bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
Size

1.5MB
MD5

8855937844ca64dbc86da384342d7985
SHA1

357a0cfcf62877c86d6eee3577895dedc905e680
SHA256

bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74
SHA512

bbfaca51a3b59444646308bdc1bbd667b7af5933afaa0b580b9dbc64e2df833e47d1b0047f3d2234556a59181355b8eb226cf482e65cdf315fbe02eebfeb3ff6
SSDEEP

24576:K+88NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:K+8gDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1440	alg.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
2216	fxssvc.exe
2268	elevation_service.exe
4224	elevation_service.exe
2384	maintenanceservice.exe
1336	msdtc.exe
2412	OSE.EXE
3644	PerceptionSimulationService.exe
336	perfhost.exe
3472	locator.exe
3544	SensorDataService.exe
3772	snmptrap.exe
2952	spectrum.exe
4880	ssh-agent.exe
4592	TieringEngineService.exe
2072	AgentService.exe
2860	vds.exe
2216	vssvc.exe
2988	wbengine.exe
408	WmiApSrv.exe
3040	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8535c4f63e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\locator.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\System32\alg.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\System32\vds.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007008f671fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a1dea71fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000987fa378fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2105b71fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000715ba771fa3adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003632de71fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1376271fa3adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8bda971fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5484b78fa3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe
4200	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	956	bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
Token: SeAuditPrivilege	2216	fxssvc.exe
Token: SeRestorePrivilege	4592	TieringEngineService.exe
Token: SeManageVolumePrivilege	4592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2072	AgentService.exe
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe
Token: SeBackupPrivilege	2988	wbengine.exe
Token: SeRestorePrivilege	2988	wbengine.exe
Token: SeSecurityPrivilege	2988	wbengine.exe
Token: 33	3040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	4200	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1896	3040	SearchIndexer.exe	112
PID 3040 wrote to memory of 1896	3040	SearchIndexer.exe	112
PID 3040 wrote to memory of 3692	3040	SearchIndexer.exe	113
PID 3040 wrote to memory of 3692	3040	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe
"C:\Users\Admin\AppData\Local\Temp\bf3970ee9e73ab791186c53926ed3398afceadcd1a432c51470ab58bb4301e74.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1336

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2952

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a68311943731315955662a289b6a86bb

SHA1
d1f88f11e432d7f09bde7b94af466acf8c37f01f

SHA256
6a942d8752043c3693b8ac256cab5027bd5645c21ca6a72b6ec2a9eaaf600586

SHA512
5a6dc98ae7f7078054b4672d83534adb7532529f310adb5e6644d1c9fcdcd9b2082ee25d703c037299e0b4a02137bef53fd84f4a0ac5dcf3603b6a70a1e303ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
056f81ed9daa39a4fe4376e6592222c5

SHA1
d445a5bba40a72894d5b7eb3861f7d971c0ff3a5

SHA256
2b88b4c4760370c3014dd14ca7c8ea31674f15c94552d8b63a06f0eb5982a438

SHA512
025fb3becc45950646ef8175fd90f221db238a8c09d4e077694b23088bb6efe3f2c7fb3c749b466e58ae463aa733b0c82e4da51a5634c76141fe9382b13f3224

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
5c0493be3a18a5b8af9c6cc3a9f624bd

SHA1
8982bae1f8816d76e5ed9daf8db9dbfa979443be

SHA256
edd92b93d54c1b11c9e92d87f4cba6b9efaf113c6a34a3aa956a59eaee3be6fa

SHA512
7110cefd870aa961da0a65e5aa6322ae82174d4f4e7b9dd6f207b763510589e41b9b6f40d99aca06081461b7a23e434323889cbab6e244bd1a498451ea753ad2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
11f75976e109b795c736553054a38fe0

SHA1
ee3607043e103b5952681d65b3f1fcc0e0f9688c

SHA256
9d04900a7ef481450bf8379a3834b64ebd85a5a155032ab436f52722cec018ea

SHA512
d79b83be5e9ac92ab7a35828d094fce49aefeab5995b1cffe68dd38ed74045fef68882ba689fa46f4ed7c3dacfe78911510654334610e6f67174c0118b89b0bd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bb0c1edda019c456bb14fa372ad454a8

