76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
Size

1.3MB
MD5

563e2effa75ec32e724d935dd158da1c
SHA1

3160e721f09618f03a1caf7b5864ca67f49d5602
SHA256

0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69
SHA512

e1d99dd4b9471d2010a9a2e4b41aee5faa3a2da725e9a41f25dadf95fd2949e4a405ed77bfc922fcfca5e00e9a52eb74ca89a55098015f5ae1037628fa2308d1
SSDEEP

24576:pXDK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:pGLNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
212	alg.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3588	fxssvc.exe
4896	elevation_service.exe
4104	elevation_service.exe
1152	maintenanceservice.exe
2540	msdtc.exe
3228	OSE.EXE
3080	PerceptionSimulationService.exe
4640	perfhost.exe
4988	locator.exe
3628	SensorDataService.exe
2164	snmptrap.exe
184	spectrum.exe
2052	ssh-agent.exe
2764	TieringEngineService.exe
4136	AgentService.exe
216	vds.exe
4980	vssvc.exe
3884	wbengine.exe
4312	WmiApSrv.exe
4036	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\locator.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\661effd0674cc675.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\javaws.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c766d3a56055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3edfba56055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9e12ea56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000560674a56055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f39420a56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0f360a56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000848a53a46055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052b946a56055db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
3688	DiagnosticsHub.StandardCollector.Service.exe
4896	elevation_service.exe
4896	elevation_service.exe
4896	elevation_service.exe
4896	elevation_service.exe
4896	elevation_service.exe
4896	elevation_service.exe
4896	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1148	0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
Token: SeAuditPrivilege	3588	fxssvc.exe
Token: SeRestorePrivilege	2764	TieringEngineService.exe
Token: SeManageVolumePrivilege	2764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4136	AgentService.exe
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe
Token: SeBackupPrivilege	3884	wbengine.exe
Token: SeRestorePrivilege	3884	wbengine.exe
Token: SeSecurityPrivilege	3884	wbengine.exe
Token: 33	4036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeDebugPrivilege	3688	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4896	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1556	4036	SearchIndexer.exe	110
PID 4036 wrote to memory of 1556	4036	SearchIndexer.exe	110
PID 4036 wrote to memory of 4836	4036	SearchIndexer.exe	111
PID 4036 wrote to memory of 4836	4036	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe
"C:\Users\Admin\AppData\Local\Temp\0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3516

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4640

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8199271d55c00b7ea9956359d2be0012

SHA1
c4cd132928e3456498b3669c4de08fbdb0186efd

SHA256
5ba7049ca24e0afda9c084a93250d97689e3107ab605458284fa825c3196195d

SHA512
b9423448d1308124351e21b15cc870cd80ffa7212c58db50d675555aa81bf101ece6bc2b2d5844d5ffda3c192457db4ccea57e0e65d67a636cc73d7b2a197d4f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4343ff6a534744d51a81b88aade53243

SHA1
d1ddaa3d678de19921bb8c840a0aca057816d0a6

SHA256
f824db0f7b205d24cfc8d0d3475c25d13ab9dd078d6f07c67525cfabdbffda23

SHA512
c6b6cbe7d7623b5928bf450301099ae29701c11b76fd17db78996536aa89e7a1e3fcd1de45fdad58b7c24906cbb08daa013fe85ec7fdd8a21f50299ff9c2c06c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
2b090201fa4d04f41f1d4701335d06f4

SHA1
4087c48cd7bc26ffcab2ab940e5998449459d303

SHA256
d8363401ed2142b003dd329484837bff8e82d859bf6acde5d910d748bd58469c

SHA512
af4522120cb795e7d4e8b1348b217dcce536aeb52ff4e9e556b728b2d8ddbfac2957502303dfcc37eb71ffd15b486a06c35c2ca260b1510e19d2e9b4abd9caa7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
71d13326e9d1d20a1c3500279b408c2f

