52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
Size

1.3MB
MD5

501e276d8b78aae316630f118fc794c1
SHA1

b4c77f49d5021dfc59a845ab9b0d50d05649748e
SHA256

0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0
SHA512

1f95ddb6685c21851548a1a999605d9e17020237f9e9359373ca05dae628b35baa20ab6c5fedca3682a52179bce8cd8084617068284c3785d03a3b2fc56a3241
SSDEEP

12288:BBniJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:XT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
364	alg.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
2632	fxssvc.exe
4336	elevation_service.exe
856	elevation_service.exe
884	maintenanceservice.exe
4196	msdtc.exe
664	OSE.EXE
4168	PerceptionSimulationService.exe
476	perfhost.exe
2656	locator.exe
1304	SensorDataService.exe
1284	snmptrap.exe
1104	spectrum.exe
1620	ssh-agent.exe
4780	TieringEngineService.exe
3604	AgentService.exe
2848	vds.exe
4032	vssvc.exe
3672	wbengine.exe
2212	WmiApSrv.exe
4852	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\System32\vds.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\locator.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44bfe28e7cad7dd2.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92812\javaws.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92812\java.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ba178097d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8047b097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000530b0d0c7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb8d0b0b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deee2c0b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f203020b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aca41097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2524b097d55db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe
1728	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3652	0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
Token: SeAuditPrivilege	2632	fxssvc.exe
Token: SeRestorePrivilege	4780	TieringEngineService.exe
Token: SeManageVolumePrivilege	4780	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3604	AgentService.exe
Token: SeBackupPrivilege	4032	vssvc.exe
Token: SeRestorePrivilege	4032	vssvc.exe
Token: SeAuditPrivilege	4032	vssvc.exe
Token: SeBackupPrivilege	3672	wbengine.exe
Token: SeRestorePrivilege	3672	wbengine.exe
Token: SeSecurityPrivilege	3672	wbengine.exe
Token: 33	4852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeDebugPrivilege	364	alg.exe
Token: SeDebugPrivilege	364	alg.exe
Token: SeDebugPrivilege	364	alg.exe
Token: SeDebugPrivilege	1728	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3940	4852	SearchIndexer.exe	110
PID 4852 wrote to memory of 3940	4852	SearchIndexer.exe	110
PID 4852 wrote to memory of 3176	4852	SearchIndexer.exe	111
PID 4852 wrote to memory of 3176	4852	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe
"C:\Users\Admin\AppData\Local\Temp\0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3940
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b7d9bb816a3ffeb6af9ea2bf692aa26

SHA1
96d26f3d80589c7e22e3913867cfaaf7ffadc8d2

SHA256
26ac552fce99d97e05cb18e8a8321bc609f119071844dba32a7905a02c6f6d6c

SHA512
137fe206560241843cb39be7733da7b351e20f6db4427110ba613fbdf836f110f1e649e13c246b1bd9985d912dc21cbbd53cc864dbaead7a41041bb681bd82bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6b7bd56ea4977a99f451638b969d2bd2

SHA1
ac41d009e7ec8d6f54d1c28e95963dbc069f5bec

SHA256
a546ce92f31991aaa694d395651e243f49c4a136ae54f65d618024437c5d3834

SHA512
69c888a79a96f0ea1ff40954187387b37b29fc009164a392463ce8b4106df83ca3b1d7fd415c9727b3dc11dd8125d69bfab51365dadff258ee08d6ec1ec5e701

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
02a4f0f23b177ca5605906e5d574b64d

SHA1
4f6827528de31b45e21ac25ff83d4444ebcf492f

SHA256
84e7072ce44236a98f6331ee97eed6fd71beafaffa1be590f7bd1a7023113761

SHA512
ed4e5f2dd64f74f01a09c1742f5850e6f0033891b827ec4c0277d52fd5c03fb9e672bb2f740d406626ecaa22a273863fb4f4456cea37d675d732f658224d55a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a91f27de581b8754003ee59d7ce8eac8

