1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
Size

1.8MB
MD5

bb0d5a47d215f84edcf7a0e193950532
SHA1

1255303108c490135cacf68ff2968da1391e6824
SHA256

1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765
SHA512

7b21fcd1e5fdef706205aae3baebc5f0031310d8d9dc332f3db4eb249e83daabcd50717c8142ed80be83168e7e5bd51c73b683e0db84f6a11499159d1cd81d55
SSDEEP

49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnS6mgiTd8DsMcDKGfWbYCGE:zKlBAFPydSS6W6X9ln9BiTLMiKGu8CP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1124	alg.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
3672	fxssvc.exe
4724	elevation_service.exe
2544	elevation_service.exe
1900	maintenanceservice.exe
896	msdtc.exe
756	OSE.EXE
2392	PerceptionSimulationService.exe
2380	perfhost.exe
4160	locator.exe
2600	SensorDataService.exe
3612	snmptrap.exe
1172	spectrum.exe
1292	ssh-agent.exe
1492	TieringEngineService.exe
5076	AgentService.exe
4956	vds.exe
2976	vssvc.exe
3452	wbengine.exe
3836	WmiApSrv.exe
3800	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\System32\alg.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\locator.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\System32\vds.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e144a4db92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_es.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_mr.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_bn.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_ar.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_pt-BR.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_ca.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_hu.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_id.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32F7.tmp\goopdateres_fr.dll	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000727c97829a9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074e23c829a9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c420a0839a9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d82624839a9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba417d829a9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004133b3839a9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3c421839a9dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b942e829a9dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
1940	DiagnosticsHub.StandardCollector.Service.exe
4724	elevation_service.exe
4724	elevation_service.exe
4724	elevation_service.exe
4724	elevation_service.exe
4724	elevation_service.exe
4724	elevation_service.exe
4724	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
Token: SeAuditPrivilege	3672	fxssvc.exe
Token: SeRestorePrivilege	1492	TieringEngineService.exe
Token: SeManageVolumePrivilege	1492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5076	AgentService.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeBackupPrivilege	3452	wbengine.exe
Token: SeRestorePrivilege	3452	wbengine.exe
Token: SeSecurityPrivilege	3452	wbengine.exe
Token: 33	3800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3800	SearchIndexer.exe
Token: SeDebugPrivilege	1940	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4724	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4608	3800	SearchIndexer.exe	112
PID 3800 wrote to memory of 4608	3800	SearchIndexer.exe	112
PID 3800 wrote to memory of 2140	3800	SearchIndexer.exe	113
PID 3800 wrote to memory of 2140	3800	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe
"C:\Users\Admin\AppData\Local\Temp\1b7f4fe885cbf6cdff37a835020dfcb3d1bd71d21cbb7167cc3b638cfb9c6765.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:896

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1172

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
df8398a114f1192110f83e5e75dea702

SHA1
29515838af5ba6a6cc288915f1febe84be41308a

SHA256
d217e99c345229598822eb9166183156dae53db766a26e789fd513b568b60956

SHA512
2da44ddb7e2e636c2dccdc60003426ff174b264e77a2d676adc184bcfb666018e90dc4fdbdbc6672fbcc0b7eadb2559dec11c1bc5ecab486271a2cd3b4890ef9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
121445389febf16f8537e44be66a115a

SHA1
f5915ce7e9a03e536f51ce504b9c5ac8b1d38c7b

SHA256
b6ba1c4aa9c35a6a6894079c4f179905935d964dcf3d75301ae2c51d38cdfd43

SHA512
6e6e5c5dcd915383103abf88326a1103fc0a577bb4453ccc746d4ffdcbf50e222d4346f7ce2f3834bbb055069573a5fc5062dc782e28900251e8c19963e5f105

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
1725e3223bd79b6e6ace6889338b88ff

SHA1
41bb80f7ac9fd6bd66c388ae8d0e09f50c346d67

SHA256
f732a0580dcdf67e7084f713e4fc7623c8e5f5b7e1acd0bed25aa483ed3a347a

SHA512
1ea8b5d497f0295ae1503006a7d458fb680883074ad651bebff2e2d8871b3a2efd797e8581fee8fbec4040122cf10ee96721cc8fbba670ab20ad23a63b9a132c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f6405f6741661f94804f6f8d531c8ca2

