d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Size

1.2MB
MD5

0f4fc02d5dd5e92e5d831a879902db9d
SHA1

1e5491a355118ca542596d6394f30102a9473e4b
SHA256

d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839
SHA512

eab8b28c7753ce8b4d0fe48342ddffe68b507b41d6578ade5438c326c56612c7e4f4c16b4b08b9b0d3be808a4e7e9390d53459dad48fbeaf772a9459b3ef2f56
SSDEEP

12288:iuMYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:iudc+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5024	alg.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
2440	fxssvc.exe
4724	elevation_service.exe
4532	elevation_service.exe
4660	maintenanceservice.exe
2324	msdtc.exe
2452	OSE.EXE
4732	PerceptionSimulationService.exe
5656	perfhost.exe
5688	locator.exe
5768	SensorDataService.exe
5868	snmptrap.exe
5956	spectrum.exe
6092	ssh-agent.exe
400	TieringEngineService.exe
5168	AgentService.exe
5268	vds.exe
3952	vssvc.exe
5500	wbengine.exe
1280	WmiApSrv.exe
5824	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f2698da4ab059c5.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\locator.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\System32\vds.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078fbbec8f786da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2f2c4c4f786da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016ddecc2f786da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bfc64caf786da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b8d5acbf786da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c26b2c1f786da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020b4e8c4f786da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa20c6c8f786da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001ae37caf786da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeAuditPrivilege	2440	fxssvc.exe
Token: SeRestorePrivilege	400	TieringEngineService.exe
Token: SeManageVolumePrivilege	400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5168	AgentService.exe
Token: SeBackupPrivilege	3952	vssvc.exe
Token: SeRestorePrivilege	3952	vssvc.exe
Token: SeAuditPrivilege	3952	vssvc.exe
Token: SeBackupPrivilege	5500	wbengine.exe
Token: SeRestorePrivilege	5500	wbengine.exe
Token: SeSecurityPrivilege	5500	wbengine.exe
Token: 33	5824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5824	SearchIndexer.exe
Token: SeDebugPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
Token: SeDebugPrivilege	5032	d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5824 wrote to memory of 848	5824	SearchIndexer.exe	133
PID 5824 wrote to memory of 848	5824	SearchIndexer.exe	133
PID 5824 wrote to memory of 5296	5824	SearchIndexer.exe	134
PID 5824 wrote to memory of 5296	5824	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe
"C:\Users\Admin\AppData\Local\Temp\d55df97b41bc60e7a80001639c09540bff208d6ca35c88d0bce96d960f928839.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5688

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6092

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5824
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2104 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

Filesize
2.2MB

MD5
874b90d6483a17068447b65755b693c6

SHA1
cbe1e8cee50e31fced4e2fca0bf529d85721d38a

SHA256
208edbca98acdf1d1e7c567b78142f1248b6ec1d76744236bc8bfcb111504eb1

SHA512
a540d0b0a59065ca9222232bfb4f7b2b13642f40ed42190979ea0d5daa5aade3d071a037dcb63b29ef261e3e6cf10e32bc80fe5f2fe2e7062b9658379b0d0662

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d02a2df445d90908e6d93432fc815e74

SHA1
0b83171c926eef66a3c18d01323a5a1307019856

SHA256
9fab89d190130922d0b515583007a8c32027489c7f0a6e6f179901012de90472

SHA512
496ac0661706fc68b77b4202890e6ff5bb21653dfd258a1184b852972ee27c3c78929a8883ce2712e882993a0e0d4aca22e5160d25accb33f701367fe09c9b40

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d33511d272c98c404cc1cd11ad49a9df

SHA1
aa0d8fccd2317ff724c38dba06e53fad2223b0f8

SHA256
00a1dd338d6a207c37993319b7dde12d97b319be456266af0910c245d3b23c43

SHA512
c9a6eeb18811404027989a423604f65dcd7e34f5dde9ffa63fa56977d779ce56c63e567a450ce84b42f96774f5c15903da8569e01d625e534d99357203e6386e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f19b30e19abf87e572e25be9b40ace67

