09e3b5cda39722fd5ddf3af93cf5c17b40b2a009c3add90344c4c1aa9cc350f0325a173

Download Submit
memory/116-586-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/116-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/620-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/620-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/620-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/620-131-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/740-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/740-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1196-7-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/1196-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1196-89-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1196-6-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/1196-1-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/1196-372-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1912-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1912-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2076-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2076-132-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2200-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2200-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2244-584-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2244-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2504-474-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2504-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2560-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2560-202-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2560-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2648-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2648-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2648-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2648-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2880-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2880-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2880-581-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3068-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3068-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3068-52-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3068-58-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3680-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3680-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3916-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3916-74-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3916-85-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3916-81-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3916-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4012-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4012-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4072-337-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4072-155-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4084-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4084-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4320-430-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4320-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4332-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4332-585-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4508-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4508-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4508-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4508-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4508-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4532-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4532-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4532-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4532-110-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4704-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4704-122-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download