SHA1
b7d336a909a54689ecabd3fd5183e672e7a2adbd

SHA256
ed294d10b51ed7dffbedb140ba10a1d0eeb7960f15dc5658b18a544dbca3b940

SHA512
4687396a2a69a30766f2f8314d10925c87c7902968f2953036b28ea05cf531a892436d84b9cb1f220846839bd9740d72f826019034aa4cd3c20d14960f6bf7ca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a6421c8959b222194c71ea6c4bbdc860

SHA1
14e7b3e66eb228dfdca50050baf7edcc9f98228e

SHA256
9d6f62711e55ff95d8dae8ba19a1f0aa1161b802da5caf4289ae01b113a8053d

SHA512
9b2e993c7ce2dbed4801e2a789a8fa736b274840ef3da4cb8d8d6ca93960876fa1a0a8188eb7474d154e83f2ccb3c099253e01dbbff813cc44e5085d1ccaa4ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f5911f7817a115109a66bdfabbefe39e

SHA1
72acdf1039fe1ddb1227ba739e1b20e0265e613d

SHA256
ad5a41b054ea91eb7664b09b4be4bef140714b8618074ececc323039073904cf

SHA512
fe24aeabd97ba4f7b2b96d2916c38346a10f994c19a698b9d01de02f9c23a94c8fb816ffb6da3a95ae59babbcf2294b1396edeb13766f55d49ca40365abe17b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1dcb019133dbde92baf6d8cf72874cf2

SHA1
1331a45301a594de8f4b57b4dbc4b6c2b3f1abc4

SHA256
4302cd1b5ef645ac13f4ecc5366bb54cd43bf3112a66e01eb6b409d35a6f1191

SHA512
14f65a243b6a9b0abdc9341375801d0be5edd08f4840c96c07a95d54f5ec0a28ed19578e8d3cabbeb5069ef88872abdff294bfc09a7c97658d5c12253696ccee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
8bb30fafbd106c92d6f363b394e01230

SHA1
e5a60f4c824e2a5bbb9fe4cacfd8cee4f112de12

SHA256
021e6dbf03d2de4cdb3273073bfa66535b3e3a1644cc5576d333f5a87630a15f

SHA512
5505f859efebe42bd5479abdb586f77515e4d8ec0eaacaf39a555908c5931aa71d968b39c44578a6629855faa695f31da80208e457fabf033d4124bc0b7739d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f696a8cfe2e2b2319ef2d7afe2aa8a8

SHA1
541379d307af8bf8fb115fc137781ce3ba293fad

SHA256
2c1cac4793a3fc985d6df7513087469ad224a27d8f0449adb7419dc72e9b5c47

SHA512
a75be46d4c1b62a6774c4c595e55372b06a0a3301fdfea9b111d0b6117423f7be1889ad532d3b30676dc353e6ba2c7397433c97e5b401373550c70c2efa7ac44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
16b820ccdae59b1d9998b897a187daea

SHA1
b6c8b8f1fa758fd7569efee26e68d1c3373a7533

SHA256
d50fbe2e17901b2bc8004507623d5624d0c31527f9517cca052c598b4ccbb84c

SHA512
0162a349f2ba36b97444797e0d390d956c87c85635cb3191d3c41bda8a8dadf2c41aff742cb5ab15ae4c3b716cb1bfada6e118ae2d269e979d1efa7b4d94e3f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
986fbdea27a0bdc98301da1eab35d476

SHA1
9a5e04f06a7900a9f701bf190eefbdbb033fd6ac

SHA256
25f1c7ff129234639eb247f13e0146cab387a68413d824ecbcb5e6e5114c9127

SHA512
2849f186dd40963da3de34e4fa0bfc076f60d710a8eb489676c4731e58ab9eca7b1e0a2f8d985dcc679f72dd4b22209b34123f263679c684919ca0e46150476b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
67bd0da71bb26209a2e9769c24b7f27a