SHA1
9b8302b37fa0e4047d2b6ff50544b1ac05560f86

SHA256
7456187898ce9f3ec60ce386f405c595915954ae24fa451e56ec53927bf08689

SHA512
2568c279037447ad87a3c4bcf71b38765dae66ac57463574879cf142a97d95b6f2dbbcc10b74d7dbf1d2ce3c0d9c68bb83cac05c37dee20244bcfca465281cfc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4c0ce0741fcc654470a405d6d3cdec57

SHA1
d08cf60c4b46af227fa45082bdaf96c46778ca8f

SHA256
6c22d91b750e75c6a2c5a53b438a0d7675500f91954b1934b5d3cc5cbc1e321d

SHA512
43a841c23203cfd2ad0acb8cd08c2466f9bcee3ca5ca0c632e8f3ea85434b7bf46a3a38ad0f1b0bb38a8efe70dd1e8942e723a00bc2c044282cbcadbc3167b98

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b938f5c4df6bc90270ce89edab2ab0b5

SHA1
22c1299fc0633e05a23a6cb557b7b2b12279529d

SHA256
4fb6b07569e802a3fbe5aaebc209ab51d8285dca5fac618c93d988a9384e08d0

SHA512
d34dc713edf62b1443fc15a7540082fc2e39a2f72d456fc217606048188d753e88532abc6ca78b816cd51c4b78f9c364dd298fa3fbf1a02e4aa07ab00866e0a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
1f27cd38ca08d7ee5ae58adf29adeb5c

SHA1
01c35ec1f05d91ec21061c184ea8c57396e05ed5

SHA256
2c22b0a299c25e6bdca9092c0db384e7fb5e5921c93e341120746cd758bc1c1b

SHA512
c4c8328b92c2724e05680345535ab321829644d510d7314387798e2b7626d447ef259a45a8b4f26548d3827798ab015f7135473c0e2ff82f9efdba3e1e01ade1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
507b8d4b1f918eb1597b38c928f485c4

SHA1
45a9782483c21ace67655b4eec5fe3b3afeefc2e

SHA256
f235301baffde59d11b9f77efb09fd1cd486914366006db74529ac8efb8791e3

SHA512
86b3cac253b500276522fa65043162e3ac8b946ab39efa9cdf0dfc34e34b96a2a716eb2d932d1b59e292c09d209601b16e43db7b2673d79baff5c1a4a773b01f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
d6d5693f23d22ba853af39770672d39c

SHA1
741d85eb4b302341bb942945d5524b798adcf8b2

SHA256
a66bfd14a6a0fcee552fa16fad7db5e3266bc0e77efdb0da87cecc74d5b79e26

SHA512
a7ab711f081934ca5dd03a5253571a553e2688df7c9cb894e5d19c4d25a915336c4f98d06c7848736e3e3934caf92dfebeaf97bba86d3da5aaa195cbc552aae6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4ff6c5711a146e34bc67ffe064234261

SHA1
e033a69a73310679c50979cf14bfff8bc62a3371

SHA256
8f9dfddfa393cb1b9131654efdfb8d27b67d6daba7dd503c0d8c26059d850a8a

SHA512
29b4bc60b542324dacbd87b0ee23adbf3d1f0a4bcf5450d134ca7d64a05a98a1a4c079a84126f4d529f3a03b7b6464b9762017e6f73f94fbc1e643ba851a8af9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e38a46bc86395626ecc9ba3dd5888c45

SHA1
0948eaae41aec4b63d24164b72bc47e4b0a65b9c

SHA256
abcaeca4b932be89d8dc4de4ff7522b8677476405e00ae87bf7a0035449c8704

SHA512
ec4c2ee53f38bd5f1fe0b498e38677fbc3f5681d376a97331fb0aefd0905a43578e445ff9c491735e004f0fd4639012b34842a53d132338e8c719da8e83c7ed5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
766754cc1ff4ae9b66c61a0db3705ee8

