52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
Size

1.1MB
MD5

83d50ee2af5a65dbef525712ec933ddf
SHA1

302aee694fe15fd34ad6a66cd505d4596fe7445b
SHA256

666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8
SHA512

4bcda9b9a1357ff4aefd642698a090b7f670fc1013bb5579f74d7df81adae8ea521c2277d1bfdb3da8c5aa7931ea20855ecf82caf90ae03040dfc2031353469c
SSDEEP

24576:WkXAeB8AeBWsqjnhMgeiCl7G0nehbGZpbD:rRB8RBaDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2280	alg.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
2612	fxssvc.exe
1472	elevation_service.exe
2668	elevation_service.exe
220	maintenanceservice.exe
4028	msdtc.exe
3260	OSE.EXE
3696	PerceptionSimulationService.exe
3648	perfhost.exe
1460	locator.exe
4408	SensorDataService.exe
3148	snmptrap.exe
2480	spectrum.exe
4432	ssh-agent.exe
4888	TieringEngineService.exe
3932	AgentService.exe
4844	vds.exe
4460	vssvc.exe
4984	wbengine.exe
4728	WmiApSrv.exe
5084	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\locator.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18bc73fce5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\System32\vds.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\System32\alg.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ad06b0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008491ae0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b2a280b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031843e0a7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001215340b7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074938f0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e807c0a7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3568	666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
Token: SeAuditPrivilege	2612	fxssvc.exe
Token: SeRestorePrivilege	4888	TieringEngineService.exe
Token: SeManageVolumePrivilege	4888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3932	AgentService.exe
Token: SeBackupPrivilege	4460	vssvc.exe
Token: SeRestorePrivilege	4460	vssvc.exe
Token: SeAuditPrivilege	4460	vssvc.exe
Token: SeBackupPrivilege	4984	wbengine.exe
Token: SeRestorePrivilege	4984	wbengine.exe
Token: SeSecurityPrivilege	4984	wbengine.exe
Token: 33	5084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	3556	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1776	5084	SearchIndexer.exe	107
PID 5084 wrote to memory of 1776	5084	SearchIndexer.exe	107
PID 5084 wrote to memory of 3044	5084	SearchIndexer.exe	108
PID 5084 wrote to memory of 3044	5084	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe
"C:\Users\Admin\AppData\Local\Temp\666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:220

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4464d093e786f8c9b12102964b2e83b9

SHA1
86d66431736fbebef31c24817649e0383a3f5ab4

SHA256
9f99cc2e48a11a905b3cea16e29748b44ab0c792f601b2024aab74e06c5de594

SHA512
6f0c10db4f042ea23deb652f42177093f50703ac0c2bd8ac3a70848e69df597cadc0ce829632a2e827300db17b6fb27acc748bb01119ab97469ee7ef6481eb84

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c6136c821a0d35e370d2084199f4df49

SHA1
2db2254dd7246a9d14bc62f075592d97e476ea25

SHA256
b839ca18ee995028cbed8436e3fbcea0351217a37b3efd876c76a369e43355bd

SHA512
f6c816e8925257784f2f1021cdc8926e2d151de62cb92d8d44a3f0811e7736838c596ed53b5e0eaf96377c9a17bab8b0b0a0da293b3b33f907c4d6c93c352ee8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1e56fa6f8df82d83dfc985de5c0c3d92

SHA1
21fa7818ee74537b91b7c6056d1a32178d0b92c4

SHA256
f01be90cffab64a5778b7a7a7b6e97e9225f6bf61a1c642ab4f61a9093c24e36

SHA512
9b4e151dc427b2b795aefa047defac75c77a59f17dc08751608501095533fc2ddccf8575ff22e6b1a46a6bc19b7e58ae158a13624fc6f35163d697f6bacd555c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
40adbba453732fc6dca43f436f50cafc