SHA1
846d5d456ae72999337d0ba77baa822853fcb4be

SHA256
f95ecc175510aa09e475b30221dac2f64cccb31935fbb74705db6ab11f525368

SHA512
3c2c195a705047a343248b100d8e10db30995010fb18f66b88bee15d531a11c257a624f8a5a657c6d549e6c5f65d47041446bc657b81fd47498d62aae1d0421c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
68ac0b39ef9030c35ff2a027501ff3ef

SHA1
3813cd3566bf59a0c107a6cfbb5e3d9b3a8432a4

SHA256
09b10fdd37e57ba570c824a707c050a720bee695ea9adb9c2b8ecd36536b2ae5

SHA512
1f8efeb7d6fdd7b9a4e469b34e2e6be2d0b34ab59a2a45d85c8b52890ab01acfa61a3945a5e464347a6875104b5e4f6b7fa7b6a98c499e239c9af5451435018b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c6a5a3a84fc9875f7c9ecd284a4f0a3d

SHA1
97729d39b4ec89d48f91b73276cfda72555bd02b

SHA256
c7a866ed38d52aa2a38b3b64924c507803441462b1cb5c53c61fbf5f73ea6f2d

SHA512
48ae760ad005df5dbdb6853365e349d2b2825d45f2240a1eb7abcc2043fe722fc3914a40e59889d309b04141a4bef2c7bf0d207d12740615c0bf7193c64fad61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
e24e001948b5bdc23cbcaa1ccc8d7796

SHA1
e3e238edf1e47f9d789f0c528fdc5b8dccd9ea89

SHA256
3b88dd818983cad7cbf71438a868c6e366a58a660b5409b48c1bb74c36ec2108

SHA512
d5a307a81946684117558f75cbd46e88f79abf7b68435709675bc290a21240f27c50b217e158b520f1a54cbc14a413e0353d098dd90b71ea635c5e4f6a93b5ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d2e96b3512a15d5e8fb18c139bc7e33a

SHA1
7e10b8829b469d0c3df8747307a3b6c2efb41a64

SHA256
fe8b947beb2d5c54a95ddbb724c6b89c2639997ac80c4e64e119fd6ae8a12b05

SHA512
95a168af46dcf4a276be0081f6b500c9120536260645ed75bedd0507e342e57cff5985b2e44235352c7a054e786d83ccff753288c79f1a52d9808e9e28b1d7e1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cd95eac77089c99e405b9880b1712d1c

SHA1
cbf93258eab05cef652abe981ce768dbb84e4eb4

SHA256
ca6ac48c06f782c23dd12f2192d9ac48181dfcb3cf8e2820325fead3e43ccfe1

SHA512
f3519a8dda04d43b498ddcac5f944051785cdb07b44e2c4d1ae66b1ab52f018e188c4bf0de9e75c93b94e58b3d634caaf63a82aea099f518816fd489ac0f978c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
35b48c8416f30d7aa1648e6ff472ec8c

SHA1
c5a081dc615749d0fd14f244891b15a1fa279b2b

SHA256
33419f4e7cf4b1897700f84a5601b176b81c2eaa7b716b929e55aa032e9287f7

SHA512
ba48e4e87af6a778606507d8ccafd7771e9b8db2e571d462c4da2932394dbf9698a6c4bf9687a56993747aae64967cfc8a09e37c624aba8ca2526d49c2801608

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
078ce56170c67834678970d8e663a80d

SHA1
62be26220e04574ea500048d99ecffe4b6bb52e6

SHA256
c3c2c9fb3578976384bf5c62f5de5bea251bc002a23303043225c183797f0a18

SHA512
249fcfa6b95d2290c8e1e0ae0cb728b044ba79bfcea3717edb8833f25f947bd822fcc1abb61d619d271386548f7d6cc53fd6da6f6063d578b458e831ce4a6ce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
fa7f76ce46c8a665b9e132e5279adbdf