SHA1
ac0d2a6053f41ffe712f4fe4321d6b3fe2dc27cb

SHA256
0fa621c71d06a601326e431a9eb448c4b7d222e4974585a2a79f484e7d22b8b8

SHA512
94c05ce1d84cf985b7c0f2126607a42b8734622c592dedf4fe16dcd27e94f977131e98450f421364245b164b6a4b74e1ac05d6e7523e2147258c59da65555e85

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7dd9133993c90d0a5cac3853e6981298

SHA1
70b2a583c331751891e7fd04df34ae0bb4a99457

SHA256
ddb5c88f73c3ea53056d85d73823f17a7b5c40e16bb6d182be70be79b9785fe6

SHA512
3c8d6e501a22ea7ac8e36a9b0b8d053194190dc20f2b7671a69e50309aa6a35c3b190f2015ea3d8d434331369488a89ad71c95c05bdaceb540e40e974f1d8849

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2fea410f2da3fda3e6b61c3cd49b44ac

SHA1
8a51e6c51290b692dd994ec411c0139b36a67969

SHA256
250e99bc9ff771ba06d2a45b93ae95a3fecbf489a8a42c219ae369c84d2ccf65

SHA512
1b596a9bf11123bc8ff3a726923bed92eaebb5518fad9599a34e575f969db3df2253b93a8256b7bac7fa8e9e6fa258f98343fca2207848dcdaa815e63ae117d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3ef61c9a7a762fd97605df832c053285

SHA1
5763d468b8f29159a90d0a41de3cb8e86a775967

SHA256
db249ddb2e0ac17ffbf7f40687cc98b7bf9aab7821ea55867f53ecf76cc18a87

SHA512
c3009cb98f6c236944827339379e22d1e4a5956a19b9206088b59280b2a3e519d84a0ad802a1f0700f6f9aebb51aeb9b6b5d145eec582d6630bc0f72c24060c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1d48316b18b8441bf16429c9a34a8199

SHA1
8ba2a4cb4b124295cf9f54aa0cc310cbcde12b11

SHA256
246ae9903f0f6c433b3bb5e5f3b38c3264492ae3a90248cdfbb9698c4b2c9c3f

SHA512
4377db81442450a0617efec75b8f48bf519c793d6a1900c13d5bcd0750046e474b531254657607cbb36b3a113fe7b8a857771303137f9c7f79fa6bef7daab9c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e3052dc77b957bd15c40e0426ab0674e

SHA1
c0e06c2021112a9a636e2b682ecf2c27499d8791

SHA256
84366573e2e431852c66c6f3cc5761a1ed7836087e15e08f3a3efd25cff21405

SHA512
cb14700e491763cc67d7f06f0d861a9583746cca194a5f8004d8122569efe28fb5d420e32c9c23c0a2780b65f1d49a1743a74dabb4aba25c7143091c607ca1b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc9c8dafafabadb6508d0485bb4cb812

SHA1
4dcfb7dea0ae4a6fb67b0017ce2a810abc588d4c

SHA256
796f4cf1d4ba37fde8710c6e2f88dd3d4f4ebc9e76950b49a9307f80df19aa7c

SHA512
3fa725ba45453b15f0a26236f1415b83717a252721412302009c34b4b13c35dffb69a2954660b9917143abb272db40da1ff8b7241acf8b498640162a3aac0bb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ca58be359114c8165c8f0e6c3b342666

SHA1
da5c4d6d6bcaaa97c58d3b325375ec64bb364897

SHA256
5e65a80429d9ee9d935c73b855d710ec881f1194d8a3232f50784e94b8ad0db4

SHA512
b85ea9795d89a53206063ab06db586a931253cbc3d0fb5e6cf7b2327610066cc3f2934aef1b884a67cee57817568bb94c1b736810ee7c40f3ad45d2cad330c91

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
528a5549021524ed767fb9a1963fb850

