4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
Size

1.6MB
MD5

d0a3c6b113b5d14c133ed1a2ad57cc67
SHA1

64bc22486a0a42150e7bbf7cdb80fc9236ebf130
SHA256

4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20
SHA512

a3023b2c9bc2e64e79fe28540e67cffa9db71f61264244539790ed7b27a6f2bcab0fadfbb9970a2f87a1fb4f38d66534d733dd2b631471534799970b426c5c70
SSDEEP

24576:22XPYXKNix826VDebc46vVa4eZwq86QAhhUkXuMDtz6BlgF:3YXGUQVDebcFvVa4eZw6QAhukeMJz66F

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3832	alg.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1444	fxssvc.exe
4384	elevation_service.exe
2692	elevation_service.exe
112	maintenanceservice.exe
3768	msdtc.exe
1700	OSE.EXE
4000	PerceptionSimulationService.exe
972	perfhost.exe
1988	locator.exe
1304	SensorDataService.exe
3512	snmptrap.exe
4356	spectrum.exe
2984	ssh-agent.exe
1732	TieringEngineService.exe
3608	AgentService.exe
3940	vds.exe
1768	vssvc.exe
2964	wbengine.exe
1452	WmiApSrv.exe
1000	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\locator.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\System32\vds.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4ebeffd3e5a029dd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d340188fa3adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005799e88fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000196cb589fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e87ec889fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051c9528afa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7424688fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdbcfe87fa3adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
4384	elevation_service.exe
4384	elevation_service.exe
4384	elevation_service.exe
4384	elevation_service.exe
4384	elevation_service.exe
4384	elevation_service.exe
4384	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4660	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
Token: SeAuditPrivilege	1444	fxssvc.exe
Token: SeRestorePrivilege	1732	TieringEngineService.exe
Token: SeManageVolumePrivilege	1732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3608	AgentService.exe
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeBackupPrivilege	2964	wbengine.exe
Token: SeRestorePrivilege	2964	wbengine.exe
Token: SeSecurityPrivilege	2964	wbengine.exe
Token: 33	1000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1000	SearchIndexer.exe
Token: SeDebugPrivilege	1044	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4384	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4660	4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2996	1000	SearchIndexer.exe	112
PID 1000 wrote to memory of 2996	1000	SearchIndexer.exe	112
PID 1000 wrote to memory of 1504	1000	SearchIndexer.exe	113
PID 1000 wrote to memory of 1504	1000	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe
"C:\Users\Admin\AppData\Local\Temp\4b8c442b1837e1e77eda64be3ba380f45854602c69b5d4c451d086b63dad1e20.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4172

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9e07c439f2488692efd113362a8522ef

SHA1
e5910b252b78703547fe2b84b374b828719c4414

SHA256
8192352009d572fc6b2ef39e514807b354f1799a6bdab393ec3d3ab03710ca75

SHA512
84516135fbc46c9c9ecf82fe5ef0da1d446d2aaddfcfa3551c2d346ea37c4db268f72e56a59a5fc75bf035e5773a4404c76961e56430a1f631fd6694dd631bae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1709994e9da3c9abcce1529e2a04b729

SHA1
179b68b6c59adfc74e5c230c892689bab4f3dfbc

SHA256
6d478ae3cd7f799be6b0d9f678fd3f0b6d1621a77ed2e65b9fe0b922a6d3a989

SHA512
3b489f9a32507b3c2d5537228dd0370e72dcaaedc7c3725608b90e29818cc9e02207e44f6de723604fd142709c202e0a9b40465da013e02a782d7b574cf3a207

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7a3a4ec3c436a3a0ae36dcedaa4fe0e6

SHA1
81667982b6d4b7d65807e55fdde86608636e5320

SHA256
e7d5fab4fa1c8e2ecd082ff4242d045703b4db19a2a36401941e924140d1acd0

SHA512
6744890cc773b32ed997e69c1ec2809db330debc521b7c9644841f8ce2aacde063e4ed8060e2d640ee056d7f7425164e48f36c7b4dee352217244fff1a26fffb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
96c544118d38d9c01f04bf876f79324f