SHA1
c26b34848124eaf51674c98a48ae2643b927b4dc

SHA256
f23a1553dcf0320c76e517502017a320e84d88ac8afafc749b7a1286624d6513

SHA512
33f92b10e8e83c1d1abe20126612961f0dfd500852175add16392fcc8f6d0a1c3843743c1ba1f141460554a6f4020a1131e5b9a22a767a39f1195b5451a08d13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9f5e5060e42e69a523c35d027304c136

SHA1
af150a8f263a225b422c85b4d3339e32d512fa51

SHA256
bf063626a790bd90a98eecf1ae5a7c69fd64ea3db93e6fc1d1029c2b096b7b99

SHA512
ad34aee9ff5701f6da43b90d9db82fa4bb08dc5d7568ffd4153a6996e590676d97305a8286122819b02e49d934760f41ab0b311a922f33311184af7ba698b12d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
82d8afbc50c7d15ebc2baeae89f32d20

SHA1
815f21b054c1d6ef3acaaa9b0c61fa96d9c3c837

SHA256
ea73fa92211af876326aa250913165e4fc703257438f983556d01a7ae789c3a7

SHA512
0cce47139b9e3b1925d97c7c2b89e375c9004d22a35daa435a5ea6c956c7a3f692d6d82e2924c7d710fe71efe2eb51264ed1866ed6b2954a12c85db4b143c4d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
f51c4b6861d6a6a89c4da39ebf90607d

SHA1
276983748e0eba0fe46bf27d1473ba161a39ed7a

SHA256
5361016475bc4bdd94190513a171a462b5849e5defc578876c15e54223b0acb3

SHA512
47604d41b1b70b65d477b129881918a4887e139419f7fc7355f6d2af9611d521e93376c36611fc2b805e278fdc2fd04156e75a7797f1ba121f77a67b504020e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
01b34d3842b25ebe272049dd50aa5203

SHA1
c235796da0ac39880218fc357fe53d5c802c4199

SHA256
c9ee74a48ba5d4a7205ccbead29120fd7834959d26fe849bb5815017feacebce

SHA512
172fe1de60a57118a300c49c0419093031566bb504f4c4c8a1614366ca9127427096212da0ea3e231c7e5452c798ba57eb00c2b2af4c2f8d35cf97a7e94d6a94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
76d07fea720724c136dd26f999b90392

SHA1
21290b706036e21e6a6f19ab98b9e3f0b35efe22

SHA256
e81a0ad5f5259ab5a1f1853654a6a95ec728b1ab3b429e39526a5b18c7b62a3a

SHA512
499acb1f89664c438e51aa066fea12320469f5b4f418950bd33e235b4765380b06ecc37cb68a1f893f5840203bdb6603262cea83f80b58ea857e71b34c760680

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
7f4088bbf290353da91367b35ece7975

SHA1
3a1ea9e1f0737ba41701d5f2217593b9b2cff176

SHA256
fe025cf407ffc744c3f88aa531b57445e736b4c7fad5b19190205c8c1df29de0

SHA512
3ef0651b2b7d858a305d875e0bc0525ab0eced3d62969ebcfed3f47ab41d7243ed30861a22906d792ddf8cf0a3c163d3eebab51b761a4abbd41beade22eada19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
e79fc458689683d9b4117af8909a7233

SHA1
180319e5c10f4162c9083d41d612ac2f9021597d

SHA256
dd7689117ec04d02acf6b3196cc17c4ef5597d7b6dbc9c00ca5760016592c8e1

SHA512
e7d77dbf0aca6f100a3dbc974b718605d8b3f351bd27f1ad85550ba77d55c4dab9ca43d236b9cf1a33c3dab2015311993b92076d8afc9b9b0df4c7925b174d85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ca75eff1f7a4ef41777acc137e288db9

SHA1
d0079c40842620a32889286081e66d31b4b90302

SHA256
b596ddca9db6db21dbcd620a529d987129cabf48a9c01bb98f8af0356259c83f

SHA512
0fbdae8ccc31193b6e7af6ad572b287b032bfbb8389b3c570c4a5807942d4d753d574bae9aa227930e9c2e382cf1429a968c06aeb1377075c6fbae682f565b1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3b255b7663cf7c288449c2fe531d195c

