3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Size

2.3MB
MD5

68086d898430315f623dd8c3f25def49
SHA1

80b50f470100a11b5a44bb0a5b715842aceb220a
SHA256

3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb
SHA512

df91af032dbf1b8b30e15b168b34e13f8ece259a7ce3289f8f4e311bd149b68be1c4b9caf102e742a7a56451fa2cfe70c05a55cd9421776ec6ea3320471dbac9
SSDEEP

49152:EQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jr70jIpM3kiSBM29mhNq:Etdnfnwp3oOLuB/3/ur70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
684	alg.exe
4768	install.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
4716	fxssvc.exe
3160	elevation_service.exe
3180	elevation_service.exe
1104	maintenanceservice.exe
4196	msdtc.exe
4120	OSE.EXE
4252	PerceptionSimulationService.exe
2588	perfhost.exe
4808	locator.exe
1700	SensorDataService.exe
1400	snmptrap.exe
752	spectrum.exe
3332	ssh-agent.exe
3548	TieringEngineService.exe
1292	AgentService.exe
4380	vds.exe
3184	vssvc.exe
5084	wbengine.exe
4592	WmiApSrv.exe
1076	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4768	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\vds.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31700a931012279b.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\locator.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120984\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecbfbac7738fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d0583c8738fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf17b5c8738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac972cc6738fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078b0a7c7738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f0764c8738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007e81bc6738fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009bc36c8738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed91c7c6738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd7fb4c6738fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeAuditPrivilege	4716	fxssvc.exe
Token: SeRestorePrivilege	3548	TieringEngineService.exe
Token: SeManageVolumePrivilege	3548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1292	AgentService.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	5084	wbengine.exe
Token: SeRestorePrivilege	5084	wbengine.exe
Token: SeSecurityPrivilege	5084	wbengine.exe
Token: 33	1076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeDebugPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeDebugPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeDebugPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeDebugPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeDebugPrivilege	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
Token: SeDebugPrivilege	684	alg.exe
Token: SeDebugPrivilege	684	alg.exe
Token: SeDebugPrivilege	684	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4768	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	86
PID 2036 wrote to memory of 4768	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	86
PID 2036 wrote to memory of 4768	2036	3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe	86
PID 1076 wrote to memory of 2112	1076	SearchIndexer.exe	116
PID 1076 wrote to memory of 2112	1076	SearchIndexer.exe	116
PID 1076 wrote to memory of 2192	1076	SearchIndexer.exe	117
PID 1076 wrote to memory of 2192	1076	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe
"C:\Users\Admin\AppData\Local\Temp\3c1e7a7cf079d2f654c6e708f7022825228a8b3cfd1aa3f825b9d77b2b4419bb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- \??\c:\52e12616549814b6429a5c\install.exe
  c:\52e12616549814b6429a5c\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1804

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\52e12616549814b6429a5c\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\52e12616549814b6429a5c\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b236c260443360d0dba0ba596bd704df

SHA1
5b8c5f954c17e22fae44ed0331d810f247027040

SHA256
05aaec216e9232f07aa2ccd452b6dc26071030587e08e526deda8ada9834693c

SHA512
8cb5775391b6e37eddd24126ab64b3d28475afdc521b4747865c61c1a4c8a6118d3af31e8492de635f384dc60d2cf8ff080133f15af08f3d161257b181810446

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
1cb55cc9d309df392032570ac806aa21

SHA1
1144bbc36cddb0b47e86f190851d543fe3ece3cd

SHA256
21b5a1eb6919d222c30db4c28dfa0c0d4ede052e32447e023a0a35e2e856b01b

SHA512
c3fce48f6b41da374b18494558a428cbfbec56d768806b711e28979d5485d4aec747ff277bf0c64617befc3b3b533a1ea36a7fdc8210f05cff3fccebd9726647

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d6361298cbee1f76635d7be52727c7cf