SHA1
5f40f42dc2c1a1c6fd12f1ae9b6fd01a9633ccca

SHA256
0436c30ce91055bb0b269a68da3541d0f716a2f8f3e87f5a99060599e8e1778a

SHA512
ccd135408843c8847a500d10e40cf4019b171d49f8700d2fe254af6623ed18179b2b4245aa4d8b3483ad57141006e36bcac2701be5d63bf88ac19f757949925d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6087aeb00451b9cbea2a2305d7be0cdc

SHA1
9c81d56f274eff07f902cdea0e01012d73338a20

SHA256
62b399ae4d068ddca1be7a5b7d5dec29c00a381d56b914988c245bebc42e3fd1

SHA512
72b1f3a3717e57a45cbb620a07a95f3d075023207f4294774a34fbca2d084c03ce0845f5bdfd63ce92a2ca879cfa0421d90ec15cc8781fc0f0b6b3745e8194c2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8b26a0c537a58f43e24c60c351bfcaf5

SHA1
13de5450ee8b23b146bb2312b802659d9a17a4d5

SHA256
bbc22aa7fe1da5655da0b5cedb6548006f87b14840a2525d9df082fd89403c31

SHA512
add4c37be70774cdb549f299dcb752e091a6dc725b29b1adb7f10485112d74449b3d82e74f86c719815981b78eb03530e992994c86f72f6029eb4882f69cbe92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
426ab95933324f7bd8ae4d0a8bb06876

SHA1
27c1687c0e09f2965a4fb9e16235af839383effe

SHA256
78dc18a6d0d4f7bc3a8e60df857986394a57367679b41030dc877eb5d79c6c1c

SHA512
d791c00dad6b86b76a649d30c54c30199d173a612fd7e435bae5f9be6fcea29315000f84b5282944fba7196972c312bed18baaefbfcdd9295f7bee536e2f1dcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
156b1ecb90352ebde706a24131670c95

SHA1
4f4397b76dab8d28386fd6a682973d273cd94ea9

SHA256
a676baf41da525e0e087de0d2adb5906ffea33863af4c10167f7050054111b0b

SHA512
3cab43eb6252a0a896d64d7db926c220d94abeb68b2c80b9dceec2f3bdca559cc4d0977e623423fb15a658925d886d5a0a23b2491b2c2b63a623d6396a16b276

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
573d28e36081f8543dfa25a8c93d8631

SHA1
287be433c80f5bfba2448cdedd7f141ee18ef7b8

SHA256
2f44b085138512941bdb767bb921cbd92f705d47a0fc9998dfa06769d0d1069d

SHA512
7476a6e5e93f30fedc410d26e3c804b04dc098815b13e8a5181229d21ff3eabf562961b4b1e62f977fe16a07171713baf970fe26316980c748da7bb8c1b0b442

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ae28a4e73e1c9dca58a282bbbf03a8ff

SHA1
8de6c17d67687cbf20dd667e3239ab8007cacdd1

SHA256
ac01db95a9f65a74c13775026e526646ef45193e1e2f3c7629d7b6d669695c78

SHA512
277086da518a1c03b1103bfce4bf842ac7bd6619e20ec4a2ca3f3f96b76b3e790cfd182f53be24dddf8d104ead257e2de9aa578e145f04cd2e51d08f2e939a01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
15a461a6668fd128b85ad180d85b2a0f

SHA1
2f7aa93b76f11bf0b0575e4aa0da46ee75d8ae8b

SHA256
d178d259538a0eaaa8c26aca29f498fd0c54069bcd9bb1941fcc1040bd436931

SHA512
5340b7cfc8ea7ccb54c7a62a3e474c8ea3471ab66326e29aad299579356a979331cfc44c559c83ed6b482489cf9bb53f9fe6c5f786b7d3c26d54ea5b682b1af2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
789b891a814247609bc10a6df5689795