SHA1
4269336ea37c6d8286da3751cd9b395d693b6710

SHA256
495eb9fe5f8b7f25643beb04c4c9c2299c993cfcd5f58de82c58c62282fb2305

SHA512
8fff1e9f55479815b626f132bd08352e73cd92829d827f6643ffb7adce15086f8979535a7b3bfa983cd1ef6633f705c2569a2bffff159e2cf7920e2b0bf8aaed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3948da3e9786910aced0ed751522ee67

SHA1
97c598bb53213f70f6402396daeab44ecf944bd6

SHA256
b61ab460f474fca7d876f98999f78a3a20982e5d4486951c7f3e3eddeb27a987

SHA512
6bdfacbd0ab7616adc58d65d702fef1782ff04d45b5da1e7b18e0a004b556e13820dea8f47c47739e43de5c3306aec2d3289f3db10a622c9826c331b31ac8a7f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
136c43d543f0af6678749d2f9f51540a

SHA1
d966b4181a55b4d42a8279e6bc91a37fbfaa8258

SHA256
31ecea1e77bf44446d9c8bd6aa87d3da870ed3f0fe5716dd3c796efb9564c1d8

SHA512
fc0573ce9e426716b02abaf5f0412597f3570bc5e8a9cb0abdb09d0f57f07a15b4879d3355e1532da5baf298a80115dca96df40ab904461f85e5377054df7d2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
15bae0738638abe96f972fbd0fd222aa

SHA1
c7747f2b397de793488068bca2d7df9764e4dc26

SHA256
55ea6c99d13eb06bab0e73b1505981b6567123a10a05f50df193bf4e44f3e325

SHA512
17d994a5f059a38a7d1cef600e653cef276fa90fcafc55ed697b82d8444df0e747206d60c43e7fc04dc1718e77a77b7958381463ccaa6a80bd2dc1deec0a8613

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
98dabcf59326a33737f7ba5fff5f5f5b

SHA1
27cba1c1d6ffbbaff00557ea843c016dfc6c0572

SHA256
f167bc6bd3863f2c4f2f46bc220989171d5d88a76bfe27763620f44478435c3c

SHA512
48a7fabad7515b86bc520250c016d8621fc74fcb1b782b8fd654934a504d168028155344666963e456e5110639fe182df4fd35a53f0258a793122dea6d5db79d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f9ac7bb9b831eeb4f5d96406e481e72b

SHA1
5dfec124960c225f1c68cd91a9ecea0deff834ee

SHA256
38354b852a5da94073962c3c532d828f52cbd0b6a9f4193fdd34ca813caf148a

SHA512
0febcf3ecd415d61b6132e034bf8d290120449c784d61bf8a621e2a769d22198dbe2b5190d517f4f658a297eede688837052230538598341243ea88bc2f7a233

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f2d68d5733d4f45b66aafe20ddd030f

SHA1
4358ba9d5d74772633403dd4f1af560cf26dfa23

SHA256
54d426b0ca86134cd231718744488044c52772345236af24fd74bdc978f0ffd7

SHA512
57515830dad1be487c7b8a219a97b2bb0a3e432a972c5861059c5cb520dc1dbcc32d50ac95d2477c7f188cc2fdd805a16be787baa9b5f16d74042d6921c9ae01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fe3b108489bfdcf993c01edadbbd4efd

SHA1
8186f0c57ff86b1317ff80ba6145c9c2a53bc842

SHA256
094036688d193c9b083a524fa4bf6f5189d8e832d89f4c40e5debfa14476e864

SHA512
14e1a1b7abd3458bc9d0fc0f3d94a8c1c406df3b000cae2b507e24de139773cb3388cbef9562887d7d281ac7b1f956acb79fb4a4ba8ee99a42ce460263581462

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
23bb336f2258076e80d0ac351e946bc5

SHA1
3c6881ce7a8af225552d00fda4ad7b0d20ee8e07

SHA256
8e1e22f59f3d6d96eb4f6119a443e902003fdf2039e29ab4732c93cc53a2cc37

SHA512
70a9c738a475e3a31f1bb3e86ec1479fc9b7e4aa2a72aaf496b45e776356393f0898fdc9ab401fcdccf20bd3214156c501199ed5e8bf9468e2af236b43a7df97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
55110c63a71827eebdfd86061ee4b848