SHA1
a73f4d83411a9be8ba28811f283b2ef8914bc9b7

SHA256
ddc418e8623bff65de05c60dcbb37ee697cd0352d721ecf0655ca116cde11bcc

SHA512
a17392396c1418c50e6b5dbb6840aa8a711165147de118262de4d647842500e9eb4a6766c98140ff14c21e95d87b6e8144dd56620100358b4e4fd3b94c6bc146

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ea8292b86d2f161ea06308e83a522022

SHA1
f03e8633b2e944bd045fa17b1301a1b293ff45a8

SHA256
c072c58bae82bc1af6e11ac01348503135dcd6b7de0886d3d48127433ac0d263

SHA512
db29ab04baf1bb036fc1257b1e45acefa7dc46f21a53c8c751784484549d0f4efceae1a33c4ed00f1ebcdd4f04030263ffd60c80f2350de1a0164001969710b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
47720b4d5384306ff8fe7cbef2e8ec4e

SHA1
0b35ad95af3f0ca57b5f5721c9cd0577c31edd5e

SHA256
113f0cbec2408dfba52a2b0629fbb8897b661ba7b899d7b200ce6747499156bd

SHA512
5888e08d1dba3923724813f17f14a823c40a75b80f987fc4c79600fa1b59cce7655d5cd972dbf8367b6e4ab3c8601849759ef87392a9a169e65d6b7ecc5f2228

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
18fa5d1d26c60c5d1e536154934fa227

SHA1
399cbf4cb3becf8e7483b2b81509a48b4fe8cddd

SHA256
59509a08aa0aac42dec447c15fae7256e0c152c630901034051aa7a371645fdd

SHA512
1704003c054265fc1298181b897a976833f5fba6765314b88e2e63feb2e8e55f0f9fdffe812e1b95038d5fea17c3bfa940416e327a51cbbd6df7f611126b3a1c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
64c0ad76b8dd01d337e3f6092e91adfb

SHA1
6b70300217b85bd2ddd0511c57eeb030c67a6525

SHA256
7bce6f527dad1bf649a48ec6497da0d53bf2548f7b0200599b88bce0c81c7217

SHA512
313f2131b8e9c5f009aeb19ebbf73f302af78e35a6bcf59f563e437ab8e579e30085e4574a51a69baebeddc22ebbe7624ab5c52cb2186800c3f77808724786b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2ca381dce8ac7b2ffd62c1a0fa6dec75

SHA1
e41b78962a5dd2f86bb7d477269f6db2e5c1bedd

SHA256
7fddc2f8f51b6cc5963b54bae258baccae0bf696b8dd735e538166a2a3c13c5b

SHA512
b260268e0764bc5b60b7c55f830c69e51d3ce5974347d4c26d9d04e6e8c7081dec76b58bb7117e74191020a08104a377cbaf4ef72ae3000585d2fcc8273d1f30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
bd3b7b3b33ce0b1d8d4c111ff1792757

SHA1
b5e11dc32759c0fb7e16bfd6630f4bd6fcb4fc0f

SHA256
d3b2d04cf07d7de67dd766795b2650426c1d0076ccd9239fb67a354e7c7daf1d

SHA512
e6ef1106ad5c6259231a3ea20c458496f0eaacc38606e564b5bb53857896903983870dd08c4a11d3ec4a383459db6e1e092265d89cdafee584b98ba54efaf527

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a397a46b0153d2172d37b5d860dbb977

SHA1
6729e63a925804e9c7f4d80d00b335827ee5b023

SHA256
aa1d913146d6919ccc421bf39e99139b2c3928ad8a38cff77d96359cacf49f93

SHA512
0cc78734bea1243fe6e431a87e31a2b822c4321189effd6e4c5bf4d409730e383ecc67334bed32ea28b2cd6da430b61e42a585b4027580319e4c3de0b79e908f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
17f31fed60a6f579cdf2e9212a713df2

SHA1
2f7848aaf2b3b8e7173fff069a16c1d7d30e4d47

SHA256
ebef9d7a9b2534b00de0d4e698d00116033d8406f8ecf7711a5c46ef86d3dac2

SHA512
55cdf76c6e26a6ca7ffdfe5d1c25e3ef1cc1b1399338bcf229798e6a1c566c7633f518d82943e25e4a0e436b29b1f8c23aceb4c0ab309ee206a925863a573c42