SHA1
d09687d4bb4c691af75a6d1b88d0d1282af9a3f9

SHA256
be28475d920c6124f1480c59520c5bc4866d81f626645f3b1c8eb72abfaf661d

SHA512
55f3a1272b79d19b572aa9eabf182c6b2b4dc88a3da6cb6223bc727e00a6020a9a657b75f638c99ff85ccdc63ad4514a8737c57ed5e1fdd6538e4077359f5c40

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
041f8b628d26aed342109e640cba5a6c

SHA1
82c86f4de3a7d2d412219000a7f5edf893d2170e

SHA256
6c0c273b653bd139786ed6957185f2eb1954695da446522653f1497de01c027b

SHA512
5c4df8656b3bf6c23d87052b6ff31d297c6c696227deb5e572eecd7edbe761e9ec5e526bcec029af251e922553b7a0fc20951476f7ee005c6fef63cd85f9f7eb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
734616a2a8e509b333f738d8c50d8482

SHA1
85bcd634c2a14a375db813e5f2201485f233f92d

SHA256
4868ae9f3753ee71e474eecfe9145a5d5c8746f8a650cf26e7e61c6a0f99dcfb

SHA512
aed484ff2eb8c93cb66e59dc67ae8d30908926be8c3fc090b21e484a4d351ceb374358eb6a4aa178afd42aecf1fab739d8c56c479393fd338acb61c7ec3ae2b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
aa1408007b0e4c3ab096b1d5baeb2525

SHA1
69d9fc8c0252a4c58357af2f7c6e607b01cf222c

SHA256
88723d3328e9bdb059f1d9fc1a729b139ea10a180eaf5bb92e7968ad3547a54d

SHA512
f55a1d4404bfdec1e89caeeca56a9b24317db199ca71c11927d06cbb7db0142c6d61a81d3eada37e16ac8506a253650e838dc97c93c4e11c0178aad833dc0be1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d4119acd5e6b500c9851b5068f88b304

SHA1
f3c497f164ac9182bcfc2574fba6c02dd1295040

SHA256
1039f50f5736f3fb031d4f7b1c433bd339e16fde0f46975fd3775cafca95fad9

SHA512
4dc9ba5d8c7bfbbfc28107dfcd9446ec180fcc52a685d6be9bf5e5b3eae529047eb4dab19ba60bb2a1cbc8c98902d7e7117d36d4afb8d762ebae2a6fff3095a4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7dcbcfa29fe111b2f5646060d783af77

SHA1
480e3cb71207ee2473c05229085c3f901efff733

SHA256
bdd702c2d48329804ff424edeeae8bbff6d41ff69c5077555224840ebfe088c0

SHA512
662cbcdd54b7058b5c62b94cc7d886a3fc5ec07b1198a7b80ffe14d1f99e7099cc24944c845b655072202546617ad1ca55524debbc228f9ece56c13032174614

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e28901e498ac59e017c606a14e4f9688

SHA1
ba9005e5c2f9cfc290b0623f41bb26f43d31afd7

SHA256
38b1d31ae380265f1c8f44062cb41d546d6057ebd1732d001d07326ccdd32849

SHA512
1c6e804a4205d20afd329d6338c70066732a5e3aedfb0b5a3a12af2ef5ef236f74345b77c5523e9fc2762dc6d2f6b63d4f04b461c8a746c240db7c322f026477

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1969d8c0f057013850542001e5ee528b

SHA1
696f5a1b1b67c586a37567ace0cafaae3a84fd29

SHA256
d4844035c5a48ec934f7c33ca28288a912b41e99f5052923c6c4b67c454f1cb1

SHA512
240802cabad63412f0e0d8409f32643227f62681a0702c96ba1d9cbe3469ef2048f9826d0369d40549a04f844890a47c7d8d1954fa9fea7aa90774ab38cae463

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
52c55c885fcd953d560b047a23db8592

SHA1
07f1c6ebee5643f01d25981c1a49fd950f21f69b

SHA256
a8dafe5858f8a0ff1d5bd91edd3202169dd414fab8c60dbafae671ad420afff5

SHA512
94bd5f45a2de66eefd0f7860ce436f113d30f58b5f9bfb00a63a7d8f8d5120c87d91e516e3b6c912a3b2a4f2720162f6cc46202c433aefb2270ec85194ec4809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
89140844bcfca415e9d838976663cc6d