SHA1
9f74466bfd116c07e271b15d45fde665ff2391b9

SHA256
9944dd1c82332c57b86ea49b297f77b31e475fff5f5c701abcc4245e3efb1b9d

SHA512
f8fe827e1d26c7a569d1d7e1293b8fe5b0d89ea873624bd8b58bc67a707ea75062dd523e1d4610bd99decd59e5ba13c315d558306a271119c7aeb3203decf650

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b7134f68dfc7be059dde73f076371305

SHA1
8eccb9feeceb808624e81f0b741d6053890f91a8

SHA256
740bdcda673600580f217e74afaed643dd9653d78eccaf26ac81abc518824e27

SHA512
391c2b6a6368a1e238b81645d07787d9b32d53a1aed0f33325d92cfcbc2e03167cd0b313cc047f6bbce5efc8d406eb0e47db648d0fc735aa17270339ef9be4c3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
766c80c5b6fefd46372acbbabe26543b

SHA1
7bbb12739fc749da43e3eb4fc6bc70b7cbfad1fe

SHA256
b80cc135993799f15edc0ddd49bd394eed5b489e8e00b72d9bcaadba3aa8dc8f

SHA512
6fc2c2042a7a6f6b9a4472914224ad91ba57902af8dfb6b0039aa49a9019ba47e068afb073f467f203b18d575952248d4169d7522eabebfa9938e537b9144e29

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a73fa16f2f6210b40ec712ce28ae1c01

SHA1
e9d34d88c38642e7eff43182ac91041d8c490dc3

SHA256
cca2467f6bbf8d78fae42466168d0d0b44db93a4094f70690effb04e55839aab

SHA512
010b56d4d081c1c18553cdf6aec43b7d5c1dc1a09b40a61aef062f34cbe59b83d76346834737308a7905810ad2cde160a34100681a964059bf9dacb59adf29d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
895e3456fbeb94e93f69cb87bc35d509

SHA1
05fd3485227d89fd0e9378e3c5e11d9cd26147bb

SHA256
d7dbea3035834eca95324eddc90572c7778186db9e1b7b16ceeae1c0c4d1740c

SHA512
851b84dcaf9bcc8d26a26d1e59963dbc2b61568fc81299da52d2f7877ee99cb92435e3fd3005e8020fa144339e65e93296e105c626f12675f6d228068a3043af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e577280d07cad89214bf9243565a6d74

SHA1
054af1522bcbca3416a1591c6682eee220d5011a

SHA256
0c9ce5f2c07545f4cb89cec7ec5d36708ac8d85e34c02d86d66a5b3f8e4a32cb

SHA512
83b09a3eb9c2cd2a7ef9abe5841426dc51665dd5f59d23a97973ee44bad11114b72ff7a0619219ddd5f076a9610ffc90e0889354957db01a32b1cdd0d0bd01fc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c729168a7afd2eacebc73c3d1e8c527d

SHA1
c0fce218b8dc5be11d6f98bc8293c97a70170035

SHA256
84d9bcb71d3212dcd76b92034cb8b39094ca7468080cf704f13d13f187fac35d

SHA512
83a674663ab2cc851ab9ff7c4b0a0e543b5b50888cf76f10e0ddd9fa14418ce5f4c285cbe36ff941179ae7324c49b2a968b7f1b27c7c616cb33a683cba18acce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f1706d76db3183f6d5d66fa9f7b02821

SHA1
34bfe4a329325b2e17f599e0513080395027ddbe

SHA256
c7877f184bbee3ac143765aba19d91a3a2c7d40a64531288d0b47c7253c75fd3

SHA512
24ef4bc4d7d5545817ab87f05edadbbf56d790d7b4f1d79ce689397b1f2b142fcaa698cab7d06b3c221c6efa516ad06d4445dfea45d52325d1e1913c9da6e21c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
6f756ddefa2bce287249560c8e686c37