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c6b9e0d43cc914de4a1cf5c9eddac750

SHA1
5d076283b07fe43ca64aae29661d95575f2e1a1d

SHA256
e3e51f438b659d096c06b3c1208011655564daee5323f2329a861d2342548d7e

SHA512
71e96a252f2b165f0a898c2718322a36911d04e766160335a8e52acd952d3018c1c1708031dbe2f1bf70ec45789a2349b6c3a089f0b4bfebe5e2580c8544e045

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
10256e1590613d3ed6b5ce41fb7cecf4

SHA1
734d96c462c692b28b1f7e1ec7a8249ff6bf50f6

SHA256
345688e6815aa2fdfdeb0a9d0d1bbe73ac5aa31d1434b629ee35356bee9d0d66

SHA512
8a59a6019c1e42553f52426ce0aef946cebd76554efb3700c2f65ea5654be0efb1481b19c5c340604097c8a3b39c7367dc34e8a323af9c425823c00479a6e3eb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0c077823a553cd19f63884e190d6f257

SHA1
584880e5548e8781ae3a700d4f077ecd7fcb39a7

SHA256
014446e0533149cb2aaab704baf9b29f2128dfa965a7d9e6d8726d075448d9a1

SHA512
5b6949c574158369fa1f3797f4c9fd0fbcb7e99f73fc37bb77892c10ff2e14d9a1a151f2b677abe8b9c46b2d471ea4709b2fce9f9ee34b7001a7ffd37b45f5a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4f3d85aa6132711350f4c5b18ac1d7be

SHA1
4c4a3b19ce643caf16ca7efbbe76c0e19eb6ebbb

SHA256
a0b12d1a1b01e848417658de9bc0d891c5e28c45fc1e6af9ca8057906b203750

SHA512
eb990d33a57c8d0bd13c490c81c16327860cf74e6462515f68993a41a74894092c8133751f61b49dd8b52653a6dd83a9cc15bd96cc2edf6fbc8b4eae00733e19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5cacdd35d9481171f52a0d95ab125699

SHA1
3df809d879bca24ded5d857ace897a29be9cd4ba

SHA256
e22582ac5574f74990500298123273d149a397620a4052d573f1fd1eb50eb362

SHA512
f33e0a2ad937370b72a06cb380624eaba3ecf4911364c4143734c8becf62a7f82980f65cf67e40e27c65aa9739701b33abb7b574ff22094ad3d4f5e20fa9653d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
317a73072873cc0f60294f0766679931

SHA1
bf3a1b5f5324fdb10e2b15fc6f3597bea53cd87a

SHA256
e110113c89ca5c3b7a8554cd8bdde0222eb62353028a7ed225e67598a7d920ee

SHA512
96f698483e475e115ec26105d73cedea43d73965d42fbfdfd155d6513077255a49e3ab13fdccf07b88d2fc04501a3723cb69a1fe368621d15c46dbb924b26fd5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d97706baf6bf08665c8b3c4b43166b97

SHA1
fc147eb06f06abd020f69ece647409d52806b4f5

SHA256
753884d242f76c6633ecdeee1cf388723fa384ba83abbbc96aa09ee60b55b809

SHA512
ce20974bac643018847595221dc7ebac7e7f8343093eac8605358cfbc6be0f7e8994bd921223415092e5c917b3935a273003ad8f05ec2ed1d4ba58529d887929

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ba42af23ab3ef7cea4da58a5e81c9456

SHA1
4f6cb83817158d5d1e41edee868feb43cb3f6730

SHA256
bfad01ef458c0aab8cb67ede7e7435b94e859a3321bf109ed8c8499810962e76

SHA512
4947f0ee41ce9dce82047a6e8032710c2a3846e4db9f7c5239b065077a0bd6bc5159290559c9318a1b473ca502c2f8fdfad457968f844469e5ef0ce18e5aa94f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
93438e9c94cd3fee0dfffa45f5c86ff6