SHA1
7c39abf9eeba24ebe00c2994c8778a586b9577db

SHA256
1d357d2f2da7f10a507250540ee27f5f94dc57706af50816e0b27888ffcf2c6f

SHA512
d49e331147ce7aa02365bf10e3e0feb46bf1cb5338be9a648527dabe85aeb5cde8bcfe2636779b6303bc11d89f6dec1a959d10efdf19c52f6bc3ef8566037783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d047a4f54c6973d591f0eb1abbf75b1b

SHA1
4c733a34d9763e3c173e4205c382ab663ea95003

SHA256
e0d5088c136339e5b41096130ee8a24f0d8b4a79a9ab16e762c6f776bed63862

SHA512
8ebf245fc4bbdfa9f5fa2fba620f848650f988a656df9aab34f4e72d53c999d4f01020bebe862de0a58c20f6be403b9b176fd4dd5973007bd3b6521367c8bde4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
34774ad3db553c07910143309341d6b9

SHA1
6cf747d7744146b07dc382525d89adc6a9a1cdf6

SHA256
2b3ac02140a6ba13078dbb9659440bf4fe7b75b3cadaffddb10a0d17fcb7f086

SHA512
ce7542475cc4055354eb083b82285c312a8a87f0b79c60eeac218a72ac7deee07cbd7c8356e156a18586e6f6f69c7bc23761710014e265811d32b350cd0f3b7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
b05e1b8b692d9a3dfe4d359ff769da30

SHA1
0e79de5789ede2c1e66b2987fd51607f8cd2aab8

SHA256
ce7406cb75e3348ad4f11d0b8329b6bddec90ca7f8393cfe719877f9a37e5baf

SHA512
606e3aafaf3a06d61562f9e4347097c70f12cc01f4ba00833b84c5250c09505b74520d7d8852b6a12ede22e4d1753d262ac71f349630dc01e9df619e84075053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b0eb252aacc6cd0199a9d18cbec629e6

SHA1
edd8d7dab66af0a1ce949e90383767839b1859f1

SHA256
7199aa63f43c5c917efe92d5e6f97a1d07c31ef913abf4a9518a98f16652592e

SHA512
8db5421dc31d8bd6c88b834fed8cbf9796fa576198371076a189b32f15963ed0d8631ee7222b667f611b2fcfc29ea1dbe976939ff3814a905be6de5acac71298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9529839397b15640de0a4c98eecf02d8

SHA1
9ebaa026de87035e3ec43fda52a1333814c29776

SHA256
975d306e5193d07689267ac0e0acc41a4c021fb71a6f52a82cb3e89b2062c8c3

SHA512
7e2c9e7b6d30ed7bc70838fe7e972ecfa11bd4c39c78ed0ee4ba008802de6710f6b2340747aea7edb70321cba381b1c2760dd71547ddb02e316ce1fbbb3165c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2cdf08cd5ab5c6aaf969777ac013399b

SHA1
73be8f547630e89750cf3f154cb462039c5b8a1f

SHA256
8e9e25baa75e6a4e7009dbe018da7cb4f288425da0de152e5d9e4b2b03207fff

SHA512
9274d6551b86e6cdde0f43acfbc6d2514bd834bd24e0119a1e16e86d8e493646d14f5420cca41462ce4b2b3d56f552ee28d3407a4a5f5a81e763714b11f270fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
cc54f44b7cf845fdbcc140867e72ff84

SHA1
43e80ba385d22614eae2f30a6c2ab1924f59d2dd

SHA256
0508cf8ffe23d73565aa585a6d4edf3be1adcb70153bd0e708f923e9ef008a42

SHA512
d7c41a9954c56880a77103433849351d77e80790cb1c2fbcef672f1d5fb3c02d88a8a05dbe876c5582b8e86c522ce73238d718875798014d155071570ba58d08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8b2383b9154dc1cff3a9b6b49d421c67