SHA1
847c65e881432d90dcd8167d80f0bfc8e3ec1819

SHA256
975b225d5a0ee4dbe3774f55de897a49049a9e5fef3da2aa1862aff41a308893

SHA512
ef9cb963e897481653e1329cf25850644f0ed49962f53cc77606f949c3c2ff28c7acc648e2b8c96bc112cf2d4143a83fc4caba81b429daef31e63cd5d867053a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
3b9c720fa3cb9fdcfd2ef07bd7ac9fe1

SHA1
110a1307a9dcfb1fae4d3634855e55e0547a35c6

SHA256
de2b58feff0721770e1464c1ee77fa45230f5da8f9f1edea19cfeb33741d684a

SHA512
b70e326ec7034ccbfaa1da37732a3485631bc67a864a0037190f133421bd701ac8412218a96c6aaf13b67b2f8c47e990619843ac2283262a35e45b706bbd8d60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9cb0db54c746c0ccf3ecb83ace7829da

SHA1
b37689340c1868845e84ac97c7295f6d09090a5e

SHA256
b60b9b15dcfcb28a56e318b65a9959688808af35806f036797c757f028f47883

SHA512
fde88c2c538e5af78a2f9d7d099e6487bc314cdd2aee9bb41243f422ed514cfbc484cf7c86fa8a3767ad0fc470c63fcde471e5d9c879b60b7509241c55449ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cf1d55384fcc09fe8ee465fecf8dee0a

SHA1
dd1c32d187acd67a1fb6a169d945c4c2cae83feb

SHA256
6a3db5e3cef5b420ef1e54ae47c552992084466711c3ce28b16fdc36731f722e

SHA512
cca1befb861f5b1fc39a4e3fc81bc258b212e7fd142aaa8da8460a2c913b9a1d87cb197b1f4af9dcf06eb154a069b948460f1f1b317ac8f363d15f773c948413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
06ff122f8c444077286f53e85240a1b5

SHA1
80267b1754583d66aedc996312c294cc092c5617

SHA256
204fadd82506ca3874331ce9198ec4b6f53a40c4e37cc4ee7c281e96e3a24fd1

SHA512
92d66cffb9856c9c03a8a92f403b6901e4c1b0f6d8f442893cb55e6ec812b492d3a6cd93a716a46d9767e1c5c0ca92428df04e7671a85af01922d7406b505739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1c41bf1b5c6858197886a0c8b02a398a

SHA1
ef432e5f6c160e52633623a08216fb5dd3ab1885

SHA256
db4ae2590f38ecf059130cb60d2040d346125d858e357891d1472443830f23c6

SHA512
b11f586d33ccbc6b009d39e392f1bade0525acdd6f1b9d31af5d46c8645cf3b87237382b13f3e9cb17801b97b72883339cf4b502c4c507a333f9b2640ef25142

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
91834eaa5b2aa1907d920145ece4665f

SHA1
fa4c9ade76d59b24e7fab1af5e0184e625a30ae2

SHA256
a49468322b07dfea90ec7c3b2cfc49198e6a9ed1036d01fec6705a341c3ec579

SHA512
f49d92899c48bd4ffd0082c74acd1f19472e144f9fe3519628c9e2b73b9737564cfdca51e22c1a31c819078c6f3acd89e13ae0f74bb21131de0123f9d838ed95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3f171c9dee0b28e42bf369bbe9ab9ae4

SHA1
4568d8a228c2d8ff26fc7a7eb0cbde9ad2f64783

SHA256
dab69a9210ef74f8dce3ea223cb67db7e4cc5555f91f16d4bd3e8f5d97be29cd

SHA512
a3d1577e9a2149e8ae260fd86b0eb346e3f634d70e5e80aa72417206c866f03231fc2da7b7295d3818f4f1497bc7d0b3200f9e83ae50b4bc836cbcb2504ba3db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a1588c92b37c4f7c472b305e6e6b7dff