SHA1
304f7a6bb4ccb6e3c5fe85380ed2068a87fcde4b

SHA256
647836931cae72e17c07284843bc19cda55a956da38c730e17bb6fb6a180f0b4

SHA512
5dfb659d531c0bc4a1eeacbaf9a32526772308cc37cff401ec321df2779de8526cf65ccf98e078f523028bf8a45e8789fb1335fc87f34b6abb2e9a476038ab6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9b16993622a63dafcb6ba41aee4b9197

SHA1
4cc5f03e7aa488e1345944f07d97183a7b73bc31

SHA256
f21e2b1ef93c69c46bcfd8196735519c71322fe337a10896f1b8bb67ab08bf30

SHA512
7322021fa70043870f832437acf74bee5b7856ed7f4fe4be2e3077f06fdd509ac0ba3c030decd2a9e13f394ee4672ff467bf948275e352ce817edf097ad66e3d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7ed155105cbcfa3d2ebd4113d1d8f035

SHA1
42ecfdea30c73465de37a95e3bae718bf2c65049

SHA256
4d4af31808924b9c4a1c06ea0d9b1561b3ab3789f9d757800ddf6e060bef6d44

SHA512
e83717b29754f715bc953f00c188199a280ebfedf95a825bc462e97dfd7c80318be122ec61d6a2419eda41089684fe9d8e03acec1657b3aaa79bb41c133eb662

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
c7e08edf31e2a8455c5f9456c08a41cb

SHA1
64aaf7781f7cede14c240f75996324330fc37e6c

SHA256
9176884e6ca8c0a30630289e16f6ca3371c2295702f09568ac3bb781feb8b140

SHA512
64f3d7691577d1d799397452d36bed9b017eff64584bed685ba4a6b4fb474ab1246f6ae9e7595d66d4d19a2f01f7924c352df11640e3602f734f7224d586d1b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
df50c12411878c3a102c09206d6aeb3f

SHA1
b1972d5bd1d04c8b238b00f2cbaf6263a4c934c7

SHA256
b32e24c91f9d3221aa540ab862b15ec2062517da8c44a6b233d4e9f68e289623

SHA512
2f8a2613af96447ca745d752669f3c098f3347d277480c8eaef494b4526b19bc27fe578ced9aac7c9896539a068f2200e9a8024f86925af71ff4e8a08570e27c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
d83cc272ced6a897a327b478c307bf15

SHA1
40e97d206b3747f64bcbb8b5cd5925bf5f855b19

SHA256
13ef77bb15f5ccf1e1fc449d126c38adf313ec8f600419c25a1d13c9773e1fef

SHA512
95fa63613e6bfb6d291a2b0edcd2bd553c6d952908c5e55f54201325d50970bde5c6689c4a48438e56950d84975d5114b08ffbce9476eef4d02199ee765cf03e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
435a0f00f8d907dd4a455d4003ee4d44

SHA1
051a0d4201d9ae549abd15c620b47f4bada46b43

SHA256
e139368f062aeff2b86817a9f967553365e865ce85d5cbe3d1353584d2851727

SHA512
9bce4b36c22d3e276ea0ad4ceb0a1cbae7fff3db1f55653f25e3a9d2c4a7ebbdc32ebbc227873b0ee4df2758f1d976ac9daa33409f5039cd819826b357037727

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d78d3bac3309aaf4b6d5a0d493f45aec

SHA1
263d94cda8fd8d7d55f64796ed7c428b88b07d2d

SHA256
620b102aa2e2978efabfa9d211b39082a4f60cd68e6c24b61c81b9076fe10771

SHA512
f18c000904bf28bf094f2dced9e56d4529d47de78eb8dedc048fd6de46b64c12ec348523cfde71e7924de2f1d70181805109ba2c4b8f331f4b796c337c090a5e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f24399cccc915ba9e9abc8e12108b4a1