SHA1
ae4220a029d16f18aa7956b5866d495f1927a738

SHA256
c9ebd07dd6e260591088c700e67d530e3d8323399f121a738e40ca41e23f6dfc

SHA512
2d2cc4d610a6891128584d06304a95995cb8f5c55b083cf87bade5b196c5a3ad67350aab1871c651ad69bc6d6b27bd7c4261fea271d9e981990382f286f9cec5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
24a4a09f36b08acaec1123d5286a8acf

SHA1
2af8c5adcb10ae8887b72613e5a7c41a83789e10

SHA256
09925552356e8349d770a072f9744ee9f8ba89856d7301d25e04af3b4b1b10c8

SHA512
f7b5e5837d627e135758da37cc85f10aad78a2d875ada4dfb9f12d1be0792c72e6a32c195fc06e388c72f1efbde4f5642c303975bd10fa7f5bed53651105c378

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
673702478a3d9f98b1176e3539bd43d7

SHA1
5360e287e99dc886a19e405592b3e2fb024ba3ae

SHA256
f3eda354a296e29e5183be43b398f9aea8fc4e1ef373c5b7e1e7690d2ff033a7

SHA512
3afb8316b89bf3cf5afc82044982118162e884159ff0e07378748f5974e92d7e52c5844c65184416eb307649481186e7d12ffd777aeb3dfd55ecf520bbc78631

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
447898f43a81c18742307c473ddf8625

SHA1
29147a4dca3a9837d7d8727aeb320176d48e23dd

SHA256
4677e349fe2e1f5c25884e6c07ac10155ba83482cd1891cdd5c24059bc8dc274

SHA512
f3f8629d9c52c97ad6c47c83f0569c9def452226e6e07c5a9ad2eedcf1d34dbba1989b8ecfe52f0efdf1a9bae843097a7fc1cf84dbe8cc5bc0ceff4adb3493eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f83b0bd64e68d20d64b95ecace570eca

SHA1
0257c77cd1ce4e142827bc993c55a0a5e5352f0e

SHA256
174272b49b01ba4d73c2ec9982a7a56e02742ff55eac92835969198b69bdc194

SHA512
9fa58a36f98dee0c82e777076e5ab622ba4101f05e95d6461055f5fa362d068bb208b4bca38f4148e42bcce6c979aa920a69b6b95295a6e45b1fe2e39372a49f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bbd94c5f3c4cbb4985ef5d422f90b23d

SHA1
afa3c8aa471cae1cd1c296b1a1650e435f220780

SHA256
3e5080b39dccf05a5a02403a2e891d6b899ce682e8c85a43b15223c48159cac3

SHA512
f44a144b3f32365f98f98302848c33c036432c5e88d305409d035e82c22cda3c4d901b840c467ff2ec113636c990636b59ca02720e3d2e598c83b0624e3de8b1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a56cd2bbd8ec7185aa8b3aa5c2c2ba60

SHA1
b78937769192b5134ffd74e3e8392da02850fd83

SHA256
25e5405cd49b9bafb12b5abfc184183b1062d5c4660b51ad5e766609c0484d66

SHA512
822cc1384e211eb9582b5bd75de9723f0f787eb8d50bc2565245e47d4d463d1ef760acc3731e8ec79fdd9d30ca7a36106281c7b8735ad03e1b0fb6aa9dc57e45

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d22880f789c66329943394297cea1bc2

SHA1
67b588b2e2df47d3d6967eef3d945b822a11a3ea

SHA256
632c0ab2da4add7a49182cb9872bf9d798c66ccf02ff406aafea9e8fb8df4033

SHA512
9355c02b8e830a08fe82bf3057fd72bdf1a56ddd388fa52137a2943fa57a679a16554c75048d7e31636ce27767903d47260a248f02be2f2c65082e59951516c4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8812f175bd62dfbac92a37bfb6f436e8

SHA1
a39662114ebc4915a7a407516d9e8d397d1208d3

SHA256
d09a9f2058e420b2b94fead53022c2db4b38409683f79c67a330909425bf238e

SHA512
a310f2608ec60f97169a491a36ce5a3848ccd9d4702d1c7a47fe17d1ce1f834e8193c1aec595dc62c345f31da641e035a1e490900e7f4fbacb7e77cdd00b7d5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f13e5c27ecbb02a2c1fe0da84b53b529