SHA1
ecd639fc40a0740ccc3d77a205efa48860179ff6

SHA256
07085637560c056c197a65b4e8bdfd6e9c1946e4a45d155b6102cf1a836c155f

SHA512
8f94fd3a94ccb2c12768c1efcfb51c9ab7e37d60d8cd62086b705ad53d34d34cb2d73d0f3160710d5933dbfcf456d4b982f3b861bdc16febd60bf20e0176c521

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
964b9d9998ed74b840dbf04e3c22255e

SHA1
0f0348bcb30ec03bc534a1abef55175e4afeb7a4

SHA256
f8e5f3dd092266e506e8199aa3c3ebcb6af82622fff803d6d40d931c2d533977

SHA512
39a5f08b053338efc0cbf5c3bc4e393ef7bae026d8d16672eddff0135366ce0cdade160f383a62b99912253cc7f0b691b933e62951a7b4b89279561dac8f20bd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
cab181b4f38a2232832638e3cc4b4f64

SHA1
904030a656c01560e745a115867b8a5c800db58d

SHA256
9aa16e103185a7065966faece9dfdcb6f1820f6656e60fd8642edf572498a8ef

SHA512
97d9cda34110368a00ea1f727730be4745996530151a1aa81133bb38ab566f8be015e9612c17b1e2af7f15524e5f65cc520a4614636b2bf2e3ed054a73b61e00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
61c82e0676dc6fb522240f2a6900bc4c

SHA1
7f1f4698b17a07d86c96824e2740486239537a1c

SHA256
74743b362347c40945352fbd7f59bd7a608b8be494117aee0b74acfa8b6a1cb2

SHA512
4eca7fbc631eb4090a57bae6beeec7b6c394c3bcbb3b41e44eb791396b183770d59e550b7845e79e32a3d5b3c7af23f69f4caa62c74fd5e6aef3d2cba595401b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8b90f48462df63bc45412a8a0baca52a

SHA1
b9253b7fd1cfac8967161ce26a9344ebb31286fc

SHA256
59555a83e31dacc45886600976893c5c05c5b079247a705c40fd14e061e85420

SHA512
e0062ba0a8eda7b0a2e2e2dc0dd6e475a43f5bc62064a4c3bee1d0ffee24ca234efc6cc309630aa587226a1b1310cfde8e68e20d4a934d5cfc25fb8261a75a96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
06e92c8edb4efd43c7257f9fc3f6c610

SHA1
cdf2b5cc34710f7f0f4ac4e5c6ea87a77783cfe8

SHA256
b02a4641288742b317b99a40412d1f841c01f587f2e4d98cbae5630987ecfc43

SHA512
d3cfe991d6722b90e0a6a2fbde14856b6f7e7304be7649b21bd2a492ef2a7b9f23ce9f154a263456e3f70e72ef606c2416914660a306a543b2401d08dbbd3aac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2e35b3c9aacc361a8f4168860f4ed0cc

SHA1
cc5813ca0a2a893ec0e68e51d12a9140b4f52913

SHA256
312e313f54ae85ef4be4e5ed6360cd1a410db6c256ae317a580b4e1ee89f1760

SHA512
9adb66870ba7452a32e4aef599f121e40b3b352e88e2989d3eb6a0af557013c47bc3c70eb9ce13f1df57464fb087667cedfd76dd453b85051f6157e9e54eed7f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
5ae1a33779f3b1b909f8d6196d666409

SHA1
bd5928b617ff3f04420172882760f6a7aecd47ed

SHA256
8f54168649911df5f4faa8cb192c064d95f84db58b4918f7b0a36c3383964300

SHA512
ff4f88a93519075a72245c1fb142408afa1ff98f560c5c8a9654ea73f1a6179d0a1b260233a54cfb44489e545f0ac28464a11a976c3be6739e8b5479ef855d63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c16d115ea102e971b72ddd007fa3d729