SHA1
f1a7fe2a64b77862663a67c29e7c6d01e6b9c838

SHA256
c96e48626b0497b5706485a14961a0e452f3e1a514b2b7c3812bdf5f556ae4cc

SHA512
eb99767f3368ce4a7c474cfc6e02f0933dd8e6e7d3cfcef93032da289bbf8dfd074e701aad41ef78033892f171f88fa9d575c5403a7446349f2ef0ba72d7a62f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e4baf84e7686d807f1f3b75c84f640c2

SHA1
fba3afc8875fee3d13c58b8b9688e1eccffde653

SHA256
7bd39de29b5f6c0525b45f75a15e6674e1f20564950afb80a323a06f83660cfb

SHA512
1f3ced34d56131cd572cb7f75d2534235c3e6376d61946d8427ad398a14c11b0085d0abf6e77bfb308981199d9fc82679a12a3b11a96eec4e83545dd764a4af7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
04910e6a4879faa5bc51d64019248584

SHA1
1ef872d3a5b634a230d00c50f855ae359b5800b2

SHA256
d42cc54e0c01593a8d2f8794690b6e14f84bf50f3437e231a5d36f3a6a0ab4ae

SHA512
552d3577cff3e8fb9472b2697d5353ea28a02cd13d37c81c39ba41f9d00e01b3a8df610c56cf88e5e5196106ba1f2a3a104c36429e258dd779eb89eb557d6f81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f50fad65d082205bfd4539c0f4a8abbe

SHA1
fa7ed3f5eaea2312c0de68421ea6e3e5b5d26c29

SHA256
0e965ae8b7c55e9655b806f67ca3b7aca6c6f6e6bbbe73ee6e64015afbcaaee4

SHA512
e84b95c0521d9b66d096db08fe25bfea9bd659a8744b2c0ca972eed9abcfe0d8a98222094a8691cd0ce2b94e5dcfc83b9113c99df81363e6315addfbba7323f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c8c3bfc01658b8cffa1b22b5d1d07c1f

SHA1
1757ee54b501fdbe4d053f17ecb1c682b4134b80

SHA256
3f0a3ad3929b992cc91e6dcd52fd2dc7db51cd6494001e4e9f0c2f3ebb3e2f1f

SHA512
cb23cccce525de3c1bfb44a11d3572c0753f7de2713e67d2d63508ff09d209bcab761f3893cb9914b8df8c42d29936d00f0848a766651f6cac7fc92983e29ff6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a336947cbcf3d17a47eec313aa2a2e6f

SHA1
f45dc4a7508906fa67689ebe33f41e3b60cef633

SHA256
1b35b62ab75a880feedd814482dc526369953c0cfbbdfc76b69d499bb06e1fe7

SHA512
18fe120fdcfa54f9014f4a1744b34c0a0ff2eb4b46a386c26c23a2668bfa0b79008713134585b00d1bf01fe14c8a47c48d85d41fc7997783f06e13149f959124

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ac2a843520e166de68b94105629e21ca

SHA1
e81ea2241b6aaa87e0499cac0fb3ed7e4537b284

SHA256
932c354fdb38c2e28d98003fc0b091065f680d279c2bd8ffd44a47af24c1bccb

SHA512
3f35be477a1792f7c3528b8a556bfc3c03093014cc349d552434cc0be02350c0574ae12bfdabab49c585c07f352ddbbe095e2ba711374f389515169f88bd4a38

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7e71c4af3611c72231b390fe9088331e

SHA1
8401fbacba74f48a016a785d560d00155c99daff

SHA256
a1a85f9f8ec80d84128bfd3d74ea29a489454bcc51c0bb552fe7de129e4773f2

SHA512
e8b61c0f23ffcef6858ed7ee4b7a2dffd4daf5d0a4585f6e29eec56377973559dcf16dd11f19cad906f6df3ddc206c011625d6d04b8650449f748f159941ce49

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a80b080eb31ccb27857c63f4c504af3f