SHA1
42b7f8f1ba6728b17540af77e260fd13ddbb7d02

SHA256
d49839138493afa88ca06767b35f31597af3de1da175c925df16549d979b0bf4

SHA512
79e51f059fecb484228279eb1643a1a267db0d5344cc8f4cafad492c8f5c325ed7a31377a48bdece3adc7b3e9bfa161912223be679a91ddd033c0eb8dfd198bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
2c23a51e0724100f95af7189e8c91f13

SHA1
e4f9efa941569c3c257e87139650cdf9d183a33e

SHA256
969f362f3b8c4321669c993b95706458ec5e4320e3ef52c85378656db6ce90fb

SHA512
ead93094d4fbe4e146878ce28392ee418e15f53d821d0a0e37d0771154f1d5f417c9e4173ab11fab2c6f7c61ee06b3095cb2bcbbad6aa5889b8413c2f7e45d63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
78407b413dcadacde19b19b87d5b55ca

SHA1
67ff9e94634058d18a9603559a97a28dcef60318

SHA256
8259e07ded373dddf5ed38748e0f98364f9c0fa77277523852442a9a0475d9a7

SHA512
aadc0d55d20835df669932b385ee72e13fcdea8100267eaf3c08948e417a807713d6b51bf3199b1acf7ade4dba0cc3d5f925351cf148c8b52b2dec8a35a88698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a74cd3b2eb5151ebdff4d6d71b5ee9f8

SHA1
694a8c3c1c35978c0be144bd9702115056ce752c

SHA256
fa3b70a56d851899927fbd42881a0e5f250bc48b576faa5e2c9f62cbae197520

SHA512
9cc7290419f68f72e466e88d78b71adef486926cb94f6d646a2e57da18dc0500dc3d63a39e42b37e04520c3ba3a0949d2edc1383bedd0be046f1d1bca6520616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
4aa33f5562c91c236efa13fd3b253cb9

SHA1
91baaf95c6678cd88dea37f7203121eae3d162b5

SHA256
b90136a70f3ce2d1f4a0f67b2151fd4e6d7bcbab93065c68fe6c2b7bdd76097b

SHA512
cb443921db89ea981cd48720148db8a0c10854e193c8a3a9bfc7d6984c23b0c8cc17a79af712857dee5a2bb62116dad1b08ac6bf6d32879dcd7e01cfc61b44bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
75efe6b3cec778d5f31a95b7226b2b51

SHA1
5da5e6ee39e9d73b890643744b49b2b11064f036

SHA256
a0ad168124ba5ac56800e35e0e4217524d72fa5e57b7eb9ddf18179f26ceaf3e

SHA512
74b34ec8e5eec2b5ca2e4003075593a4268906a192b0a19eb114ac3cf85e53fad4fb3c5fe552d84fb6b642e0eabacf59c7939dd3735ee2ddb4dd9a8fa0a1bc2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
fe4aadb7c8a538bc03192f85792730a8

SHA1
c605469e7d6aa071e87be4d3d182d340f4f55c7d

SHA256
9a290d80bc78caee4cb6360a0a32f9a36b2e82e610fb0be263f25d0f6c88b2a1

SHA512
78b1100e06a4d5bc44410e678d2e703dcecfdadc6e45efb3a007753016b6facb8e2b52cf0dcf61e9d73c9e1c0b624a0454a1966f349191ea0ed9de31d53337ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
7ee53cf52c3a2869953ba127341152fc

SHA1
20bc56f9dd866f92aee52441c476cfb9fd2eb5c6

SHA256
82dfd6eb597c965976fa1e3de27910473eaf4f9286d742eb3ec2594c8da638a3

SHA512
b1b1b59fc5652f49d0c0afc5ac4c1d1871e1eee4615b11012a457b2a5fef1102de2b0866f914477bb27f0c048a0039f8d4b4a5de66af7a0dbe8d7d9d571455ca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e65f7da85495995c71f297215790cf1c