SHA1
e4e199226cf4f143bbb48f9a909f31af9af0b822

SHA256
7555b2cdeb377949ab7bcafa3ede973e02e636c9ffe274b39c7ea397eda2cfed

SHA512
e1ae1b6dd832291b6cf1e2d67e3baa704ee5a84c7898f9f6d2a86732fde3f332e5aafc3fae4d787825e04a9ee6ff92c709a6b46755060336a62202588670df41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0bb5d410bfb7260541994ed2d09a4f73

SHA1
6467b3091c673f1f0c6fbe686afedd9e7e62d740

SHA256
61f11e9dd6d2a3be149edfa798e997659b1e131ae7b47c7a76760adb615c28e5

SHA512
c5cd13cb418cf5c1d7b43cc11e7e03a470c3941dd2477731d160192aa8e5a67b4af4fbece6666cc6d5ef3b7f7bf635a1b41d94377122ffa909c05dc9f67c0da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
fb2b59d6601a6f32f15202bc551a5a47

SHA1
1a908570e57d7fda569658013dec246bf7233833

SHA256
24d8225b42240943d5b6c12b17db4ea7e2f7e77b9a6766298acbfa5fe5a6c778

SHA512
0aa7b6f142e53dcc308c608a3f9ac482e158a2558f61b7741e1550e82514220130bc0a51242eec9fb7a43ded4dbaea63cc81e73635a3775f06657d385ae25f67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
14f8636f350c3b8a65b6e11074976b5e

SHA1
389d6706733e17863c91eb02179dfc6c7ba2b879

SHA256
abb579108b5a619b6fcb2b48bc0afdbf2a13e06bc5243ae64522406c0249c86b

SHA512
59b9e35917325af450aa339ede2d1d0447bcd940438f7b08065481dfc7f3f49c23458ba48293f684f9b4b49fbdeebfaa3855ada228664b387de4b78ad975cde3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
8ff6316e0d80e070ff3097a1425ca3ec

SHA1
86adf3fc1949c2e8f2d32488d8ba7b96fb742f52

SHA256
0cdecafa950333f1eae58c1946fc9c0bbf680a0a1de8c5f44452bde2a7538c6b

SHA512
0b17e5f3d39b8f6fb6253307e5564ae8e2a6eb906609cc26b95d5ba2728ce662281089c619fe624a8e07cc9b4e18ee59d2bcf9f4b3c432bf0504f1b330ad28bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
ff49de732b1340bb6be0d69ad9556a0c

SHA1
4453b66c92e38c25e0602c2b8ca1d2fd4c52d6fa

SHA256
78511038745bf8028f96a4df5f056a56c2b07bc8270b16757ea24d062cb894a7

SHA512
541302618feefcc365f598372a9ed1a7a325322b1f7ac58be37072eaba36b1aee2838f9bafeb86c0854d882405a162651b5bbc7ddf669f7e44ce5f7d11802b0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
88e31b47767ba987f943ddd718e9eeb6

SHA1
1d720fc22bf5d871ad16d8caa33c0c9abf65016b

SHA256
0c5e5bc0b00f5fec92c5b59c6ad3cd17f2ba11cc0cd1b389e2a3f72f09a35b99

SHA512
ded098e71cc23860fb1a321d1ab67cc39b8bcf509df0c3c8a7fe4a2c3cc97c1fb472296a8a4b3057e6136aa41c3a8f9cae5f72285870aa5a1d0bfb3b488e53a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
8dbf0e8c55a24c5943c8a9dd69ddaaab

SHA1
d2f770ebfb2ce10e2841445310fd45947c987ab7

SHA256
c03fb17510fc1b823c1ca7e0fa7dda3d48f21341983d61cd8a84e55fefa1ee1d

SHA512
9a8e1e38732e3301c5734543f61d27d12ca5c996e3f0193194f6dc11a7edd2cb96dce6471ddd74f7ef4adb4678270244b5307e1d9459fbddfdb936ea7e4d99d2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
034d111cb9e18430d3208b36e87b695d