SHA1
7254d8a2a5b298a71fb2e686eeadbd1dafe64b25

SHA256
200db7218a5df1b6c95c94915fd147eb9c8006ed4768df72e2c9a9086724b81b

SHA512
0957a20264863e373eb6ea87878b6c03bffa2a0366584097c770abc1064c7633bcd157cd217525081e14bb125e9e2be2b4ddbd293bc92f0e2ee886d617cc6f1d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
08567e9862c538249253b2824164a604

SHA1
5fed427ee7762308375e775ff5dc88dfe431cd14

SHA256
4e84ce2949ef6f3c3d7a062c00f411e32d417cc4006ca13a4502ab79fa0f6c2e

SHA512
98ff1e54db27dd87cb04c85d946ed174e6ee5e624001d0ecd7d71189907d0e50447058770161acedb3cb6d8af89c3efa7ccccd1601ae1b81f777f394ff3cc803

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
10e686d6b9e9b88f9464e14040ee4cf2

SHA1
fa09d63832dbb42ecd246566781d3133431145d8

SHA256
74b46faa244f64b0fd67c588018698c73ece850adf17a5f3126191b1898c9dc8

SHA512
d0207d392451584936256721e011bd0ecedcca532ce42fa25329da34bafcb06a7ea6012408dd377cb2e9d743198e7ffe1c14776922521b95280b5c7294a4f496

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c63b5a5e2506f9246d462c763fbe8b27

SHA1
17b91f5ce6a4526ddda1baf7b7ed32f08d64f192

SHA256
6b56e0df7f295e2f4cacf296ea6353cbb9ccba7d1d59d81ee1c660847121f279

SHA512
b6bd3200587a4be3981d5b835772a793058ca5aa31c388da327aa3d3926f96ed2a399fb085f00f966f826a161c2afa0327a757d18b3663b62c5ba3b15e343192

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
07c21004d95c27a7639c699a68bc79df

SHA1
81b24c7b95efb2886646f008aa1a9d7a1450b8b3

SHA256
f267e5673469e68e82420618c828f0143eabf0c639927fb44def6e1c11cc5171

SHA512
788e042cbc6a9ad1dba5a9a94e07ad3938174b6d1d22357426885668c8c3fdbb06f392f4b2557dbc5ce6cf802f9abff8782ea4dea1cbcc5bf8f01de3ffac160c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
f215649d4c41faa3e88f00c5e87cdbc6

SHA1
e63d005d0cfec43a227e0c864ae795df19f2fd56

SHA256
6eec42ae228e67039dc895d16b63e0f57271dc5d07488dbe2c4abc0e45a7ef68

SHA512
7bf6c45efa26a3a53843cea2dbce3b5032561d7b2cbdbe3398631cae897f7ac3ad5623ec6136c36b0d185c4667de5426587c917d6a068b9d7afca07fe81c8407

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
41e4dd5ee343dc8b9ae98c8351d625b5

SHA1
92f2aea6d316639a4800f7377a18d312843d25ef

SHA256
1abffcaa2ef510c5046d32b9391e316ffc11113dcae204cd1d826efc7e77b583

SHA512
d21747e6f2ee273f42390711569b61947521d75ee7fe34d2156e5a063715c6fa8d07c3088c70916f38a991a77c5d8fbea0d2358ff49476b05106ced5d451981e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
63ba86bfbbea60e05f3c832b9ad04365

SHA1
63990de4105d5656e84acef84d0c1aeb746afa98

SHA256
69fd57897b3d4567a29505a569bfcc8ba8f3b8e0bcbcf9f5d20575b65d2162ee

SHA512
cb162c6cb6c373cfba59f9fc4154848895e825216150fdc6d6dc0f1ba047a7087fe3866e1767cd39442f234430f90a9d772b7f1929576811abe1374d83acbb02

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0d1ed64b9340d61c31f0aceb0932125b

SHA1
183f8ddc80e903f06d97b23d4a0d7dcf87298cae

SHA256
2e44483dda15b82d48b7da25ead94511ea62f9f90d0e64da2a814213a261486e

SHA512
5444e868d55ca5c0ff7e8242cf59ca76d9c798f71494e3ca2ceaa6d8e265d2e06a90d480d7e4fcce83d2e097f9d48f6cef0c2b062b183ccdb102974afb0d9b6d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
744077f73df58cc0187b6fa5a60ef2cc