SHA1
19ca3e8ac31a0e4d3c99f98af5f52884426d1518

SHA256
38e6c46371427260a214fb9dfe3a378261236e49cd7f0c0d897f755cfa69b49d

SHA512
9a0c771936bb48e1e07725efb3c2c339905d62b0e33142fa01ec6033cdcaa4ba2950c4c6adab743138a6420828a8b57545d55215fecfc8d25b390efa9fae3e69

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
fc62139ba7024807e292d21e69645708

SHA1
e60644ccda206914a241dae3d877719c5f342a6e

SHA256
c7ab557e83a7c000abf09ca42631256764fe77947cdc3856a9f20aa1ed1202d7

SHA512
1977cc2ef9c0dc8c612a5f0426897ac4db656f54ccff7bfff03782449471ecdd92c4f929de7e2eb390dfedce59f8349adaa6374c103bdb4c1318ba8c58c7f140

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3370289ccf90bd43e5cca8807c528a23

SHA1
acb4e0f4e2d80b5855c89600120caed34dad8a82

SHA256
48f8bfa5ac05ec321d582407bb77abea1e9c45a147c850c2b39230e0c33edbb1

SHA512
5a69288979997aeb79ee9211a6bf86ea7affbba6f44e41e39360b78ea45fa3cb584e45b8aac08e5850f9590fb8f9e8d1f9dccf06038a52ad0fe81bfd8ad656e8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc9455cc9c67aa628ed3e6832bc941cf

SHA1
6eef1a41d6be834568d1338c2a4b1fdbe8145e52

SHA256
636cd14304d8a9b7014732d4503d9432429af0ba753c30825b564bbf077cef66

SHA512
8bc987b64fa978e14f0a5d92d0f55f13267bc6c88775a7a8d7a74dd279a4d0dbfd379b219cf0b07f13ed77101d4df62b47e0bd7f1d6a533c92958a7c49029fa9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9f2aa57b76be12c5c20b0e446a65b5b3

SHA1
14543b5e6821be02b95ec6137ab266ec681000ee

SHA256
8e22c54851d2f4d006e8610cb234dfb7c0cb598cf2c63203d0a1f1a90747432e

SHA512
9e2d577b816f08fa028861a9a14174e8b65ea45f3729214632d1e6ea03afa0940c74a5b65d357e5c58275d962a5ec3eb92fdaea398b36ecb341dc9ff14aa604c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68dbe8b60e591fbf74e7c6d833f0b98b

SHA1
e777bbf3b4710aa3b3415c71baa17296486c5a5e

SHA256
a61fd4093e291678f9827515b0494c009da216d12b29c23a1c78bb4f0f98a9cf

SHA512
0756a3030315c34578c4836412c6a5c5f038598315bf87b3f70d4aa507097eccde192ed2ef940e5f81dc577703d51150c01068c0f3756b13172b75d7fb7f955e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a9f8e05f199340493d8a4756bb7da995

SHA1
223f0aecbb40fda1db59972d72cd1b31b72ab97f

SHA256
dfbf705c674f3c83955c90261c0d1e3c8206c56b81f1b9feecea25454f2dac84

SHA512
74ea8cb091789d90d7691b1877fb14387b60da61552b1e40c53f8d77b966ae906fea3803e832cb9560fb6f1d2407ccc7b917510de8b4fabad58a10df7c56d145

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
badc693d2e39add1fdcc9ab2bdd2f64b

SHA1
95b59c794bd1b16f71379318d8cf44ad0b5dd01c

SHA256
53a9b8812ffaf3d8854c811d83a19e8d3f6e1fa9cce6db858ed823375a81003f

SHA512
7f0825bec8333be6ec88c5c4823607c134bf196d31b845fb88c618a3720b549a150372b8639203df0907bd6149d76844f1b96fcfba5374b227a26d83e8d0c2f3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
36d0fd94f5b759d126230499ec99b233