SHA1
0bb10055418a60a4bfbeb2b361c206af74e84acf

SHA256
093026a3f941a9d71c69d7e87259f378dd369b793e2573eabdb1ab1fff10e264

SHA512
1626ba92ef6908a522ff2710a10c00d6d46d754937ea836868b078c3f6eb5993dc1e82af2ee6c2a9a784134dac49cbdf0798191e56b8c7d181c6bc12e4572b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
db7f5549bccfca00d98d99fd5472abb5

SHA1
e8ca5252b8010a5b457fabf4b346d01b5aabe9da

SHA256
a15cda47634a1c884149b5c0086810805b7aad5fa7d24a3abcac347617be7673

SHA512
ee457c5ce2aa730680b8113b55f48161b7c4b986fbc185c0fd4338d77de83b6b4ede543aaf644936c80862668229c03d25e78c800d165449fdd625277f5c90c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
e026f22bb9b6f808f2746f1813690a74

SHA1
78189c8aa38f32a535c9634f1af32c76e53f635f

SHA256
8601fe6dd3f2e316dcf90180a88b89343176d204abb3fdf81244bdfb2f8aee53

SHA512
7a3d9ecc19ba6a3b85c730df9db960ee3e52f66648ba28ff5ecb47088692db13e68ac9ccbc343be50b9d060774833cec1526f16483cb495c146f6db70ac9c537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
1568a38aeaba4a3170688809723d29aa

SHA1
067c9c24343c7bbb4873cada4b7dd9f5a3932406

SHA256
a867301c22efafce7635e25b8791584e32ca7b17d0b6b230c2aa1b84af538fdf

SHA512
cb0ef25b210e6f4a25746fc722d3f5d9c3d24afeaf8baa303a595e069740139cb984fbcdfc5fddfa2e43c908b6286d50d8e9b4418ca9ba4ef029ce492e7a0958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
9190956f5e68a8f0b4bb6028391e282a

SHA1
3c1f6c5297684a1a27ff92496254e63e5741d072

SHA256
22aa439101105a2a2cb700344f9a092656b0ef746f05e0f46f560a17950ba63e

SHA512
c64face39b7052e3e9d2fc51e53926cfc358027d20fbe2dadd06f1df320ada6f5cd376aa37b905807ff3ee0b641b5d09b331f8a53fe305e3af91cfa2afa3a3ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ada6bafd708c6de77a53d6bebbd4934f

SHA1
3e09e64fdf170dbac529a7d897659cd16d43aa57

SHA256
1d4672ceaf829597200dbc44423fe254da1b0612c2801da219ec6a3e4040c32b

SHA512
cf53cb36ad1d1403b05d033b74d3c4ebfc8ffb92c437595d3f57527f8fe24f8ef8566a479854cf102b33eca5768f04f6ea696e631af9baa7c6e0e0a6d73dd5cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
dfa07432c05f14071d5e33ac1f918b5a

SHA1
3829c239db53b0856a42ed34bc1de72ddb5eaa01

SHA256
1d5a368198437cadc2c582a454994dca63781795f6dca739bd95cdd337fedf01

SHA512
fc5d0665133045578febb1eb5e850d70c1c934869738601819cb750cd96609fcec6d85c4b3b3d5e85b6625e4e56bdf462e6de5e1a5ebc88ca859638f6c956382

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
e88d34983e5929f26b756a80b647596a

SHA1
09b12c083f24973894929b8215a24efe0570f853

SHA256
b7676d95ded40c1070cd10e57ff256f195a64b21a1739f20c9a12159f49316bd

SHA512
fbeadc211da6a3e5ef58f0967223de6c23d2adb5373cce009e3cbf2cbc65a3aef39abf9091f1d8e831fb859d397ca9bb5ea1b6ab80bf174416ca2b0cca42c119

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
924bd813386f8ceae9fce5547a606919

SHA1
6f1e2c94548c4160970f274d8d23212566707ec8

SHA256
135f4dd081f8420662d24e9199d935c9cefd7ea4cd6e586c5aa0eb165335ecc6

SHA512
c788281e32224d8de24ea7f3569c8ab2e374cee540988c87c163199bae4d4c9bd4451d5318a7114f4091f16114f9566d5d6664ca8552ebac3a387b4fc322aebb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
94c326bbc77ed4c21fa74375aff15eb9