SHA1
97efb54442741f75e6122f92f9f1ead85d0974e3

SHA256
e31ad926ea7a094fc271e7fa5cfecccfdd8ce7a38e602435db5d3db549881f06

SHA512
82cd24970b820280982f07416c1d289616200ebbe771b33d514fc20737c73ace5874a940abc4c37fcdcd67113631c9516c5c3aa4104d4e34a26b658324824f93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e6c19150e410de15b911322630e69d29

SHA1
febd0320edcec852cc20f173d67bda955c7eb780

SHA256
b68a4b0f6a60dd5932c0ea69839010a1352d0d9bfc4887a05256c3273447593e

SHA512
b0387f216ce877952d13649dfdb277be8aec72b2ce89f6f2c8dd31ac94a32fef35d6a2da1107835bff27ea79aa3ea42a4375f1483cd920c0de4f638270988ffb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a350628f72fd2167828c66a9f68459bb

SHA1
ead216a70adb2a19ba94e0a4fe3e7be3c664e614

SHA256
d2654c4ca88f8a5df95f49236efedde0998b1b0786b292670c53a18c5975ffea

SHA512
9c96ee27d8130b8e52991b19df955f796edcfd0fe9af5d8b75ce959fd609772ff0c2a91a58d8efeb238e5679106019dc901be465c72cdb96c1b37f31c3752255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
b760d0b300ed56099cb4cf83a5805cdb

SHA1
378eea5f61cce83faaa209fe3761ea617f033e61

SHA256
9a82d065cf47d3996ad04d3e2dcb67556dcec5f2ad37de3ba0848ea247feff52

SHA512
2c51f2d2f7cddb8f6112ccb6677a8cf5dbff67879356b7688c21a5a90c74ba8c3e83bf09377722eeb1a11a58062e0678bdbc217e9c7679c6e48a685584325faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3c14cba0f7b8c4cb0d36426e43a2e02b

SHA1
40cf4c42a4d7c527dd1e9e2550d6b4dfb7b93207

SHA256
f7901323548d36c4b274cc80a8844869376ea077ef2b8a32082d9bc9cee9819a

SHA512
146905e974326849e42e7a8948817327738dea43a6f5791fea8bdbbe09023f08ae261000a0a9a0abf8d61d34776fada9fd50bfad452004ea661301ef802d54d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
601a51e9cfbba9e8f5c1e6c80a6795f1

SHA1
4bbfc41d33ecc9ce5203d0d873ed524a66a1cfd9

SHA256
f2894453cbd5ad0e6bea2a5f58ebd45986ae6d689ece5d551acb4e2fbd7fcd1a

SHA512
fe30b6acb36dd60ea985e80f33b60bbd9cb652f35e2320a16e1eccea1163a0b8de589afcd0de9a9ffa71d5e591f21766c77576ba3279bb89219d6feb8c27a88c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
030901b6ba0668075ce44dd16fff231c

SHA1
99a8a96992c0d435f24af8f9a6225ed59d7a02b3

SHA256
4005e1e024c3420d5cba5fb2c6c1581668bc35211e84042f61aa4843bf1459ec

SHA512
cc337397c98f0f0647d19bd2e82ad3ec321087e1aa530399a171f6f3e157782e5f334dfece3dcfc110c9000bdc859a6e28255f2dbc539b3e1f28545cd0d75c2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
171db25765025331a200596900e67bcc

SHA1
07878ca8ec26ec76402bb9a82c70d56055a866ca

SHA256
d029aa1a82a56e15b9304fb3621816e92e305d11d9b14a6a504ea96738271c0a

SHA512
12092b583381a80d14998d5f6e4fcde0222c07cfd741ecc0c6f6aaf01a06208e80e3e5589913e4a6a92725ec5bc9d41e2f06466fd835b5eeebe32b659de5830e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d883df26f0711058ee81ae094f25017d