SHA1
9d24671ce7f2d4a71560137721f4c7a6bf80cdc2

SHA256
fc3c084cb07541957a30e4bba0f921d09da3483fc92d16dc37d9024696608959

SHA512
05542abcce146852c077d933f9c4d39dd3364b3d8473305298c8bf9da994bf4879367f1249706b860feca6ea3cf9aa9f796e7d8521867c58ebbb98b506d8758d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
ace392c22094d25f614619bcb2ea0798

SHA1
ff3b9e986527d54e41815ec0218b74ff216d65a6

SHA256
60cfb063234b33ab31b0e3a90fdc3110e7dc59e0a39025d466def3e88dac7312

SHA512
7663ea2c952fc4ac798c990b04fc825b2cfc42efcc25c98e2f41d767a6af1832e9235240c9b12264ba1a039b04e5e519ca25ae273cdee1ecb21dcab0ff637cdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
8fa9d536839dfe6dad85e149d84e5215

SHA1
642c3ae4abd626405edfa1ba84b2ba813c33ed7d

SHA256
7426befc83d9cda2f2c83343e017cfbd32502d8801f80e31f47d256d9995a15b

SHA512
7cb080ff92f8b9f2512f109e7af50ce7b521e616b1e2eac0e134706956a095c57db94abfa8a722a9c262f9a6e11dac2bcf98953d0045ca05192c244c0cb0b320

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
3d2618d00fb5745115828887eca5aaef

SHA1
edf86d71bac0cfcdbbf1c2e491d71a0980e05ecf

SHA256
142cf021d00a058f97baae6868740364626e37199eaab7fbd725072e689e9a60

SHA512
8a6908399e401382e4ebd18a667da0374cdfb9e0080c71259a78f6dd758c640ba0be1258b4244d6045b427b2c414b6255772c1206387e2bfb8b5f89fdba7f275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
4389affc4ebda044a1f925ac25019818

SHA1
1e549e30d05bc7dda2116bcdab726de161e39fc5

SHA256
693b11eab679cf456f7ecba75744d380c2cdf353d9cad241e5c0df56daa55ddb

SHA512
4bd479fe4b5e8cb78ec8119e9694a064476b65ed34c0268c022708c89cd9d1f4007c44ec5fce978f7e541f5e0bfd2fa2a24c4591daa5aa8361d1bafc531ccf95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
53be941796823a8666d4d2a1098f6152

SHA1
652852ee725e794e208c0574952152909113871e

SHA256
907a584e79afbe07a57bad9fc943098f8dae8a8bf06805aa7b6120825e6733f8

SHA512
f0b99fa2ee74a5d02e827605c3707c8e03c5845fb27cfa44ab94defe13056bdf057ce10622e2bed1fc0956c30c947fbf263aee5ec5e32be0788bf8e26a9e3e58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
25e2183b1c38f3905a5719533266da5b

SHA1
688ac713eec2dbf7fc1c4d9d67c046144b04bb45

SHA256
beeeb1c14f94c4b8f7023bc9ecdb12e72b548120151921e904d02a60e64b3e50

SHA512
d8bc88afaeba40e3743fd8bc54b66f8334937f0046c539cde6c13c7787b839a65de7a69449d9625e918430c0936e079c8686e05122bcf4b8703b69f36670f8ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4b7dc3adf5a15c962bd69f54e00653d5

SHA1
09ef09d746bf75bd5f037381791addc3a472be14

SHA256
52ba1713d2bde3e153d9e16ce8516a003c378aa44551a73af702cf8744ac7fa2

SHA512
2a547905d9470ab968a8a84065a1b887aea48f6b0a1660c55c947a9564a919b81ed0eaaf58dbdbfb601209df4a597c6440f447c35fc30e80095817c910d911b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
7b2742aec58ccdc34306b62613ef5549

SHA1
56b70510199e937c589c2d1619bee6e6aaba67af

SHA256
8c42889efe1bfd2891b6c33be9ec5c8d7639c6b04154cebf1c529a233f6a0e6b

SHA512
a78dd1a66e2e6bc083921b26691a2ca0a4d941da9dd92356e05f7d02e02e0ca2f2700616ebe2b086486553330b2ce4c9e568bb5d2f9e3771e31c99e320869a1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
5aab248a7215443e7da83d87bfeb1d1b