SHA1
965fb1cc8a685c3699e7dacfd73f35b9bfb33fa7

SHA256
56ac82b012a04f1848eb74c0339ed0b88ca6904d16e0782b5376eb2d729e3ec8

SHA512
ad29bb076d9cbff2e390d1dfb21a70ab29a6e7da9de98fb365e6ef66f92b969b00816657f629672e6f6901e4115ca7c1dba1180a2c3e8429515bf3523a01f574

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
affa5c3c1e71a80d3031a852ed79ff80

SHA1
03d8dc69a375cbd6742b49d0bf09124307827165

SHA256
6308e61118f333a562060589abd37f2d3cba22fa2dac38d8411bf802952b28eb

SHA512
35bea948b727e58805af442e092d1b7747b5a3b30cbedb668023dfeb282dc1cf92f3e9b5bf9609c35c58a574160b54cdc03c41c379c3db59a2297e98788091c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d1958ee291c7e5d1b6dfbf0b8159f1c6

SHA1
7a6085d115dec9fe3344fa041adfef173ebbee90

SHA256
0ec2dd2311bb817b9a953b6664ae7610e54b99a0b1b160843832e7567cec0d0d

SHA512
6c673a91c616c36ecd15897593cd196facfe3ad00e07b9818d18b8ab540489a5cac7987c98a263e8f135a3ca7eee1d6e2ec21798b5e5c83f336f9301e6ba7c9e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0ae2e46aa34e759d6fb5e01b7ca76f13

SHA1
5e314bd49f49bd42893102f18dde21db7b012037

SHA256
6c6e5884916e9a749d437040317fbe9990f753b05ca55c9e35315510d06577c3

SHA512
fffc0e3cac08b78778affcc57ef658af848dc7a6ae8e35bc6790d7ee5262851c7e458c2dcbab37440658d40fdde437b61b52107ab827ca0350a5d473681a5e16

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e3475ba7e3f577171fe176e696ac442

SHA1
963c6a8fc4397d0a265d3dc21b19ac9f81ad3b72

SHA256
efe5137ed7ab749cdbaac2b99d3a6c51543c3b8d49f455c1b98a1358918cbdc2

SHA512
a59bc7bc280dbab9c5c3b04dbcea783252c220ad92e8c40a77b48cc886348925414a6cd26746be0e8b0a7bf8548836ff690ad77575f8caed70fe4863c2149806

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5f621885c2ad29c32271c82842ae11a1

SHA1
26f1af88c89f02e1ebc86f0af7414ff03146085b

SHA256
a2bcbd58ff978e7670a7add95234eab99bdaaa1643f6e018defb87bd8cfef87e

SHA512
4259e086a2ec95c98644087bde4c064677111472badfb31c2c1ec308da330c76887c2917c171b2963a4501400804230cf894304e4edfa9f3bea71b25db15999a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3ee5ae40188fca346b55c1cffd900f9d

SHA1
00f9da399457a0c63699e6a7349c409361fef369

SHA256
6aaae5a39d0be7286e5ac83b5060a7e2726d130a9f7efa854260498e569ea493

SHA512
63fbea6904abca2a427165192c9612780ef4775cebce7fb8b499f936489005e26ad1f405d55bf465918c16e09aed7911f94b9d4314d72678c8eb37a583417e4d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b26d51e3c933224dd800d9727dc921b8

SHA1
6a11184f4779c906aa84c775250568a720c72171

SHA256
3009d6df795afd315c4bad0f85c7ee1e0b6b6701668324e4cc49948d16675740

SHA512
e7e73fb49b603cd962754e60be2d0269f7397b74f7421c6af80fa12dffea54e1de242c9131effc05c9ac89665bf7c5c783ce876fbfe4082c8a5709818ee485fb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6425f36ec9989a0dc4ba2f2606174fc7