SHA1
2daa590bea4dcb391767ae15d033d9f80fa6dbfd

SHA256
ac81e2eee79864633600f2652dbd06c30566d07f9a5186f169636e4778bd2137

SHA512
c33c3deaaaf0fbb835ea10679446bdfda9df9e314c16e3c954fc4ea8ceb020a25fdb4072c65340dfc0dbe9c0a91134ce06e6885b9081c0157796423e16c69a96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9e4c84662183b0a4ea1e2b0ce10b5658

SHA1
7d4e7cdd120dcb47cf36d7c69c1d77a1a8e40d55

SHA256
bd62ea25c8e81173b776999c4d8a879eec37f9ff4081ef1452a4f77f6fd5a29f

SHA512
b0d82303be7e417b47da22d46612b950fa845dc11621336b6e533aa9b0d6c164ce4dec8bc61f92d9e39783f0814fe78a1cc87be41aaa08cc930811afbc3178f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
45d93690870246b3ff5c5c781fe449be

SHA1
2d7c0b3bf99daa27f2477d306cbbf72cca3900a6

SHA256
94e5d9a33e36c0501846552938e20f36a15e1a5af267662e12f38f496a1af52e

SHA512
1dcf430d7e99700e96f611f615bf1e5ac56cea7dfd38d269d70bf7e007958ab3a601b6f24e75e1c5a59eea1bcc22f554f9658d47b6c1ac3e495eb80f8314949a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
95624d0b28996a7879864f97f39f271e

SHA1
a2c875fc4580451101569e2f6263dbe498ba0baa

SHA256
52098d32ca771654c08c1420f10991e23ec5040b8201570e4097e73c5d13c37a

SHA512
e7a6fc75cb392bf8250664bee4c0fb3a59a1c50605900bf188c7ee72441e7a979e474067aa7ecac1d6b6ed7e50346dcad0a6a7d728686899a15ec794a39ab426

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e91d5f79ad02d101c15d35f6a0413375

SHA1
2fb9dc6d33662fd90899a0ee6ed44eabe5561111

SHA256
a40fcc1902c263a5fe2629025b10c20f370a1ee4c61c7a2420081bce4c5ffb47

SHA512
cb4d5e04d45c208a1890f28b5c8953ca0e9e5e073a151aaa37488bf173c2e0649935c252312b3b310e3b32de168060411a5a15bd0877f6c157495add112e13c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
40b788574cb286501bc6a355c7a8aaaf

SHA1
8161b63b7717273709527d86b5da7e1ae0e0174c

SHA256
e65a32d60bb48fdbaba9fe805fd4b878b3eb56b2e86cd9445557ad8d88776410

SHA512
22c217c8842cafee5735f98e65df2bd19e2c0a5535045fd7a608cdee46a1fa5d046308628abf5df86a9381f492d4588f98f279a9f109cf5ffbb01c2b23acdee5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
589502c2f1423fa66bebab7e1ea5e343

SHA1
81891fb8b6320a2bd7e463a40a9863f84c834bc7

SHA256
0949f5e15f26301186df207a6ba5b1c28d60eb4945572db4912552048b925d59

SHA512
d3b925875d69ea5d4150940bd31ba254bcd2c8d2c08081e2994cd88f6c9dcb4e52a447b53ad99b32e7a733d5fa57d0b6dff1e94d56d2f340a76fce36097044a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
793630a2f9f22b9163ad031dc167731d

SHA1
928af23ce292d5bf93f0ded6ea71bd58b9b65c2b

SHA256
2d58c347585fd78f39611fd4d0057b6284249d7fcc5bf612ccadc4bac5b50ccb

SHA512
7a53c46e67c88850a72d06c78236a537e9096a642583e21504825ab3be4c52e8eb3c3847543f9faeb71c29dd50eac5addc7e3b9d8f90d556a3c44fa719111683

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
17d0d4481c3dbf31eed02dca03e2b475

SHA1
97cc4bcaeaee8b56ee97bd2b11d3b3dded736474

SHA256
15a767d5f920f72287d1aabca5273eec61da17bab1061a57fff713a4dc7ad900

SHA512
1726cb12fa7bde3e4116a8ba5d2bc08dab8ebf3975e677f74eb4c5296f9e16d2009af4839acf78948a86838fe80ddd5cf9a953b4327caf8050aa93cb466bbbc6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
320f7844429d2c372d261ab505fd7a80