SHA1
2299825c11ad11587319e2e290db28683e0fa614

SHA256
7b83e150d6f07ab31ed61e3bbc788aadab3ec60358d1748df94e734c03517b90

SHA512
e605e3dc8b1597956a8a508b98dde5b6b8f8f1488f3d5e14d7580cb9c912501908434580cee086c5f1007fd6059f00aaa12dd800e7b3cb0b204dbe0126284f18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1c47b05814353a8af0ac8607fe681f5d

SHA1
d5640f779942bb4a4488537e01005db436a8f99c

SHA256
acfb83e7a19281f7950524a3da3c0ceec2d7fcaf6c4516f57b56512e2cf746b5

SHA512
8c625bde23606814dee0cf225618c71b5664a6579e7c31e5f825abecf5806ef54616872a509c10333f8b80b5dd4db66f4a23d8ebc4094b3ca30aa6120e45c5ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
62967101aefe70aa89f673978448b54d

SHA1
b12bc663fe809539702e56ad798ddcbe28051f49

SHA256
394d4929cde9426e0eaf338a556033277ff869d3af3dfd06ae7b2a2909e7e32a

SHA512
c7c450e1996f8c6351d1eeb7bd4381aab7af0af9afe7d881b553ee637e59bf5d5e3414f79495b0ccaea5022333595c81e5727513a4b5ff302954cfea47df171c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2c6aead6fbd748dbd584365aaa0a1936

SHA1
54e56ac7a322c5a6664c67441a5a38dc503440b3

SHA256
8bcb11b9d62ab1009f6d149d4168bc4d9d6e9d3ed7a2568bfe3c8ad69bc530c6

SHA512
eb5724bfddb6603b30e2846cabf9c4ae89ef5837d606694bdd63b3de4029800c8e0accaa2ecf5eb249c7779f6f761a75c527adbd1622d21ec4a0a0fe665834bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6490508abc62a4fb68ca1199e8c8d3d0

SHA1
f61b442ad42ba0623f4c3b78a5daa703545ebc50

SHA256
56d8e20d347f70ed07686a245f7bc44c92067ff1f4143c715f1add8b75892043

SHA512
35607e5357a900c0dcbd1969008936c999d33edee2d02683d7a6119862e246525807466d64bad645f15f5d799e5534afc56c404aa6c68a09190d44d2197f9b46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
f8d25be40a5f9829d4a0f42cf4f0ad93

SHA1
944856af6d1a24cb9521bfdb00f845964f22777e

SHA256
2656b140227221b0be1ed7a4a22af326814d187e24450706a8ef16a32d05987d

SHA512
4302bf63cc11d30f1ec82d281bb337b3217a20632cb6fb2bfa33e8243f304b11a7ee47856a7dd9ad8e3419770d2222b0713e5b996e6210b5971bba88b753f7bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
5be36578eaf0a77cad706da3e0ef2040

SHA1
9c18e5c442def73fae7e042478a2a3576d74747a

SHA256
1ee0d030662a73855cee8515ab64e1d4781c7a51ac65d332f0116e8d8fec5f1a

SHA512
f3bda7d42cf9cd0af6eb625ac6437bd88fea2974c5c9c3d27653cf468bf32a6ec94ff9986b945f8cce7d45c42e26e1662109e3c5825cccbe1d27826e2f32e4a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
66584e938b1f678e3d47fe5bfa356759

SHA1
bd9bb9eb68f71fa77997a5a9546f465c82e7bb13

SHA256
30c5c2f9c907282db0f93ba8c1162283e3fed327ab70121eb62669f592ecb924

SHA512
c20f969c4bdb50426940f3b043a311ef33be6653ef64e5eac38f960de7bb8312f69f75bc9b034f2f7ba1a6dcc82279d6fd3d743f1b8891c4c443aed6a7ac9c2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d45c645b7c382b6b6f7fa7884f09bc76

SHA1
fac02d51e995910e09c662faca534ed293acfae0

SHA256
619b0f6928aca13398f2d2d2826435fe3ff327e33bd15ab21a1827526ed53ae3

SHA512
cc3662545a4661ffa38f49e96d37c742d4348fbc8ce04cdaac3d3c8a91e8e80e57afecfa402e1349b528b93e4e3c2d110bfa3777379edd3e1286febbfe66fd16