SHA1
028333d2408f7d74922cbbf5a524dbe3b9a057c9

SHA256
4c673021c8d2e7f26b0296928879b6505d63733182de3198b8b778daa069de0a

SHA512
3ad3721609044598bc962e8c48d8bbbb11adc4fa33b3fac0cc3cf4efc329a141553638ee5d1ad570d473a76ff9d638825f86c9750f720ee2ae6a74de5d85396c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6a8cd3b0610f978ec3fd5a8a1b56bd33

SHA1
9f32483bef282e161e286cdd7c29ee035ee8b3c6

SHA256
7244c081b54546fa9cefa08a8a5d79bf0a48e5bad8ea950ef2153aa6cae159f6

SHA512
9124969467908d053352d0e0d4e4ec2f71308616aa8e253e08b203c625f02540e2c1ed1962bad89fda1375c7d4bce79e9f14cb97e7c424e3f74508c4f700a8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c16bae94ded7d6ff06cdc70502f83628

SHA1
b656d74489362cd057b89e49ad8c182ddb180d51

SHA256
4734f08a4a3d5fb222339c06b35ea645a458ec7414d49bc07413f0ce259899ac

SHA512
dbe39a4407ce1a6cf17511401691339f684105004719789ad5763131cbcfd1a84fa202813e07edd3796ec0165c4770e1a0d52088321f7e0676cd1bf72afa4e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
317b00e73978bbfe0dfeeba307ea0d33

SHA1
0971e0abb2ee94ffe537cb2a25aba9c2630c91af

SHA256
0bdcc2ad649c4392ec7dac79173f5dd62864574564b72404dcba7536addc3f70

SHA512
c15d352fed6949c66c62fddad8e456734306bffc1b69d2a75b3925ba835a0f28ac2902e9145a832e15bcd557c2f399b15d87f5c8fe3b918dc3eba11277b9abc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
877d45664aaa49477cc32db5cb9e58c8

SHA1
d3ee1919be28e6a7222b197230233cc4df1d0690

SHA256
303412eecd0e53c114be0bdc348d1d40bfcc7d44c82663320198f3c24a2e4895

SHA512
7ab5d726866d6d8c8f0c90b1d51f34b67ac10912ac5f4de893409156af8a92a4be7b184a795fcdcbc1ec0bab8545c68816d4801fa06138c83d1a108e456f2f1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5f1b6079ffbfc2a15c966c0e99444d84

SHA1
392fbb59243be2e897ae63e478b723a0a88e5d50

SHA256
cd066ea11017e131d50dbfa3d7e5e96fdc14470077dfc73226c1611e022e44e2

SHA512
2e959078aa0c7b5f2e1ed230352c56dfca370c834c312e518a10de8a247e1509375231f055d99b7f24c6f03b2df3c00731dec79ce179325d486a0003fd650325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
79ee7ffba1e67a9377d6bde46c42b8bb

SHA1
0c7a3b888a278876876c636b6dd6381db96ab48f

SHA256
983c0a5b10f7ef7c4ed8b5c55cf536affabc17b7bfc0c9d469d31278cb9c62b9

SHA512
598cb9553a2c6ea5a3277ecc431812d41a059243475a0c1e98442095dc55c04d1714c97c35828f04c97c5752d9f7214334095b017ca717df4b1e9784ce5230e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b64094aeee3d7f00f9d9a90011dc13ea

SHA1
b06bb3536c21fe4ab7bec002ad11e5c1ddb4c447

SHA256
63a6cf052599f8d3639a7d5f06b91651314d2b1c9dfa7abbe2e43a65185a5b4e

SHA512
ca3470199d0a9ca48371522bde0c3fbd224ba5a8f6f833c3da8fc1de04d7730dad18171f17ef1fb21abeb1c51abe4021153d2488fa7ddd01ed8733cd2442f6c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
05dafd68d85fecf4b0b6f76fe1d78381