SHA1
59506cf017c3dc8d51748f23aeff701798d06bd7

SHA256
bd74b98416a119e2061d3d6cf1d33cca2f690067218dca3e77287cb54a3c52a5

SHA512
e5711002fc3f5ff55f6d1dae8fc8001db99d7ec5b23c69ac88b39ffc9dd63dbf4a84958cee390ed746633f09ff3d02055c616b4a071de230a111ca17ca613f04

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ad600e8b7a4813dbbd456320ae0882e2

SHA1
a676833fdd1db731ec3c96a90e9da5f766251782

SHA256
13de4a43761b4592cafdf455bae8a60ec7d909ec2436b69fd9325b6f914fd5c4

SHA512
6e948e0b109d896ffcd2ab2b47d0f0470482e0fea773563cf622c80719655256738db875020f0e91a64ccd34509eda741b17bb1b0e837ad4fa2b80a0551e3dcd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ddc71a1a0a73718914448d11b49bf03a

SHA1
cfb03aa9af08f97ac4513a1b83faaa47f6547cce

SHA256
f29ca367c79e8d69f192b8337826afb17f04afa74dfcc5578b7f2147243eba2d

SHA512
c56d792c39308d3611970d6c5f310e10f072bd719de4f953994d0fc4d2429deba5a90b0f87c08b479ac2dae9941fc2143c7ddc87bb564e190116bd6d3da51d79

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4ddf77be5359f9c545660083bf8d4750

SHA1
b3ad406978149fdde35c19b6c273e0d4831a09c3

SHA256
0c53d6c94f33400f5f6f0347bf9dddaebf9c36a1fa752838bac2033870d0d1f7

SHA512
d6085f73c8bc4881c1b0d7645e1078915a5ac805a81ff5e894b32b9a435fb9e1cf200041192b68e0ceb1098746aac1231383f7b86a1b9b1d2fb2444affcd950b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2db3a287864dc3463775eec7d9262c27

SHA1
50a805b16aa2ec32d42356482b6c5d2243bc91b5

SHA256
5a105311f868c3b031c82e97369c2e77fb94202df02f03d8d6bd44dd49fd5901

SHA512
2486900f439989a576dcfedb10b29a46676fb27030557501d190b135561557eea993adfdffc709237a2e45cb115f535b84d33a774c73b661e70bc0c22c432442

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
217956e1dc94e02c82a89634963942f8

SHA1
1932aaf98ee2abbd183ab00cc16c1cd68737b18b

SHA256
995ba60a708a9506ac02b97a643fe75a94eb171afdd1b2c2f498c3db0b3fe2d5

SHA512
6732085fa9bfbbf67706b6fec4f2da9fb5eaf73fbe0ca4c07f41df1fc9eef6eda6a59fa2dbde403416392489ca135aebaccae6df68fcbc2358c20bb8ee0e5dc5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c39c38a15c1b2dc390651329cbf3cb28

SHA1
49b86f1be4b3946b416ee478bf1fa8b369b3f017

SHA256
737cd0263937e2f3787b9da8b5db1bc4de7db46ead30a2f74d17e1127d4ed65e

SHA512
0b2bb6655fea1be6f9e256d6c3fa9ad865703136be64c03accb8fa28be8dc65080902a5cd3e2726a116a597b0c9f2d72214bb6240c6f9b40b304020327caa713

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
92ac5c60851601bc114feb0ba467a6b7

SHA1
41981592730ebe44cf0f1cdd4240881122795462

SHA256
a4cb05513a204457258cd00a3521a3a8b77577863a9a219abea3c09a85e292c8

SHA512
44557f0da73e1453954863dbd3c2440ecd0575b263cc09b5aa0e64763d89614a5abfafde3dce0afdac3500d9b1dbf305cb5dcbe28006d4aa0281815c0fbf5731