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
85b39b377fe05a181a48a037a20a44b8

SHA1
5c3df20eee4d488b4bbeb584ded50c9f9f795993

SHA256
4656b929134cd4e068604f65f8dfaf1c416fd550d9dca7d8ab178b7cd321ff44

SHA512
503110c3b43d194150de88326de047bb0aa9e0e986f4892e0ac9185ca70517e57b409b0703f815a067146f6b3a2b41d98b7fa5bbf5905cc10e1b513c3887f144

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
a5756e7b45694108b2cddb0ef5147349

SHA1
b440c6f0c1b755dc1ab3943eb5aae96476df58d0

SHA256
4774e2986fb81b2e3b6cc6c40ab734d253c7f62d6ca309d920c3412450694d43

SHA512
fc33fb4ffd8305ad410085db3b5d8a00fe53da5b58dbcecab4aa19187c919c3cf75ea63dddd7b98653432b95f83934cb811fedf0a7f0d6327ccbae2ab9bdef13

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8c81c2c49cde7776ee82eb73e8dfd48f

SHA1
31a468f1a260c6e44752f72c98e7d6171634697b

SHA256
46c83453a75ac66e369a56c54fec56ed15c0e5d38d3bdf816ec630f39ea8dfa5

SHA512
047fe0bab5b9dc0385a8a0e706ab7186ce72644195ae15dcfe02725625a9d07cac79a3988722e100098a5caab77daafe0a753f8e12e7cfcbb34e80e2f4b29f99

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3d3acbc2792cb394860f2e689a6bceef

SHA1
b4fdecbb56bdf678dc42a3b24afb36b331826b2d

SHA256
7fcf0d86b8c8b7a52c34c1ed13e56c51102ba3774af43e089cabae41a45d212e

SHA512
5de6e3bdfc7e580567405a79ea753e926fbe180950988e15887f81db16d41c36c8359c14a342183c38f7660ca2053fdd1894d2c91d805d9b24571807c7291bb7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
80742091ff69a204107d300b1cb88792

SHA1
0b3e146ab3854869ee732324608d9b01b1c3d5eb

SHA256
393865884bca3811a366e02ad3b1b03a975a96cc2b0c59cf263c2a5632ca1526

SHA512
c88b1affa7013380af05c60909c231a09ab1b0231fca686a75906d4fbf4bae0a1c1303f901299f01cb28371d4702414a1cd16d2ffb8ffe12f06f92987498cdfd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
58181dbb4b4e91e417a6528460776591

SHA1
3b1416ee0db1d8aa9049ae8006cd1881913d6343

SHA256
9d304e831270b406ff963beeb6c148c40299c8355b4f3f934a9fc0fafac7f352

SHA512
00a7afe79364c30fd63fb648a4143364d942c5fef127dbfdcc133e45a046ed14cb1902f6412533fd3385a5c04ce5b6aa7ab10761a00bf26fa7ccec8cc08c883d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
37b352ca0cee0fa78cd3fed5099230a9

SHA1
e5643304d196072097255177d0a4a94d70254e7c

SHA256
2922da5a21bdbeb9c4a4c7d8b4bd75ee72333e2c261e76d69b4372f0b4299d83

SHA512
4684e8bfdbedf2cc1bd364a2510c50035dc15fb83f18fb927d36f17f7c060b123959ecffbd1d334a96236911344a5c0fa87cd2541e26802de9de5435039f54d4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5c62ff6d17dc008725b1a8f2e5ba24a8

SHA1
7b0e5d20010f026111be3baabdc02761795d35fa

SHA256
8b3dbf03ec5b51e58626e9db17f310ae6be6156f4cfa72899c0b2d8d36c13790

SHA512
63b1d7aa39a24eefd932944aa70bd9be6eaeea4e2008caa90b67cbb55298b41e100676216449158a243fc3438cc92911003769c71d2cd0eb6b8d07a51fb38ad3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6d1405c193f1d89676d5c00515fa2b2b