SHA1
d9f75cb297266d000c3f6466b128729ea834fc43

SHA256
942bc3ef96c1f3ce89cc06fa311780fe11f78e468ae415ac42019b6d3e7292bf

SHA512
3920e03b8618ed56a0bb54cc7f32fdfff030f59d01edecfaf6844e1d9f302a70bc54d949a6f80cc233617a4c018b0a35ecb1f79629b67dd9aa067439e92976fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
506226c0b0fc032af2d379d80b6e6564

SHA1
03deca07bfbd234a463acb0dbf1b404fd28fd409

SHA256
53421fc53afc348b54a9f0ae2c3779a12bfff34bd47c2ef840cd8a1f85d5434d

SHA512
0a014a1d66f312273aad31572464b3afc7ff000f4700f338d4eadeba34b9af7d39130cd7dd04751242ba7337074e43ca7f9f45259f22f07e7f9ae3d40d4275ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
744cc0d7498bf8ff47d3a2d5a129272e

SHA1
b87de6faf7b14272be49f9e75b7dbc1d6c389de3

SHA256
8cf67041c3e99ed6a04a7c7014e741c01a74e3c877c6fbdb403b34392a02ffe0

SHA512
7a685d5949ead27a62afacd4068eb3a3b106ff5b522089fd1702f90021aeefa1d0be1b604d529e10fb39b58917cc6168ce954c5b00192450ee3d2d551e16c51a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
085a821529674091f30becf6f63a1ffd

SHA1
cc662ff37ab1b7f1a9407a729c63f736a0637c32

SHA256
aaf616ff9d46af1ae63b8ec2e3f069831af324744fa563a2b3d8a1591f144493

SHA512
8577cd1858c31bb5e559e3140c2c56bd5c7c42ccfc464b0fb2ff1e0b47324432590e03b18d2bfed538541e4c263ae32dd82f8d38e8865275a55ebff1fed1e72d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
203f4df937427afc27b5d53927390140

SHA1
89cea7fc79cd8ae2952fe9cc9b1615e70d157782

SHA256
a67ffda11f8341feeb1932f0558cc5a4c31a39d06724183c52e151a5672f3fb4

SHA512
8873692b61c4dcc9eef8e45e0db5dd197160f0b86cd8262140c4c84e2866b9846ec24b6a010f63741d32d1fecfb82ad791a18d1d336f15cf3bfb1d96131b7579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
02714fb6b0b04fed69aa62dce47172ea

SHA1
0d71b222c557b280fc08bcc93fc1f63a45278899

SHA256
b63a61088e1b0b91757aaea3dfb984de4f56f7e2d1491eee7b688babb809c33b

SHA512
b55c29fe2351073ed14e599c9bab2e272b0ccf97585ce2524c3e86678a9570c86a836013535cab7df81be88cdb5cad3f817c62ce732c4049468e2ed1a3617aab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
322b5e508f0bc1bd7fcd676773a24d66

SHA1
6386adb071672de66525aa959436188b62aa055d

SHA256
0cdb7d4183f1f7f19d93ec434eedff7003ad351c983a4cf303afe308d7bfac5a

SHA512
3cad8f3d70b4b59f621df1366b6871d03295f19224e7e716cd1f6d942800649cd756d4a3a059ad676435f53d7032bdbed78ca6831398486f4a5cb4cf8cfadea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f8533bcfefe22b46975e60f4e907d840

SHA1
a10770e1bd10b7f21e7411b6487b1807f7b44fa0

SHA256
d6435a01a984c29f9df1b9f1cc4995bc7088b884432e91cae248f396f4076d5d

SHA512
de1058f8ffec968da3d64755e6533bf5ed36006a97dfb27d14c2da0987eb2480f419748d42ead32b9dae4fd060360e916072d5e3639c1da453b55dee5eb41955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9b28aaa16beedd7cec176c32cf9aac40

SHA1
71e2d478c6bb8d2dc5159056d77b8ae0f4595fb7

SHA256
8bd1b4a9c70eea6f43e9fb83689b6baff8e181e6e18140bfbced448b3033de53

SHA512
c14a7aff407aa365d68a0617b247ac871a0eacfa23784de48af2960faef32f14684e99ffd2a458b5734766e1b00cd862c34170c9647a83e83efab5be1ae04ba1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
84bc157320fb1ff80006293afc5b9fcb