SHA1
2b656fdab34ed3027b3cbd3da23953a1b01320e7

SHA256
232647c9124d8583964bc4bad7044f7e61ec7fb4224e14ecfc3423ac66d18d3d

SHA512
9ab480d3dc1ca257b9dfa9f3259326bccea1a02b00feda0be497a67ec1047ce3ef04c9658d371eeebfe7c5f9a9d577ae80650ff9c852b43d16b56fa0d8ec9561

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
2deebdfb4f9cc736eae1bcd9bb4080b3

SHA1
27a04219d3f40f0d347e0487aafd541e93c4ed1a

SHA256
87c7e9cbc61720bc60ce2c5285eab5efe85ffeba01c216e7b6cdce226f1cfdf0

SHA512
e390d3f7366b0e714c368d66aa72d4b08d3a3549d17d33ee5e668a8c213360aa08b4848d7409ea6541983da1b91a63d2cbcb0797d436419f990b968d87194345

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7d6331bae5329a2a58aba60c9d37d8a1

SHA1
c2fdb62322ae2b590d16d18dc3d17de19cee4839

SHA256
a2f9d521e2a338c8088ed8c6c3a103fe686f6fea1045d10895b8786c257ae4d7

SHA512
17eb27c2ebc6d9fccd21ff567f51c5209e071f7fd50572a56ab5a7cf11c59b39d6c7eba411e37d4a7e54d5728cf725396d63755802c67eab5648919c6e2c95d2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca888697fcfbfa3a6eae10ee92a33393

SHA1
30323b34c9baad6bf2d66cbdb39788348f4e38d3

SHA256
4840e777237d5a43057fbc0950218a1af64d8933e78915b0f729f6de08c61c0b

SHA512
9a66a65c17cae3880239dc25c1c4a3cfd6e43845e26b61f656cb679bea7508c61096a81a0cdfa5ac3db4c493dc4486701df36676d452e3585d80671b2da1e4de

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
2ccfb7a7aaa650d9b3eee0ddd68d8db9

SHA1
49dde49ae71bb57c7e208ba48cb550e54b9f727e

SHA256
bc5d732049182677ecdce57d37577b03fd2ed93c8b6dcb1bb3abe5a1c6fb207f

SHA512
9631daf49ed3be30d264f8736201e0c90e0d4633b878627c129656f5a81a27ac01ee609f6c546fa5d5e4d99793ce9bc473d3db0fb10bfa9a1864ae590aaa7ae1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f919cc44c796cfa6a1d8e84bad34a85d

SHA1
3385dc9212b1a369a885035b0fd1d91806678c8a

SHA256
67d418be47ec1f98d915927332c99d647f6933765f8b729507d88fcd8ebd83ae

SHA512
06abc807c18fa2250523314d3bc7270f03a7922ba4ae2c8fa664318c60e5309f6539a3b919083efd4bafb0a0144bae0cf23a9c6e3a8fbbf5b01d15a7507a5319

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fd69a36f251add8edc2a910368e51b08

SHA1
771774e51defc011970a4324d121331fa49bb31c

SHA256
3a1bcbc723b6f03fa68392670210852a4159a62422e3aa36d968d37cabb1ad89

SHA512
e1b49df7ba303c2754d14b5a938a363f25f0baf690efb9e10238f16bf2f05fd087fe5adbb0242ccfee76e5f42fbf4dd9728f163f8de0ab3c4d865db3edd38553

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
597e5067b04b7e00823f887834ef4a24

SHA1
262a2263c12ef174b493f6905c8ee785cafc462a

SHA256
9202f6be6f10e3a5c2192a66ef584a6b53dc93ff58a6a982c9de0bfe8cae44aa

SHA512
c05f1caf986f1208bf1f561ac0e33f27e586e711eb3af267f4a55cbf0ec17b9512a64f85cf08845bdc4f4dc6163fbf179ef12d7dfd9edb4b4b11096fdc6a88a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b68ecc54c2b9e2e5338f8e37567383b5