SHA1
39b8285dc0231d013bf2247b1bbc9b1e07073451

SHA256
3dd311989bca71779b9b657ff79fa13d1db50cc238fff7b5ac7eb90e150880f9

SHA512
0c13f07549a04ff2092d696651e3386e4a87c02ce4c6ff6521792f2907678e0b8be85957763961823189500251b092b04350cb0fb345f8bfa7917d9087988306

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e8b3d7707c515f17297ad3bfcc57c13d

SHA1
85d2f22f1af2e698d5e7c042f0e4aa21a4cafc17

SHA256
2236ba70908406ed6d6b9ad622d48169b02ef5bcea681a3030793686e68249c2

SHA512
83bcaa6a1bfe7c5245580165bcba3b47fc174caab0ac089e529cb42c1439d74cd710b270b3b889a60b3b93858e60edea77a36a0dbd67e5c9ba2c1575bf22a25b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c5c184f5f6126dabd61766e378f01a54

SHA1
df87f5b7bf250503e6b99fb77e64fd1b93a84208

SHA256
58fa48f512c17b2558588fbc4c5133fdf588553ee80b479575853a69c987f47a

SHA512
2c4a8d87c4a73dd2235fee9f5b2cc86992d04f11067052c55923d10e455a98c95a9030b037ae29a4bd0f9acc8d798cd20255a5d6567a255419a6094960ac5b21

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
869d66e59dd7bc60ea8f32ecff2464cf

SHA1
c2125450cada786dc715cda9a8277a4b8669e311

SHA256
3d585af3898fc9cd9bd2831397af12d42c9fcd6949636cd7916cae17bddc7e86

SHA512
d8c8c01bd66962821d233e4b93a5facb92b47b5dd502e4259ea3099720b41950b02102c960f92549a0427ec513b539ddfd4a0ea757a750421d776fd785bed5f5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0bd32f6d8fa2dbed793a0c156160873a

SHA1
79e4d225a72cc9d514e648ada9dabccab17d3e35

SHA256
1c7d8ee1d2be47e56b3892798bb52e9e4b12e26f2548cb2f75b495435b61230b

SHA512
0357b4318639d7ad00e85d1bc2c3815b2240c102ddaade1c5807c5c92bd751b1477299ebe6f020a3051b1033cf7896d466bbe091d2edda0e7495740e0732de8d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6f8d98eb60cae611717e18b18c8f8503

SHA1
7b78421f7e6263199c739af66965d77f7c25b38a

SHA256
6f01f96532ce6d748bd24c63d4eec2ef4f51e7220cdb6284e7053016accc2db4

SHA512
2cc94ae101958e4f3702168b9616d55333968899b382c0cdba8eae3353c4d3fff0a5cbb9ab756342d7f57c9c7284d35c0c34d4370bba54974d89b85817667714

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
db22d4f7e382750af030b45f16ac2ec5

SHA1
86f70f4de182768f2a8ca77448ab240ef505742b

SHA256
c2c3e15d6fa1ab4d528ba3ac1911259520f9fc915b2009778a58c8976398f688

SHA512
a3150bc24f903e781029f36d3fc0b1a065a285071f7a19c2880f991df5a22f16aed0fdec9ca65651f5c57958c605a0205bfb8949d61c34ce006bb5f37444abb1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f9ae5fef39b8e6495fad99257e8ece08

SHA1
3506278a2536bd70918ed957a7ac6d46d93032e8

SHA256
0d6accd6e0025f6f612c52ba75b23555432425e3b12eaedc4c26eaab59819017

SHA512
3f3ed49e8a087ce12dd04910c7dca1e91f8abdcfa20b644d21c42734aaebe30c3ee9667703261207e8b18ac0fb1f35b65701063806f421f137c9bfe6b0051364

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f0a73e7bb3421329f3c3db583017aab2