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
383a0fb7dea28967097863c6ed672b8e

SHA1
5cedc163d23b8181a466698bf1831a544bd7c190

SHA256
7a186d5581c286830bbdf4eafb5d606cea9642be1f51a04d50b62434c1a3ac29

SHA512
82a9cf451bcb00ed36fc5a1f9569513a286e9e14e37b4bf7064463b4872b0d89f67200bc0fc94c318afb0aed7f0c129b2ea2d13bb82f734890470a861a279c08

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5a7395af69ad5660f66310cfe8987874

SHA1
03c5d02dae16be1ebc888890ec957c589f05cb2f

SHA256
4c6046d46b1d1c170051585dac237b8966293c1796b24b49d4cc7f5a6d248c79

SHA512
32a44273a0b9e85cfc9c5da80a72c08f6e0ae4f6b9daac58c6ee8d128b8c22cc69f5cd286ecc4aaf8defef9e3d91919be07ffb0e889a9ba4da3a1d325d2a6bea

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
76dc2d29956745d0434ab9e158e26bec

SHA1
f12f2ccf333e416af9c097cbf47bb7eb83b334d5

SHA256
3f47aba5dec93f5d022777dffc41e31d39ea29057037e9a52612ecce0773d4f1

SHA512
805f5ca5c9706b87c6d5317d65b4c23212b42ce88ce6c997874144de1d8581f8d3b8b28621788db5b4a137f836bc3e3cf553bac009ba210948405d8575d0c236

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a441ef26a3f84e5adb23603d27b38cfb

SHA1
9786bd9de15d640a765577582d63466b57ed5137

SHA256
f216ad2896d4e2de51f22c77277e2645dac201d4d0bd0868a543d8da890cd9eb

SHA512
44783b07cf758c09ba71b42855b474afedd2a0fd7a3427de4c2a054d7a75f3b34c4c7e3802739b3983d952fbe9804afd25f65bf2ee4c03db0a5e8beca42132e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
db27287e1c0260385486e6f3adf0f029

SHA1
5c0973701ca82ae616c63d0ec900584a728aa6eb

SHA256
15a1e3f450085bdcdc6c11e329139c3d795251876f32e7347bd4279a73bb94c0

SHA512
f97efd1084030fba07ca9560d7dd43010e5db08c7b5fa2f9a3a4c842673e3ac07c90d518d730c5919e26da89b2a08f7a5d5ca60cb6529b6ea7f6a052402782fc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e9a5e583ddf4476b43061779cadff8fc

SHA1
7188a65c961811b5da9d89fb51a1e4b7701f8d09

SHA256
943ab6c25057927989654e2c6331fb1f610e2c10e5b1476c13fb04553870fa4c

SHA512
59c1604f649fa9a3e30f11b0744fa1c73808cf0e400aae6a5b640857a36c6a553c146b6f6e73b68a8cda7d1fb5c300857803a5e692f6dc43133234ac2930057e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6d568ece3fdb57f94e3a375be89cbbbe

SHA1
a466195191f012d0d31ef5a00aa002f4a9456592

SHA256
06940f98f32cf3324e9c1d336d305fa01ee5fbf1817ea2d0519cf05391fef1b2

SHA512
c74449d9a363f18b189b7b8a6c27de134922ba00c4011e63e077677f14e9cf52326394a475d447f2358e4f64607ec7aeb3f3fc8a39f4e396821d66d4a21811a8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4a43b35f9d4a2cde74dbec6741546ba5

SHA1
cc797d744f1a001b1d1c23b4d6dd99fdbdb208a7

SHA256
c28053feb6a920febf642b1db3cf585f4b82ff0712d9f23664dc9564772b3efc

SHA512
cd0021e742afaed92464bd0595dc3cd4e6e67ce7808b4da9c1d8e50058de9edc41b6daace860bd4dbda73c492e70960535ce6667bd539564dfe2da84b282c5d9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3a3f75a687fe12f7099d086940ce5528