SHA1
8432d44702a91a09ac467597014fa1d0976e95c5

SHA256
270f70f2256632dabdc2e01a887cb86ee0456e3162aa3a657577842ffac9e01e

SHA512
f293e00532b9b759703692cd400db6549cac1ce842656c60ddbc8c0c908dbaa2756e897a9dad542a5d7af347535c16360b5b433fdda0118e2f50656ba9791eb4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
14d4ee66fd82d34fb34b656364a9787e

SHA1
57061f1cf51a66d40c85c4ab5defb72162f406f2

SHA256
06d3e85116591c278868fb0b4109bf0159cb947d086edc45f0c8ef746013ded8

SHA512
a7f9cd6af079d6fd015cb6d6a7c2a904650a7f011d3bd33615239e760003bb0f5f0c712c707b78893d89fd949fb40079a86a87fdb1e110785189e80ab8886230

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
30320e09dbc149130dc2fcc6924f4311

SHA1
a3381a8e0df58577490008d1d0d4634cf5a67ad4

SHA256
3e199f7e1618d35312ae0595a07a7e81ec4b18b48230873fb887c677bfe52e01

SHA512
a93c7adbf7ceb88b00880c13483f7751e7d7d257be849c54aca718f29e3f11bb2ead94a173fb6bf19f2d039349186cea4d27c8d03b83e3ebdcca535451141bd0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a533105b32a6f2f913fcda2ffeea30f1

SHA1
118bb25247d3fda38f4a509f56a428831c45e518

SHA256
f772e1c3cb60132291993d06c3c5a5ecf4a40320ec60e01ee8581881a38f5039

SHA512
fa1859a691091cc5b93a20a1f6d3b09b1b317877349f41bdfad00fb6c2b36ea5958d77f4ba6ff11090bd549e810aa751a4e4f10335555f4d1c04a928b7e902e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d73eb08df580feaa0324e9c16a23789e

SHA1
9ed105356a091af634fd5c2a146bdd940ce40b19

SHA256
8704fddcd7c8bd388e11097825ad58a2a56b202dcbef0db3aabd56a137f6b18c

SHA512
cf3aeff6eb09d010f7df366b69014814d6834e4a19f411b01099dc32fcf77cd8af28c1a9d4053065470b6c065c09f70df5d5739fa4bb6f77a4d2018b65233214

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9db44f0b1c73d873d964cd188cb8a7b1

SHA1
08d808914f0a1e622033301404eb43776c110ebd

SHA256
e11ba8b3c645fddd83e146e1aeaf2d0395add592a9d5bbe958c03e28758e89f8

SHA512
1e4821f69370bb3b0439a90f724015fae23585c53602931fc6e3c88f902a7b06a15b15a8b563a6734abde1621824cff93a3282eaf023b300f7625dab284cf144

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
451e00e9709794ae4e2954d3ebd5a7bd

SHA1
a1a762a3ceaa2c1ec6206dff8c758b2bf5a383a5

SHA256
5ba3b89371e1ee0a85360173a670ab80063d7b35050e32eac5e73e614501ce00

SHA512
d3afdf30399c1f9eade5d40ffa674f811bb9fe4a6661a9362bc0bfaee2f91f2c74c5e667efdd5d64b0f15e48516b5126b8db45a87a463c3bbde16f987d3f77c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1acad4574e73814711cb2cf7df3bc047

SHA1
088f9ed402aa3494dcb2b61e832c1d618bba466f

SHA256
fa3d7a9781e87af61c5a52e5404c914e75c7a43c9448637563241da45ce51758

SHA512
d1370f0ff56915e9048382e262f8bb60ed86f01b5e402c1dde3b3dd599194ca4164bebbeb9f907c09f54fa7b02c9992344838e2ae6e92150c6eb0990f63950d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
97c2b445ef52a846b52be7c5620cc9c4