SHA1
c0ef602032f91a239dd993801806ac26e3e6e76e

SHA256
62480ad754bc3c8b3afc6d67336c0da8159e6e1434344fa33883d87a87634536

SHA512
18cf64dc294373e04ce94a256482a2e92242729b8b5deb1d7c376b10b9e3055c111236cc02e757af9fbe81b5f0a11eb8221877626d6e5d4b683ce3e810a8ad51

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c936841c9bf4b5f963603666c2036172

SHA1
043c894dc726dd77f37a5a9bd089603b3018b56e

SHA256
bbd4000d3df5e534fb4c1aa628ee33cb686db30c2a152bab931cb3428a987d86

SHA512
dc1424085e4e929b326cb548f36bf970905efcddb2530bd6280c99c703371b85851fb3f22de6b52ed7602473b153ab19744aab4073976a9636e5ea8252ec73cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b24f52f9c936bf08a1e171d9b53fd2f2

SHA1
68300eb5ab5cd1c1ae9537b1a5bbfdb55ed025f9

SHA256
2230630ed34dd95b82cedec6480a46ad223b66aa9bfc59f0f80978bd71fab877

SHA512
c70212ad69a2cb206e9e44e474bb4c2f89af3544505b19ea671a7fc65820f57a5668b3c103452f7dc1e2f01ead399a55c9ae597a34f1577dc2c8dd30d128880b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
41642dc2b1475a7c985f4a0a5b240922

SHA1
8b1f943e209827835e3e3f66130597040b67bec4

SHA256
4d974ac9f0b8f250a9025555b7db5a2828f2340f49c297a001adb887d21291d0

SHA512
4d01411d9dcda9fd2d31fc39300457b61552349d6ab1f759adddfd063d305595f202110384e80890a4d4e03508f3af2619db3013cdb2f04430b240f114b84168

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3fc456fab5101f4817fe7e4d5f22c9ba

SHA1
ea42136e69be32fc850b0ee8f858fe88b8cfa47e

SHA256
4cfcab74cfeed35e3761ea205daaf80a6ce3099d3e69a191b8b1aaaa006046b0

SHA512
48408f93520da01838998cae8245f117905d0d1f5d99c15aba7b92a0e9e2af214dd0586fa1e21e336685c1ff29f3737728e3b73431bc0488ed0545a3aab8eddb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e7f13c8f97fc48ce597b22ab33eb1475

SHA1
a50a695040b4f834f10037c42c50a814c803f60c

SHA256
e2629e265c2fe8ca3f268614d63b98947d2e1f4c41950d187f6209f00da2ef3e

SHA512
b7fd0eed6279fd33d1dd3c55e93d3e72aa8581b763651e69c3148789e6b61fc08fc53c39039afc9e2100f39ca0f7daf6ced506489f6470f897f26dda83c5dc0d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
eb93b826df84a03bf169de2a58c4af5e

SHA1
54ec33a9f794876549518be07fa32b60ece686a5

SHA256
6528b2f2b9d81b7f655eb8377603af859e22e89491fc38b37a8573921999403d

SHA512
62b992dfb1e33467bfa6dca4d9a7f5e8b0c271b74088cf928f1acfa24ccd9703a5d9a694d766327790d9f5601bced78bfc8b07db1b056302fd37fe8ea167661e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
45dc25a67543e9dd367315260482e946

SHA1
61c4321c8b9eed8b7a6e3c99db0e30b802364a8e

SHA256
4eaf4d9a917137c52f6cf8c806fd836dad1a48a0028c0f35fffaeb985f935ac9

SHA512
f38e4e3cbc6d8b6b79902a981b25f02a3c366a21530799634be5e934dec0fbfea788f57008ab482bcc3af2eb68801b887cbb0cf55441950e1a3e73a0fc00a646

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8c4acc0aabe294f1e76fc238b4699ec5