SHA1
1f97a9c76c4310f096071f052bdac3c6be5e24a5

SHA256
f0b86544b789edb6aaf86a6272b7583d96aef26114110c7434ec8052b67dc7b3

SHA512
bb6e7cd7ebf8405e95c4aab407c5a126aba0de61c06c4bfb37b2a6f03d8451becce6df5b2a8ccd239a3805097efae288553e08bb44b6ca279be539ce4c060880

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d17a435223d84e869c80159badcc02b

SHA1
213862704f0af61b8de40dff55ac7672a1641ce1

SHA256
bd42f899c9282dc19dba0fd17274cc4607bce52868b53d1c51db15a164b47287

SHA512
e9f847a5934ca64410a07bf9b4305d7b7c7f46a2dc0764b83b56ade692b8e6eb6bf1ab633eb4501d129f4e3904fb21d6184ff6b00ce9bede22e13d840e0470bc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b0021920f6e36634e7a65e4a85cc27ae

SHA1
28bf30cd29763c4beffdf21767baffdf148ae441

SHA256
5232e8b01cb6b7cf2c2cb651440ac87e46b4d0950467d4b3cc236b25b9417b76

SHA512
a88761b3d8901e8c2f53f19c19119e7ee20015c992b3aa63bc55f2f3d55501b153e41d0be3773560e72a89fa93830bca858608c21f3a766df39d65e2cc3e96e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1117b594891a5e4bb1a9a3b03361ec27

SHA1
6bcf5cd713e2c0534413c709a4aae280261cd08a

SHA256
61ff9c08d5f9367ec02b884789802851e3c7b0a8477a092f12bbfb791abcaa32

SHA512
f0f21e0143cc30a528c242e03489444939816b0126acbf4ecd5b7c722ffae5abfd9ca19b35f923df9196bf7e70ab041b4200483d387db4d7ece5c397f51e55b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
693aa7db2c24799090202c51f232e51b

SHA1
a41c2b2b5d42e45871484b5215b699951e5e451d

SHA256
f1be3f5a192a6a151fa58b8af5f0599a277dc62bf0d225fbb5e0ffa1f1c3c5f1

SHA512
f682a811b995f88c09b5e324d3ba9ab5597263d1906e5bff2ff412ab2a2eb7b3183b664c8b9be5429f575fd3ac2874482460cba65e9257bbfae728d1a0eadefe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
976cf1cfddb2d0dc1e5c4b294adc8ff4

SHA1
966012a02617b093c5390c5ec013fd08e48676ec

SHA256
80bec870d256210e09d96eb3234e057e5bf4c8adf8edb9186c01d32549ff90a2

SHA512
ad022afd565be865909bb7b43e7f947593285b8098f2d9fd59e5074e6b30794b6bcc9b912638afabf825369a170ffba516fa6adf4b45e3848779747a5e2e063d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
1ba82b427136b04d3bb849dc6f906db6

SHA1
6cbdb4e539ba36031ba28afea44550978099c5b1

SHA256
9a003fdd0b645d7f766fba12e8aeaa525aba7df3914e1ac59af6fd46183447a2

SHA512
92a3a5dba2835eb6153c15270b3ade9d8cf7ad7be2b17bb511764548a872d92b8f5bab8f01561a2a94609e6911efd25be203759087b50e879675ce9dc7f69b8a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
736d4cb041ce601473ac433ce0e91d0d

SHA1
25dffbbd487785993175c2c645a44fc8c4c94630

SHA256
2d120a9fe8e1f130d135c5e2cade7fe4327133548fcba7c094fc82e1e356265c

SHA512
a59e14cefc7f1be03acc3b3d0b5a3c5cdc9dd72ed087ad104ba59c9cb2a1263c4d21b5d09d67a174a1471af2cdcfaaaa259fc7c89e04981b991eb6a9005799fb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
47af3eb3f0b70f3d6e79b9762ebb1084