SHA1
2abbe479cf61f711b2fd9b95f14c5ff62d011359

SHA256
4039945c018999bf32e6bf0f08d756172edf10717d8b109fe8a404268466f542

SHA512
5462cd403d99d808817219bcdc4889fbaff83e2663a651da3dc58d9bd9c09cb10d3f04cd139dcdd45e7e32b8bbf6c0df9aa41b03eddd7dcbeee0cb42ea8be505

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cbb51ab4ff5514be4878f6bd12a3e1db

SHA1
019931f385030bf2818656473e07383ca61f714b

SHA256
02ec5559baf9f8b41de4cd3e747f1c77bd0e6d034f4392f109286576565bbf51

SHA512
e7b7a00514d5db9ebd66234fe467ad139ac3b0e7edde61638d9abc517a8f58df2f3a680f494cd761fbb2c27b866ea80afa5534d5c31f2866a6e97d390c857d4c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
53c66addc439b12e7f20b528e66805ef

SHA1
aeecc9e2787bf0fb96c019700d463d1a989eeeab

SHA256
eef126bd9ec33f03572967e3d42e060d875928dcb5552c1960f4be1d9fffd6a1

SHA512
96df7500d860d089652b988b595350359cfef7c252beb9cd807988564d8b9d1284685fba7e5a74e9d11d17c341bcdea4d13e7cea975f31b3c585d62f86031cc6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6ad7d18c8a729e98641df9b70e13707d

SHA1
b87d9b9ad49672d30d3ca41a75f263590434a898

SHA256
9dd59e4449dbdb089738d21123d324d501de484be7e1c237c656cc87d36261da

SHA512
d3201f8df087954a6bb1545d2bd998580b4816e4b045f5f9164dbeb3f6994de8cfd9706170f8b3b5b9b3fcb10049e9591629672d0a426ec48617c66b7471c011

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ee87c58d6fc17f67a528e6fca5181751

SHA1
6d1779fd324685599a78f94107018140aa97b44e

SHA256
66f9249081d750c6f94a1cb1dabf5ee43100859c05045f839e9e16a0bc9810fe

SHA512
4c12f4775a67922524ecdbe290f6e087f66685a03516f011b634dc40ceeb39160a47b7432d87b439ca6023128cb87278af9852cda94b1d8b5b1bc6fe2cab32a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9224c4d5902959effbaa5eec6e6bd4c6

SHA1
5b01ee6517d1a4b564e09b7aad7975d60c3ebff6

SHA256
e3598b5bdc4fba0241673fca4d2656e4ebeaca0da3b7e43b996828a4c7f3fa53

SHA512
00a495f1bf9d6fef08a6708645df02089c55d584971e7a44cf21636447a5a8cdf7779ff18fa65442438afa34ad5e088f1447e3e03dd1281284ed96b5dbcff682

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5eb420c29f247bf850df932a2bf9a0b5

SHA1
d256c7a01f5bda9308abe324f424eb1b51de38ec

SHA256
96018916760872fea3fc475d2e77a832fba50f06e389e0edd35b11d43ab3ba8e

SHA512
a46c4de5ceb9969779b4e2787daa3c9dec65090093d688820e65de20deccfa761a34e56bc18365769ff572651da1fb2371a937b5a956ce4327b8f8e6c0c55002

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
ce58bcc31ddcd039cd909b666b75ef27

SHA1
d7a5f980dab84c452cd3a9f827c8d79555736dd4

SHA256
0ab3f746e70745f6bcba6338395a74d83921d4cc8c0be0c8bad3ecff99c73801

SHA512
f7bd5670a3b7d24c20455efdf77d892ed7364cf387e41ebd9adfe3bf871ecac607e78199a5bbdbf9391ad1bd534be6c6e55d6080e3fe91b08b60b3c6992e9b7f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ff75af0eb7827062f01cc9c244f3b58e

SHA1
26e89d18dac59125688b74ef3b13b07dfcb2edab

SHA256
60fc134cba597266dee3d61fb8e8bf142ac6fa985bc6904566abaec708c8512d

SHA512
175a35661152d41197e6efeff88f007ba2a87262908828367dec1d77af71543d03e3f21d12a5750981cb74c32bf7ec91b0024765efa6548bc43a10b9952a3fff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
adae7195c6cf16b630e1150c1e6abbe2