SHA1
1eedb51933071e43c43e4fa0cad81483090246c5

SHA256
8b25ef6333bac41d846fe870015636a0c922c8146ad2d1e4d9dd6816afbd43d3

SHA512
863de880c492eb2fe2bfe7a35fd02c6ea95a23c015d1e60ed3cfaa8ff87696456672c55984786ef0c8a3ed315f21217bf3c86709bae70df2604674254222487a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7ffa569e7af2e36886a7686f3a5ce8f3

SHA1
00eaf9fe3f292e0a65859f6f5afd8bb60ed3b60c

SHA256
6e3f1b5a8055dce5d0a5da616d0b4cecdb20a99671f0bbff5b6843ba0d1f28c6

SHA512
afa7b3d8bde756e63b7564bfd148baa23c903a26a476d45e5bd6331662cf0cdfca8232bda9beacbec2fbcba286a24012c830df4815bb9b0f359c4af9739e112e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
35701513c0cd10a376b9004c7d885459

SHA1
827f7cd0eb7e5109acca182917f512f433146b9b

SHA256
c37acd0b5cdb072e88edc9df926b90d43b03a047aba857ec527474d993f2db4c

SHA512
05db0ea4b59a8d30c175d42b16375419677326381488147ba9bbdccc8bbb3943cb2cb81dd8fddc07f76e208d7d5b87aa1582042bd9f19ba15736d0b504247463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
80775d4af78765106e3953a49808a08a

SHA1
606895d3ae17476d198e99f930e1ac5952fa59d8

SHA256
416c4ccd6c7cef903fb7dbb9ed1eb942cf17d12ecbcedf124b2a23ddf1848749

SHA512
42bb61773996002e9ee986a680fdc3ef30c29f3e71b84a5a975955dbcc6f10caa02cfcf5c1c8d22fd52122798c92d0ddd03df8013b042dccf8d3880ffb30f0bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0398315beffa9bfa164a224ed1bb3c5f

SHA1
7efa69bebd26cdfd653859715e658a680bd5fea1

SHA256
0e665bf7275b5456f30f19fe1aa415c06e784082ce7f8c1a58314c9269ea72c4

SHA512
8226c63be718847e338a502307845b1efcd6c23d6ed538ce60d5a4564923759b7ee0cab501d9eb50a77516f5407004d6e9ccc4fea466c86c7fb5eaa115fb25f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c53e9fd25a0fdbb97e9dea9767c63bc6

SHA1
57bd2b3b50427bc4d434b28edb48163e673223c4

SHA256
62c8af116de2d93994566938947ee4c1491931d038b4da7bf78939913d737c0a

SHA512
13199970e17598c9842921436c17f5a8a37a1aacbb2d01c0e6d7a16ec31525ea971682a1a588bf3846ec0653f49393912a7e31950d030b569a34cca7cc3834a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
75422a549432397c248d471e7625a8bd

SHA1
8c3fcc2c3db33427b40995482536a46b0bf21588

SHA256
0bb57690f446c59fd912a43169160e901d429645e84dc40f4f9059400ca19221

SHA512
f3f113602b81d2f50df31bfa6d12d6d936b8b2213d6676f74727017d32dfe0316e3f0bef77cbd8625a461a344e84dac393523dad61e5bfd149d3141449e1f539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
dddd5b08e62be535352a63588553e9e2

SHA1
28a0d1f4b1b7b62653096b356e160b3785975e81

SHA256
20f8f72e7f7d66c66941e30c3a85b0e23db4c2641a1304a5e18631c953e2f601

SHA512
d981a2d247209c4bd112cd7d71af92c5baeb7c5c1dc1c280b66b3bde533cae86cf234c0bdd7c213ab7102b778288656bfb0dcdfb66873dafe37b13b06ea67a02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b5e3c7d83115268a5afb010c085e69ef

SHA1
5a20f36b6aa599365858f919c63b274ac67cf3c6

SHA256
b3fd3e9d8f19a1e79ba54d1c0b5ecc5e2a63e87a491207e777bdd5f80b231935

SHA512
a33bc4f5ebe0d8604b332796624749567171d54dc50a9255c559e401b888f46c4c1a0e36aba9edc422c23a9dfed3bf0889d3e0827e8a330587e6857bcf5115c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5cc40a83dff8729207eba64404ec0092