SHA1
d098f6c6a8b04c88341c0fd42cbbbc02c21e1ba0

SHA256
e953788fe2cbccdc55bacca100f601416e8fd0af0da33efed0644c710ad5a3f2

SHA512
7ecb59ab17d3e1c5008ca95795b617b2157f3f98511d115855ff80203a433abf38e86cdb60c420df1e3c43a60182622ebbee3a5ec73ac21d98abe2231e357891

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1d2ceacc601f70052f55cb8620ca3c9c

SHA1
2db014f8d186317d2329d5099286e034c47ba1fe

SHA256
c96df856039cf3592cfc7d60762e28827ddab371ab8467ee0ec382fe62a66cff

SHA512
b619244314ff3d81458425aed1119a10c6f82caf58fda8b6c1619f3ab6c35c5db32263206dc9fe58db7edaff9511daa90d2a6fb21158b62bf5f39f7ecf3400a7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc990ca39bd30c30e1f1efc74653ec5b

SHA1
8f24efef6abfaf069f887cd3a025f625ac8739aa

SHA256
7fad31884e01c8372f5b70fe8a74c0d03d2c2a13974c13b2bdb896350922f947

SHA512
ae9ed389a7cb8fc8fbb92b55f6b6e5ec546d8cabcd57265c22d02e1bc522759705578fc462183b3eff6ce3768f9ea9ca23a7758ff41b48cadfc4baa0714d4b62

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
514b57a4bc42251e2b4e6e39addb598c

SHA1
5755202e6dd85c784929eba74580fcd381b03fc6

SHA256
b4619113d39e1055779d6204ed3550524c591420c74d7be7478ca0e694c14c67

SHA512
8bee48416ae08e6a7f570311d6c5d5d4e3283fe39bdc6714f44a2b9dc1580fee50e6821d8ed8041095a2e947c79617f9dee7ebab587bbdae349081fe881fc71e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
617e94a0c4f58a94b6a7132b3230a35b

SHA1
33236a907a1b2e52c3dad3fbdd44c00d2930e5e7

SHA256
d791959e3977cb028517b9259e87c657d594a59caf23899e834018f9bd25f5d6

SHA512
8d55ff61b14cdf71f12cb5e5c453a7a603600ff105c73f75444732b6932108d72e2614e0e86416a764f092c3f004b8d7d2d8defcf00e147a78ebaa220747c415

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
73c1865df09e2e980aef44b7509b3b3d

SHA1
943fc129d3c36ff312d8fd5be2829bc0076c3ac5

SHA256
30eb8c5ce3d7809f495b6c690b76e5a3f113c2a003c41256d04ccd6259169178

SHA512
4f60b9091aae8b50775ac45f7423d2dde86e04b6497bb57512eaa68cf533d0d1a3d68ea1f96560145b08531d829376df739d331d56c76cf8adfa8cd99b3ccdcd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
09916cfcdad47d387acfe6f242d6e2c4

SHA1
e0445690aef1772fb5b0155abe61148a466eb0d5

SHA256
e8c056a8b0829b79a0034862e8f5f684c0086ad94dc4bcc2a166838c09e025fe

SHA512
9e7a951d881f22d71147c186ddfc6776e7820664fc47ef058dac3f560cd30fd605e6a935ffcba7d5c01d0fc281642ed117c8f794956119d51890f4d49919b8db

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
bd74e55d021bdc04f364106682094d8a

SHA1
1bf755b373d39609bbd656be4a94310a05760f23

SHA256
acaefdf1db190217b844f404a61ea60c0f88537dd8dbbf374737d09e3654fda3

SHA512
03adb00ae03775b5ea1d517a074fe5b96beca8e89e0d1f4a189c0216f5974d475b390b21f91717fe8de03192daaf24bf1c0e8af5fd30bbf9c5c9cffec91993cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
14c182456ce82bd280e9c7ea01433635

SHA1
d786bcf8ad446094f1bc87e6b06259a92fbf7e09

SHA256
411c2decb95e7b8d242896c049b9cd9ce6351f7b81e1ffb537946d9098a79cb6

SHA512
a663e8aa5f39c9a16c7112bbaaeb4dcf5265f10c5c7d9b017619870bf426d00dd0d7060d8a99d8315ee7e09a3dfce3a8df650e7429a44fef9849f642c1cc4988