SHA1
44c686bf2bd91e59ea95648e22b2e33dce981ff7

SHA256
d5f917c03e6af63f8da4fa577838df30454478adbcfeccc72a7df697aa11a998

SHA512
699b5e6548520f3f49f3b067ffefa010f24453e4d58947859bf4ec83612e2a22cb49d6a83c2aeb7454373311ab943eb072bf484e9dce159974b197c47015be7c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b74cdbc6e0ad1668b5143ef353457e8a

SHA1
cc474352dab8039650eb5b6f81f10275b5d75336

SHA256
aa72b2f167682ee2477cb67319033faad1ed333661122656b0454120b240c105

SHA512
885612b2e2c42310c32cbf0fbd268a7f186b2e78bc8050086c8024c27df7a01a11b52be3524b426108aec8ccc532b2cab49cba9ae662c132f30cf9674638b3fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a0cabc90a470c87e6e91f09ec552a47d

SHA1
239a74bf07d886c0e35cba37b54948c8f9af90c0

SHA256
47103b1609c2c56ab1eadddd3f64ac5cc0dbbb3c06953f49b8367d2bc3a4855e

SHA512
9a8ea8525fdede24cd154061bc235f9e35795aa5cdd75a55d404145f56e9a29b5eb8bf48d8cfe5a2fd1b82b7f313a39e28cfed72b083d3026462795fb745748b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dec211c662397c194d3cf7b94b374e7a

SHA1
2d3bc0bce7c4e7b6484ce2b46b6f8d78a53649c5

SHA256
4360bcc2917d21017e2827699abae2f39fd3895fa139cbb8b85ce7939c4edf4b

SHA512
41b2fb5f31dbe8d594f17dce9fda1187f9d77de340f64c4e3fb85f24dce1fcdd22b0bcda363a6e7d2f2ea4aa0eb2509fcaf0045597c05e88164f8b287eb6323c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4bd8cd0e46bee0ec8454ac833f1b0a30

SHA1
ebc49bcd30bc992a4d2aad142f1579d30a850e98

SHA256
602d9fcb313472105a5187badc542f56e44357f09d1025cb7e6a0a279f52f593

SHA512
2038a390fdb0cb23759015d48ee0182a49aaf8313e155c6659e00150d14a62e6bb52326901099415663b01b37a3e2973621607499b269ec1acb70bf83d76ec74

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c2606707124b085d8ba30b0b914d9629

SHA1
d54c34a9bac8dc1e7119058fd7ac58d1ae71aeba

SHA256
1d6ec5c8ffd068ebb33976c1129bce9109d3b0090b8429d59bbf4a221eaeb9d7

SHA512
c50b7595bf0bff88e06cf5193b3f96a5982ad75573de0721fbb49ef611027b3f2497b9669b12a4688196866349495e1a17df9f178cb35070ab158b44dd64c9a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
164b983f94b99456d3f0da652ecfc097

SHA1
f325ae8ffb43f4eb0d5aac36a700a0cab18f6474

SHA256
0e9661262344815fc69ca75b69b3ad427f58adbba3160eb2f55948c415ad3013

SHA512
f1c4e9f74f05ac93cd05374898dccb57f1f93bdb33c5b2dc3788dba9e7d67b409105720b109108a956554d8a67bca1401dddaaf3493a701c8dd2ec4b2ca00c30

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
457b15c8c8ed98de07c64a7e72f367e6

SHA1
f7edbd9d05500d024357c942fb6ac8bf636c87aa

SHA256
d2c904f792cc1a87f2b341edf308cd9c3adf9e06730d8c2f3b7049e408fa0951

SHA512
8c26bfc263fc2eb3154d977a792b2b6329e08c7fb2959ab33c8911445b5a1dca1ce2e35a7ac5656800b38dc9b1554de01c6bb88641cdc3e6b5e31dc2ffbc8098

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
53e1938f02cb24464e48cedadcdce0fb