SHA1
2b543c275a5d5cb316510aa259e28633f9537884

SHA256
5e381f02f268c937a6305431fc1ba1d63a50fd8813c1906b1356e0d3bc61cf66

SHA512
f6943223f55ae7598779b1ae2419703a20172eb37ec864c5c3f8949468d0978a09768abc1fd10cfb9d88c98f4dbb4873510f65cb0f8797b2a497304c19eb6008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
d63b633a32535e1774f82d21e7114bab

SHA1
8057340e8fb1763e3607737086d6d0dd97b6752b

SHA256
c77fddb7a71f3f86bd08f53302c491a40cbf1d4a3bdf0671a3ccde7b7d3aa423

SHA512
d3aee3f80f1eabe9c9151db0d2a6ead5be515a2045751cfd27590b643bb21346d6c95ec72501ddd02954007bfd5702d4883d25ae83b59502029606c92959b5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0df7a88a80ee74471b0296b6d7cac8e4

SHA1
bd2e12352f9891428ce217fb80d8613e4e84b75e

SHA256
4d21e11686d929a72a71ad185c5aa3849d672b5d5810fad0ad773ba177967d54

SHA512
72ce27a8f919309a7acd35d3e1514507c977d12ee722cd953975ee20ee41fdc7f715aeab27b8ea948ac595587050666e1ea655125bd07469d7a1d93611293165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
431d53ac8a032ebe868c99190e3d5275

SHA1
983bb938bf59c82ff90b7015b33b528846259391

SHA256
1c615958bfac214c1e66b042027e7b92508a2fbedab07f536cba0cc0d26352a1

SHA512
1d4a7ba7cd6804e5b96801265ae5f05137b6d615211622fcb5b874dc9a7482355232b66300d7a0ed155df9b293c756a927618405e1c08f7cfc336892ba1f9d7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
d424b2048ff862007ce321a88dd3b5c5

SHA1
3cbb5c2267a60a92be8f52dee2591039c617362b

SHA256
07a29dcab658168c09fca33ef7fb09d3b7750ffba5f25098f1dd428c24084b0c

SHA512
b97b9be08e859cbe108f7b5a2742f2fb080ba69d06657c490e8b7db136696af370ae0208eff2f0ffe253dd7e06aa9018adb093ab09406fcfce4a1496f46e9bae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
e30ac15784efec0d290e2a17fefd5ad3

SHA1
d2acd7ca4b8bfb21a0a31ddb687c95082cdb7380

SHA256
60aa568c226a8abf4386a13cd792ab96e6f130547175a60cc3b2902951ee8055

SHA512
69e505df10657c33a5e20866db47b7cd5af3efa1ebcd71911de5ee0db51f4fa979caa4ff7606d7526125f20c8f82e9d30dad362d24ea8781295f0d7556b05878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b672e578408cb21a23c3011183b3236f

SHA1
5301edde6d392f01f3f10ad5fc3aa17978e96301

SHA256
375f13412341683998b06b5aa45e2c22e04b2680dac11868a5d1e7c736855e91

SHA512
011dce2e9b25ce420361531217abc657955a8774333de35269dd049baafdb942f9de0fb7a4dd4621946ac1e04eb902eaa325140f6047609ee9d4948a878cdbfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8503289019276c3f9d2215ba2ce0e6cb

SHA1
3bc3520ace66951721e6b1e1ac42d4292f8920e2

SHA256
db701716da9b4ab029132d7a02f1b61a5fb2875eda1b8bd912841083b14adec8

SHA512
3a599051978cdec997a150d175a9ca4c52e0ebc4193e658efe8bfc62321dfbaba746743e87425826eaa00ebbaeba246ea84d54d43d408d0187af2ba5055ee310

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9deae7085cab91a833b687d5f05bb670