SHA1
0f2bacdc5988ef13554df1231706e77e3377cf02

SHA256
0cce0f12f61c7c5711a872330bd44aae075717447cb374f8c6e0a1449f06f5d3

SHA512
9ae5280a9c34fe6ed1275240b52f97c9e6b207ac4ee29020cef403becbd83470217210a76b0f1eb84f8c35358a1f9a6c44aa272c63222ce2d9e7b670cb0ebd51

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ef2dad573ad835810cbca090361c30c2

SHA1
1863b459827f6a9549780eb3a1a88e29caaa33e9

SHA256
5d5bd0e53b60021196417760373cd73fc60824d41e028f5557c92db73738e164

SHA512
a13274b38d760ff8b100e00590613f967be4ac4c9805d0ef06bb98d0fa3e79dfea964897c618225bf0041b5d44c008fb768e7c6d7548e32bbe5c54dcd47e6ab4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
76cfe6705cdfb1c304e2a55110c5da3d

SHA1
ee32e79552d9896b7c55701c24c826daf6695682

SHA256
2819d8d72fcf4421e59ddcc1e8aae1cf2d8b1745d4938e44a9025e06141b996f

SHA512
73b1e41447b13a02ed002c63cb8dbc5177ae385ae0980f72e9d96c68a86c996617dccb90b8f3f2638cda67a941f38703490e8a615e1fcaf3438f3355277b4fa0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8fab3c7510aadb4caee55a349e638d4c

SHA1
e06fc49efe8b050aa141021ca70878c4c63e1bbf

SHA256
56bfd54a05ab935245c486e62958fb1fe8aeea3540423f4fb518614c6f1bd732

SHA512
e9f77fe15770556de6104183ed11a2d6fa22f4cb5687ec1cb8c884e1d7af600df4d36b142098fd854d203c1b7c3a90f58c73890daa7e1fa4c2167b08616c41ae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
68f0dfa350217faa0d1bf8a6f1e4a4ed

SHA1
c70be5f619e03942dd183539aedfb328b25a62e3

SHA256
a9ef2c8ead732acdc2e582156d9be65ffe86eefd964b4a180ec1bb04b33031b8

SHA512
e9c3d806e159edc246b75df2b52d6f12b9db426bcd3d9d2d2e022f1d60f7fde4ed1b960429e9f1c58e62e97c3da3c31615f97e93a7a548ff18d9d0c30cc7eeb2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3f5cdbb1ee7dc33b2105070ed05d135c

SHA1
96c3c270c7bdfe7edb580f0a0f31524756efa206

SHA256
b7808b0b1d4d36093cacff7455efcf15700660b316c18725df2cdd65c2b16931

SHA512
40d33f0d84e7ccd949467da283f1eb4190a9a958fa7e710a9268201e9b1db557e4204b32f4de8b292c40f00e6839aa4a26f03eb2fbdd92129095f21cf9383245

Download Submit
memory/112-65-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/112-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/112-54-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/112-60-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/112-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/972-105-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/972-100-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/972-164-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/972-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1000-420-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1000-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1044-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1044-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1044-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1044-109-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1304-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1304-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1304-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1444-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1444-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-419-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1452-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1700-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1700-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1700-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1700-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1732-366-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1732-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1768-417-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1768-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1988-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1988-168-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2692-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2692-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2692-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2692-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2964-418-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2964-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2984-145-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2984-363-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3512-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3512-121-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3608-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3608-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3768-69-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3768-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3832-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3832-108-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3940-414-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3940-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4000-86-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4000-94-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4000-98-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4000-159-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4356-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4356-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4384-120-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4384-38-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4384-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4384-51-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4660-82-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4660-379-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4660-0-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4660-8-0x0000000000C10000-0x0000000000C76000-memory.dmp

Filesize
408KB

Download
memory/4660-1-0x0000000000C10000-0x0000000000C76000-memory.dmp

Filesize
408KB

Download