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
75ed13d1257602cfb08a5e87d5586016

SHA1
d8ca3f968033ad63ec9a31f2e37fcb4f9922c2e8

SHA256
836f3c901537d7cb15dbb5199c80b56011447e8f8494987b74e3593dcf8e4cc8

SHA512
8c597fc3380ffacc0581894c8395f4bbcf991218c104ac906069f8a080d4e3bc8fadca9c161bb3c1449049fbba3e7360fbb95df8ca7145608d6dd2329878c1af

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
317929e8654a5a8803e4fad4b8f8a2f5

SHA1
8e5cddea53a6642380d585d45bda8f11cf53cc8b

SHA256
f16ed7621eef75d047de78b9d39636e6b561ad8442d21525b3eec4eb47e84daa

SHA512
1e8ce6075994453105ff0bc48455b27bf4ce9abec438fe73da3b268318631ea23c4321bbcf73dccc614bcbbbc90bcb28f1c497fd16f76b71235881e84a61d6be

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
73a8b08b72888f42be26289cee602f15

SHA1
5ab77af7c1bd374e3e8a4c919a3fd3e6feb2ffed

SHA256
c236634954689c43ceaabd3fb653f0b6ff3fc13b812fb7afc9497bff19f2edae

SHA512
9a196156a46c61bdc3cd748d31e6e5e0b641c5450d610b12e83ec58438845500e5158e4d47e4a29a3b4c6cdec96c3ddc2659dc865abeba25a342d8569363009c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
a6df981dafafc5a00dc45161c90093aa

SHA1
beb13b46e8af656fba40c45b7b608f535a261914

SHA256
fbd6b3e40eff2b48213d953579103c5b4f47229e7d1daf4e685487bc7c71f78a

SHA512
84844ce2ad7e58a63b03b94c424ceaf3105a66533733192bbc2f7435a758e462465e6a274cebcc6f8b5c1a839009bcb5a5071a05a18024443aa138db8654b852

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
dd1956ed35559090039f3c21a605217d

SHA1
36b6a94c53bc752d166032b302d1f9fc4193a9f6

SHA256
de31221496fb0b1223ca5d6e4099dbf6dddd3b3596d72c4f1fcb7d828724367f

SHA512
536bc3831a525b9291c36ee6e094762e55ee1a07a8e8356c06c37195bfc697bc0fd1b2c792ea7d9fe44c62110d1521460bcf7fbad3a838bb7f985bf6ad3addc4

Download Submit
\??\c:\52e12616549814b6429a5c\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\52e12616549814b6429a5c\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\52e12616549814b6429a5c\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\52e12616549814b6429a5c\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
\??\c:\52e12616549814b6429a5c\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\52e12616549814b6429a5c\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/684-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/684-13-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/684-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/684-109-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/752-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/752-223-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/752-282-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1076-324-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1076-332-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1104-113-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1104-126-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1104-124-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1104-112-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1104-119-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1292-266-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1292-255-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1292-267-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1292-261-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1400-201-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1400-269-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1400-210-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1700-252-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1700-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1700-195-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2036-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/2036-1-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2036-95-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/2036-7-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2588-171-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/3160-84-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3160-157-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3160-96-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3160-85-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3180-101-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3180-107-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3180-170-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3180-100-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3184-283-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-292-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3332-236-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3332-227-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3332-295-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3548-243-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3548-308-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3548-318-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3548-247-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4120-208-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4120-145-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4120-153-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4196-137-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4196-128-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4196-194-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4196-129-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4252-160-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4252-221-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4252-166-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4380-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4380-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4380-279-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4424-120-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4424-64-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4424-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4424-54-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4592-319-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4592-310-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4716-80-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/4716-72-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/4716-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4716-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4716-87-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/4768-67-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/4768-135-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/4808-239-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4808-183-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4808-174-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/5084-305-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/5084-297-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download