SHA1
2eb28c4e77b04da417357e18d87b2860c0df5d80

SHA256
f580dd1a3d1855d3587b2073ed017a9ae13bac2cccfccc64e9ea74ca5a8cf19a

SHA512
afe940da11d2f21cdae07b87fac53f96e03ee566eec7eee7e9fdd699615469be8e0d8574867bd229f1492043f217f04f0107cb921ff8c0211f7edc0ddbfd4b6f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d09672b46f3003ec71714ea085b49fa1

SHA1
837b6c87cdf609985234477ce1e38af73212ff69

SHA256
02906097687194c2ba91b86e703487aff81b8b5217c78957d4ff7050d1a75172

SHA512
403787ef1788945e40164982bf23ae8b24031ee31c88942d61eba5dcaa22d85607beb74280c404d1b6d515169e1504a9f1b2ad59a788170eb29fe172f50bc039

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8085a7af1a5f3dbe1c444c3a10c0ec84

SHA1
20f54296551739646e4fdc36a6b099242d507a5e

SHA256
3bebb4b3dbfe64211edfa2015ff621a17e0c4fcbe7b267e9746afd0e78550b3b

SHA512
f2850d596728c37bab9f7369a20d3eb5511e1b7d4c1eda060caf6f5dbff2bfd70156b6e82a4e03bdd7e76fd0d0dd463f3a4ff91c8aed65988c080c6c22d2e5f8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f88f15f4930205a5c4406f5f41266567

SHA1
3a8cfe15dbe3c96a32e7b8bfc6e2946b802dac25

SHA256
24b627164df57d74572db7449f32441292f747702a90b859cc13db8abdaaa28c

SHA512
81fe614c83521e63928c96e765ab870877a0ac274001e38f9acb0e3850647c0e8c1d5af8e33d90ae3e32d948fd527bf71fc7de7b71bb754992c1724760ec9483

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0bc507c9b6d79949d26f855451167e8a

SHA1
59138e4d0f194960b1ce39d412552b228542318a

SHA256
37250b03747abf27fab58d1e1cf5fa2bf0521379a056f574537eca120fb8d4ff

SHA512
b6ff29d8200fc126c6ac320d4272ec08e5d60d44e2bfd53a87331a5313f431569310be044364291b8142d1a8c7c1fe899971e5c4794cd263a050066f5073545c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6b41f71bd5cf22a1b961a71ff1ad2342

SHA1
ca0e0b40cd8840574fdb58d6c6f302a31837cdfd

SHA256
0b5aac0a055a9fe9db3d687cad616ef0cea65ab187cd7f10459179f8e51ed52d

SHA512
7c22ff902e87eb60092f6f4f1d72b9fed0a9057823c5a2722359ad50c79cbc8f19233085fcb65ed4e5c34349f1746996bdea2d462eaf3572e36bda8e7cae8dcd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
95763d3921500faf71f255d17d3d42a1

SHA1
d98873021162a21a6764e4a4dfc5c30e5c82d84b

SHA256
81a6339ee41c3e71b042916188d2b278bf818064501fa6c760bc22e952e62716

SHA512
c9cf71dfba1a0620e41b358f16db4c95f7c9dd0b41d81bc450a829f08de85e17b212962d6c4c438c717d146edc1be3726ea60d3314190100acdf9ce7fc7f1bc6

Download Submit
memory/364-99-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/364-20-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/364-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/364-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/476-130-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/476-240-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/664-111-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/664-216-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/856-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/856-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/856-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/856-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/884-86-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/884-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/884-74-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/884-80-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/884-87-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1104-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1104-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1284-345-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1284-163-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1304-615-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1304-253-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1304-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1620-446-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1620-186-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1728-26-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1728-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1728-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1728-129-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2212-262-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2212-616-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2632-58-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2632-45-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2632-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2632-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2632-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2656-252-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2656-141-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2848-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2848-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3604-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3604-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3652-0-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/3652-484-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/3652-8-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/3652-82-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/3652-6-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/3672-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3672-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4032-579-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4032-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4168-114-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4168-228-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4196-100-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4196-90-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4336-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4336-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4336-55-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4780-199-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4780-527-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4852-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download