SHA1
289a1020d8dcee1cb0530f2f6378c3386236cca3

SHA256
eb428ee4e1845eeb8e1ad14c2a0159f5afc7e503d874114dd8cc5f446f5bb836

SHA512
580d64a6ed7c96041e1afff9f4f3ed7f4a151d17d0b6eda66a0ef81afea44bc63a4ee9ad2d3c063753d21260708823a5fcadf313b40ad6da6d306f4c232a606f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
f719f3d8f07ece66c5b891392ec35114

SHA1
09b23b55bfeaeea53ea9491ec9b692a8596fc2cf

SHA256
9425ad2baff85b7d6329ad50196a41b1b594abdc6e450cd10bf4783a769c226d

SHA512
f27ccfbc93f890ea1946b7c161025466680de2f96b6d3a2455216f32c7dceb1cb6ccaf5b8fd68e664dd53970041450b984065d2f8496fd2a25aa8ca32ff893b4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1601c13ba3fd68bf323ec458d96fafaf

SHA1
08df99a9280bf3647ec82c1dba838e4a2b0e5510

SHA256
8524b765d3ce51f3f39c29f35db9acaf07f8bd39e686a3d5527dbac46580e970

SHA512
33aa3b6e249dc3f208ce0be3b845e0a7243ada3d804802699b997cdfcd8b4a26abf5439ccce4092bef7c05ffa4819fa7fcbbda44a971d4b29fbb05bbe82e7428

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4b2c6c1d7fe2c26b9b0057258bdea7e5

SHA1
6c1ac9f1aa515e69e1b7e177c42ea9c1012ffdc1

SHA256
aac1309dfd5223e16395636edee0cc9d977879fe0c60ec72c697b0b8670f000c

SHA512
5f0f9ba669c653ad320954444a5804b59712258a3ad77d91d527766a6f49959f3da915e79e90dc69931a5f557ee89e0126cd53ecdde8583d55b0970103f48701

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1889c8fb757b40a2dc4f77d59e320a91

SHA1
cfe49cc33ac22a25eec5928e34d71fa0dd9ddd82

SHA256
a29aeb6b3265cdebc17e6f7fca1655ed3ff7d0e68ea71211ade577e05739d7f2

SHA512
a54ae62652d10db439ac922aa86ff4c4e69145d81862a206ac5b78b0f7d8f12ec31dba455ea1d1f6fc7b7c7f840df77a0bd374980506d312a482c9aa15d8657e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c3d6e87ea3973fe5864490f831b08d75

SHA1
21a47767e08671cfc12605c4091b404163ac770e

SHA256
a4403c934e8ba2308e2355c047fa01aa8e44c84842b48845e46d7f660a348cfd

SHA512
86b70d14df6c57870e56805a7bd067538a93d118e6f141bc813635ad89d531dbc1ee71d9e9e63559aa026c062786bae94e08b3cfd62026222493538b4c76dde3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
385b7f9025eeba10beeafe9bdfafaa8a

SHA1
e07c155dec0e3e5a5d912cc1a731ab1f354e2fc7

SHA256
f20a5cc2e1ce092d9a0f25ef17bbc31f60f1948f3cb1704d16942033a8fdc007

SHA512
d75887f8a73cd6f0767aa7ca689933ebccd667495daf883a7815f68552d1cf97340881d4e4119d041b40390f0ec3b987ee9a33467d21959afc05c112625aaeb3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
98d7d3dcc8e174924b7b2c4241f018d6

SHA1
c700487f056df94db5b13020e8de1cedb9548585

SHA256
6b08713e314a247f5ad194c06408248ac2d1616fe5923a3ffb349dea2452f90c

SHA512
f5d7d5d6393e8bbd5161dd58f1d1353fcf34b7132404ad4cf4c658aae4fd35db216bb4df1ee4f8b2df0e02d95cc4f21a2ccacb1316c0a59e2bbe46acb1c37dda

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5c8f7cfb85fc62b03fad98dd8110e03f