SHA1
40813cc920c51812f76f22fc42bc9a8571d6fdd4

SHA256
3ff5c60287d72f0b31449a359fc3e922d785f1984b8949e8d2f19d0510ef6ba4

SHA512
c34bc619de2d7caaffee2844dab904a213252a817cc045f5b5ceb45261b83fa5c7355f6701e6b4b88623dad411986de0e241fa469e8a6a6f23346ac9c6f628ce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
79920c2768898f944dec8808f057e449

SHA1
337e91e221be9d8039e3ccaaf4d568484a008e81

SHA256
6079542da58c64caaabc7233e962a2dff36091c21e80dc47f2019db32d34dabb

SHA512
8fe38d1041b3b92d3bc8e5bc3d0fee2da647b8f758bf39e664e6fc00788922d7cd27dc1597374b2070538d984230398e3286c9b76cc20895f9ddcb6e80b660e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
14052dbd87e9f33012e3638b06378b18

SHA1
3d6554dc68673976fe8045f13b9951debfac93e8

SHA256
a9505092b284fc1016e4669e4f4c41d9c35805aa8a3f8c80ba25a7086ea36f19

SHA512
1fa8f10867f0a1c47ea79c5cb1307e864d8981fd8e18fbcc6cb1447799f5366310e41538334ff2312dd46c14a3fabb6d18341129c8ecd1fb82019820d62138fc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
970364b0bc38be1131014fa269ea3b3c

SHA1
81d89152c364e23e54149bc9cbcc73750948561f

SHA256
e9aa7ddb3944794f2efa19d2e1c32ca1e97c9e27070b45ea7963ac9283be8b7e

SHA512
ae55128f2f937155409d597639ec06fdf6123b952cd773030f888c27559f869807a217f1261dafffd508e02b8b22ee73d04d74624101c8d704ff7f1b09301b0e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3d0beeed07f723730421cc9195c27fa8

SHA1
525bcf1b2a93ad4a55a7294de17f9434e0e4863a

SHA256
2a7c75223538808e145f42045e6441d23842c4886119f333d48cb3b7d3dc25e0

SHA512
988a15be77676ecfbdb8a5c652d5b64a8ca7ee1c10b858955f978a2cf6f25422c5fd1b117ffdbff4a08c27d95154f30849d37b671062998bd6b21f3f905421bd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
204ae6b6aacb896e8bb10773d812d77d

SHA1
f6e157c4a9fa5c67b3d45eff5fdc2349b0d7c114

SHA256
29a4943ab6cb7408107c9f0ef7db97185abe99d4f7454e017a7996b2b9ae17e2

SHA512
aca9f79826670e18056a497ff61b8b752db36fdad461e4ef17885af00016fbf8ca19ba2d2ca1aa48476c3a300c40c96e42777182deed4996a7e9909ea3ead848

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
830991fff5c6607c7fedc4ed8ca88c71

SHA1
8c88639aa12edea24d1f525dc651896a755ee6c1

SHA256
3588c2f9551c284d7b485ae1ff3a70ebe165cefd03c3a149684b55f8410b4700

SHA512
a857c5bf137ff308b92ae12829f3d315202b90ebab1f0e1d7641c13bd2a9e0a7e0b2a362ced997f41e313e102e1c973a5efacdbde728c385b4eea2d1d84e72f2

Download Submit
memory/336-130-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/336-513-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/408-278-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/408-588-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/956-75-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/956-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/956-407-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/956-408-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/956-6-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/956-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1336-319-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1336-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1440-21-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1440-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1440-20-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1440-13-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1440-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2216-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2216-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2216-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2216-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2216-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2216-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2216-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2268-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2268-56-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2268-50-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2268-206-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2384-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2384-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2384-76-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2384-89-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2384-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2412-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2412-376-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2860-280-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2952-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2952-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2988-277-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3040-589-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3472-160-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3472-514-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3544-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3644-511-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3644-124-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-180-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4200-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4200-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4200-129-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4200-36-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4224-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4224-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4224-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4224-273-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4592-586-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4592-207-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4880-553-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4880-194-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download