SHA1
5eda8812475168695e8ec982de5ee4cd47c6195b

SHA256
1f7377dc63a36658183eb2ea80141d55a9760c4c514cf8eb819e3b8ce77ddf45

SHA512
4ac5b01a7c63cfbecedaef9f7e3f9d08c112ee97d230cf594a7aec2c667537980eefb00a451dc27f0ea4b522a20de0937f3ddf61ed5399297b2a5ed1bf2a8f4e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
76b6fcf601e8f4535ec8be5a074b2a9a

SHA1
1943291b2e2cb411850431dabeb12aff0b12909a

SHA256
04544c5d2bbe847edf7ec1d85e8a6ca37f0c0f611500b12844b9401d5cc2ae6b

SHA512
e2edcdf2609c069b64f22f2f84269c73c08ac416f6320e6030c39f83f1328bdde2b836371a22bada52c7952040dc7db59464b7a7511900dfe6c895fa7831e443

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e239ea93a7c93ec829dbea055fde654d

SHA1
37b8bebd02ce80395011c1f92681115b74d64150

SHA256
1929a6d15ef6ac153716d537a2d076c12e3969bc1052cb392f2daf02981f9fda

SHA512
8cc5e64578a9fd64c23346978307362fffe8711d7388bd41669593a193ff9a426b3c776b2bb3124203a436b6bab4efc0ebd0ae7a663e9a43677bd1a83eb4e8ad

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
df2d5fbb0a48c61c89712a10646baba2

SHA1
91e3c65128a9eed3ec384242eb40fe61d6d8274b

SHA256
56a975d7fb125fd1c4f97f8b6bf6f6fc581873b3ee52c70166215093205410bc

SHA512
e1f32644cc2f2fd77fe3a694064ee958b42a5ad8970fa4991b301f82f614036acfccfe38fe4ef5a2eaebdefdd560bd4f7534cc1a48cbc34b97c46ec742e43834

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8f94ea1fb4debd3c67bb3b30c7b6efe3

SHA1
34d3b3b63b2c4bcce655b2331f086c40c9570264

SHA256
a67c24913c3a125b4b239a863b4425308123606d30f94e8eae9dcf5dd40fd84b

SHA512
e8a126095a2114e845c3f6fa145f69ebea4b9c973f52e1b7e2fd6214968492e73634c5ddd73e96dafa3e7c806c44af5bba6b0e213a945e2497562c11e75a02e0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
85b75b619a1def907754723a496227a8

SHA1
d15992a54a8f934a8896b4e8c930d482a208a934

SHA256
f731f2ff84c835aeb11fe933efa9c1d659caf7e34b02f646ff9dda653adbe113

SHA512
ff577e419f63b0803c0ee62fab8bb75a4ac5ccf9c2291943597bcb6d70d6f02ace1faef8117753768c71d9cf98d94d8591a4740bcf6d5947decfe369eb96b7fd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c50277489bb8b37de10598bfe84411fc

SHA1
3b18624cfd3755fc2323a5dcaa10734cfb2df7dd

SHA256
a1a432b83253d07823a2dffb63d019a257c1ea7ead6f1d8a829f481e6cbfef2c

SHA512
3e5f85711c993889fa7b0dbcde7f5bef3e1da4870869b2664fb2a6b185f8053ce24b3ad7f748c953aafc8b2ec449a22fd8c848ada6440e04cf622bfa013cd77c

Download Submit
memory/220-73-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/220-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/220-84-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/220-79-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1460-251-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1460-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-58-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1472-177-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1472-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1472-52-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2280-126-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2280-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2280-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2280-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2480-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2480-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2612-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2612-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2612-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2668-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2668-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2668-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2668-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3148-154-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3148-327-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3260-110-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3260-215-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3556-138-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3556-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3556-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3556-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3568-7-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3568-108-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3568-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3568-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3568-448-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3568-0-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3648-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3648-239-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3696-227-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3696-120-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3932-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3932-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4028-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4028-97-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4408-549-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4408-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4408-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4432-188-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4432-432-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4460-550-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4460-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4728-260-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4728-552-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4844-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4844-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-190-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4888-502-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4984-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-551-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5084-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5084-553-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download