SHA1
badfb81a2a52df5a41bc2b556b9328394f352f6e

SHA256
1749d6e681e7a52e0aa30ccf3b17e54f05f3822cd3325b070d25b4be250933ba

SHA512
428432b58135a673403b474240b818b27e62c0450ca662e9e9d1ad0ce6a9783132e950d3f89f38d6de755570f8676af2239c1b3bff1161617968095a498b397a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
361d43c6abff298775c2d7863845d8d2

SHA1
a5cf87bb5ce2ab5293568ae2b266e5f780c816d0

SHA256
9ee4cac6211a6fa4ada48542a5c6762f7a993dd7af122296b57e863c70c4954f

SHA512
89178e6fe10b062222ca7c79f8039833c8aaac47512409e61cb92e454fe0b87cecdad47eb4b40ca21ece4e0b5b6f0ce0ffeadb6efc8a468e6f07c72cf10b5bea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6e52a9339eee80c44c04d45a0c4947f9

SHA1
a336adb641fd27fb7a949bb49d6d1bd9bdfc5952

SHA256
d42c9136c9af5d4f263d6265ad77fb4f1259ad7fa15a5a017b59f5471060335b

SHA512
4900d4b82485b045c92e693013726dae86f64f5c0e1f087eaf334ce7824cd26a835dbed1298008ce8895a3279abec7996f352472e7b4cf39f3825dc008f105e7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ed96061c0d73ec7955b45a8b10ffe2c

SHA1
589d12ef108f4dd6056b93ede1e425e19d3e848e

SHA256
4af2542b45f88263eccda0b24b375011d98c7510bdf4723d253708af37e8c056

SHA512
75964166e691931a8ef8334846346cd0d02807a7eb9861ecd3cddcddf30e4c347db4c8fbb851c96768ff4c57a2e01f10089e4c615a10f7ce72a60fc4c8293427

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b67a23239e0f3cd20c9b398c9f4f7417

SHA1
29f4a20d0e8c4c726b35b1ba35e6b3e53233edf4

SHA256
66294c2b357a44e10960e3b6e5dccd59a5c32aa07bf41aa65bbfcec1860b4635

SHA512
de376bdeae952461199155a430983a59b1b351ba3d29443112b7767a2a5b7b7e396b25d41983f784fff19089bea22f80ff802a0390fb852df77b8f4af9d08888

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df36d604ccb26f99ff2e7c05eaf80c7c

SHA1
84de01febcccce4dc1706d8db411f4cf93f92bb3

SHA256
4586d93a5034c9761ffa92a799f402039119a22d3063539cc42e7179c0a25e53

SHA512
58d4344e826b1e742bcd457b25be226313c57dcca68e04e6363140a920916be0d96f6ff97d25b41a14cede0eac1a8a24440dc46bc952c284ac6ea82e02167017

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
77ad61cfa56a13d77f85f1672939c8e6

SHA1
8b3f3c22b8b4a9325be361710ba6e7f3dcb78ff2

SHA256
087e517e2a61e297c309661e4999283b49cfd2749e12462f3afacc1ae7d96eca

SHA512
b4e7fc1ebd26fbfec6abdf94d5cf20795f0f85506faf0a13c7a91ac20e2f7fdb5268a24fcf778006cc4946b8d7e08e1406b3e6d031bf5d3d51654689e9cd6ead

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d56e7d21e20d77ac508f377c97b29cb7

SHA1
fa8f86eb9c54957647cda3cdff5c6b8cc9fa491b

SHA256
7bbc62b04351663b1e5cddf9570c8939a9db2e7a5496ba3fcd57cd44305d35dc

SHA512
b891c5ca9951c451d57bc96a85b94cbfa1ede2fade48913ce58dcd364dd4406ca75ecf080f450b3ab762529ed9df208c813e59045548e67cc9d232f99baa6f33

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b238e450e0e1e0a045878fdba256af7c

SHA1
b7b50a9dfb28dfb813277adf8e81842ea4e223ca

SHA256
44b6964a8e2b4685722a8565179dd99afad7d4b9d5b689c71bf419f4d0298e1a

SHA512
c4f40f9b52ebbd67f91ac8974cd27039d81298717adc0943a5bd5d31071da64d47aae51a08fe67379d838d535963c3ad19f15bdf3307ee79496119cccac9f536