SHA1
0c034e9a46ae1c22b44ded4ce9dada82e5baacb3

SHA256
6553912ccbaae1ae2a34bf836dfe45f47ac8984e0a409e1c13d4fe16f7cdd374

SHA512
2b0bd753af853d83a6670432dd3b30ff78bcfed15258b00d1b8c3e7e9ca1f7d511c91c1af8358b3e6549efeaa976e8aa250219469eac7e3030fa5c6359c147c5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8146d0b93d16dee15d9b040ff1b53706

SHA1
5920a7fa4b31a35b1ac0b412348a80affe41110b

SHA256
7870413ced20482438a82944d3b79d2eb099b7a0bdb5d50f18bd8ad8abe34ed5

SHA512
dcf2276ff9c7d179f15afdacdd1bcc61239dbb5054f4f81f5f08656f3c45a9e0f8cd528420b64aa607ecc8062b3a77c7de432edc1ee843ab9a87e51444865d83

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6a1d6255cc3036ea3ed34832fe882450

SHA1
281e4e755dd296bf5c9a76aa3d41da001260baaa

SHA256
7b77388ed3bc11dda4b4a53a83b1532f9e84fae563e8c2ac3564ab589c75b6c4

SHA512
27e242ca822be48f25dd8328d4442eb41d7dcb71d5c1c9648bdd9ab22434dce998e5e879e6d24ff5117195e111217c75f9f44903b398cb6fac642fcf06c7bc77

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
879f91fd92dc474fde329eeeff693714

SHA1
25865909ce0da19d2c107c89a3c195f29465996f

SHA256
3a358cfba47ebafec407c269abd9dcb04fe99d21d0a96622979a2af0176dc5f5

SHA512
c955a1f719d17ef0d73493849dfb3cf3bc647cd0a60b7259db4376b91672ca58786ee645631f7929e9c9476f2fe2e20d6b93767a5a6784aabf691342b88a4113

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
313d6c6d4d120a0a858af4e512ce1e00

SHA1
3f9bc4cfc5aba8b9eee57efd31ae94bcbecbed53

SHA256
f92ef5a081fceab1d8cb458163ab89f2bd9d890e38f32c9cfe3736c6006344ac

SHA512
caa6d790cdd5f6ab1ec30f8026190924c062858ca154b1a3907ff3469f9c1ccae0398201ebb58c1b37b0fe34364456495a2db15358dd60d9f6cdebde40e4ebb1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
49134c95575e59714484ff3d8c2a13db

SHA1
dccbf27ab6cf722fd287d5ed7081680444648194

SHA256
886747b10b21352ad3a2752eb97f338a2b9d3b7fce84e69cfc0eae3874e946ce

SHA512
4074a3bfebf4c8bb6ae4cedbb8bbea790ae6a4aa4f0734679cbc418f9a69300946da6f4c35f613d836c2bb0b36069286f745cca02d067cc6122b1f111af4eaca

Download Submit
memory/400-210-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/400-202-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/400-271-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1280-280-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1280-272-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2324-128-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2324-100-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2324-93-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2324-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2440-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2440-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2440-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2440-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2440-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2452-106-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2452-130-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2452-114-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2452-129-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3952-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3952-254-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4532-127-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4532-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4532-65-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4532-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4660-75-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4660-76-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4660-88-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4660-82-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4660-85-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4724-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4724-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4724-51-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4724-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4732-121-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4952-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4952-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4952-90-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4952-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4952-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5024-74-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5024-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5024-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5024-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5032-1-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/5032-6-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/5032-7-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/5032-63-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/5032-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/5168-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5168-224-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5168-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5168-232-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5268-242-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5268-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5268-370-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5500-259-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5500-268-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/5656-133-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5656-194-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5688-200-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5688-137-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5688-143-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5688-209-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5768-381-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/5768-380-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-156-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/5768-221-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/5768-213-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5824-292-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/5824-286-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5868-169-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5868-162-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5868-231-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5868-241-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5956-181-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5956-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5956-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6092-186-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/6092-196-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/6092-258-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download