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ea6b1eed92b760b69a5d36332e82c7ab

SHA1
df0985dc21821d764fc7731ccef614c94e851761

SHA256
46c34fa5bd1df3885804933c7ae702b98bdd066da8d34ad1fdc05f3c8b7476bc

SHA512
4d6d4d83c9ac25eee7dd25f078898da60b14c650e8fc27b6139589ee9c6007f6baa36673f11d311e62eb10e1b88a293cf58b727855ed6fe6725408cf9c5bda7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
39599025ec5a8671bc51dea9d2751ace

SHA1
9c96bbf0d39f93f6c92a2511bd275b2db205aec4

SHA256
814b52af6c907aa05fd6fb64f84337c8d2ab60fa0ee098b14726f8fec9012340

SHA512
8aa7c2affd02b09e7a91d3da3d7dae7ba6bd6ff2ba3959e45fde51705767def92c395ba7f4b95cc6bf0fc58821c03f9af853eb5222e4b5b6a432623353c54ae5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1e5eaeb3ed8f19fb960aef0a0e1df949

SHA1
a9586a096fb682d5782e460d0da0d00853a772bc

SHA256
02e26deb7bfbdd9f4a97faaa339e34ea1ee5bedf2accd44587dea7682bc19c21

SHA512
d8f08c926a01f2bbd0e506411eda8e484f39fe791bd96cef1822a2b348bf7454fcf37b0e6f4bb9714991a49ddacaabf3eec699174804d2a92bea570d15ed35e3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a76ae27590860781bb0949968810b505

SHA1
48a4b372ef3299a766a8bdda5dd985c92763cd70

SHA256
c7431886009729caf04de82823d670a7e6448457d88027552b8f5891fb733cc8

SHA512
b1180f01967102d51f0ec6c1adde1ce40740389b833632361bcad5e5ca4a6275a7fbe32b0bffdbcb0f68402f6b47f7906eb506c78578016949104c5effd11f8b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3594e6f9f6a3d1b46b6e2a5ae36ce3ea

SHA1
5525def3a8972c8bc89062a82b69e18e922adfe0

SHA256
93470405340f2c25517eb0078c4ec5af47df4c741016a27543e5bdd9261d0ae4

SHA512
17371d488896b035bb77e8e052a023a4d58b2e72484108d547a952f4ac8dbb6d1c03117b7cb9dbd27562f4c460b007f6592730be0351e862a2c4d007c186bcd8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
e4952361a9b43e157031172dd510d127

SHA1
9c75a94bae75653d3386e0d0b11e4981f813ed5b

SHA256
a8e6f4c26c535e0b8fd190ce6f231e7e866cb1e9f823ae43ed95ecd12c11f90a

SHA512
844ff2c532143bf0cb7a50a03277e21bf61cea6ee4daa8c0f312d453af0a847a973428d28c218c8d6a184ebe4da6e0f439d2413d866185060933555e2ae8d400

Download Submit
memory/184-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/184-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/212-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/212-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/216-464-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/216-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1148-1-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1148-9-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1148-83-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1148-426-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1148-428-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1148-0-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1152-57-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1152-63-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1152-56-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1152-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1152-67-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2052-363-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2052-145-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2164-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2164-249-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2540-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2540-151-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2764-365-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2764-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3080-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3080-91-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3080-90-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3080-97-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3228-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3228-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3228-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3228-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3588-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3628-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3628-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3688-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3688-112-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3688-17-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3688-18-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3884-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3884-466-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4036-469-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4036-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4104-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4104-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4104-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4104-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4136-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4136-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4312-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4312-468-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4640-103-0x0000000000880000-0x00000000008E6000-memory.dmp

Filesize
408KB

Download
memory/4640-108-0x0000000000880000-0x00000000008E6000-memory.dmp

Filesize
408KB

Download
memory/4640-102-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4640-164-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4896-40-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4896-33-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4896-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4896-34-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4980-465-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4988-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download