SHA1
7e38804f5b2bf5b5258a4efe02fb68342edaaafe

SHA256
deffe49fd23e19b7506bc4ad39e07c5422b39e828607cf5ba9e82641987dacd1

SHA512
aa66a9c97daf70205f5da0d3b7f587c9307b107146eb9f2bc480774f10a98109ee69e7df9bca63e31cba550d9fd213dd275f517201348a739cc5ce198fe063c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4ae3de096e7826c023f3370eca611687

SHA1
456315b8d3454f9d7dc82e85cf84d97b33e38c10

SHA256
7dd9b1bd0e25c24f7895a3def4a223ead23855f67a0f8246bc83e05eaea12b9f

SHA512
20a80eabb7e286a4f91b0f9d0eab35c45c76be07b474f579e596033e83d181794145b03201d96186bf15314427db686b3c1c919bf73d54c54dcf80b185a516b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
af6f1120deb9f8d45a91e3bd6de62616

SHA1
a14c71e899cc066d9c33b875f952c22e8c2a3cd0

SHA256
1e3573d9c6ea13c80f8a1ac8d2e4395c32c149f9767faf2ae9605ef924723c65

SHA512
0b7398f37ccba6a097b5299e0fce0e38376b575f6d9462e12e8b4b15839d410840c5913dbfcc5108c766213f91109c75ad827532ad8521964f03c3bc61613308

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
706fae38089efa380aa9299f399733c1

SHA1
0d4a79df4840d56f89288ebc2db401973411e4cb

SHA256
5a7e6dcf71172c6cef9e1ed31b5c359ccfb28064db180f94473b3f9612c42044

SHA512
bb8764e6d323aaf944a1b6f996ceb1a1eddc0192be60e4e5465d609388e9d108b6db244987c76684538110842106242be6f5425f2127ab8262e4a8cbe56f7be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5e5443a72dbbf50cd51e7ab9f93f1f71

SHA1
c1cabd0d98a4bc293c93aad63a65bef860c0421e

SHA256
210733d978a2a5275932844115b8b9e08305ef5e73dba58b1f75c41f00aecd6e

SHA512
1bc763a37cb838e8f07357a1834d89fd2caf247321dd4e39d573692ae8bc5d198c3c419a53f1e2a9599d6cf41b6a608a77b5900ef9b48dbe8bdb0ae221bcaf72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
dd5fd685a11e05bf65e5ea32fd6d946a

SHA1
8fee04c4f93980d77f8837701f52252a34e72713

SHA256
108c96c30b527758f8110aca31f8ca2a263f4d8af98e3d0e63d46a9db72accd1

SHA512
382736335af487612c8efc4d3124b9002d645eb004eedeed5ba1b4acfa84abb1c103ea9a4d2b2e9dd9ef51b4307a4a6adae088e0d2dc6186eee87fb87859be77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
72745d07396eccf7545904e9abadc97d

SHA1
a7d2b31898923d9c790c8e5b7d288ffcb300b8ba

SHA256
7ffb1dc642e20a3fe16d4a0a89130470ec31f7fd8f88f57e8e0c93848d39c99d

SHA512
c998b44d25b05671bf5ce78182b58ac3fde2294083529b4cccca95a8316fc87eab79e03ec5de88cacf407ca89aa0c113e8db3a68c42fd2f90bccc353ba0870f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
c1146e28597ef5cadef931b1eaf038d8

SHA1
a87d250b154425bdf711dedef25bc9b983e0c610

SHA256
2887b6f3be6d05fa5d99a6bf57e284df765ee27b409dcdc4d3bf54782b2415db

SHA512
76b1cc904571f232d1b18d84821113610d02bcfd63da536b152be31873ff23429cb714edaf8c1a0eec2414d47fc7f32a41f7bf83f22c180a668e8534696a8ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
3f7718f4f02be3b06ca51948d20ca218

SHA1
d7d0dde9319246117641ae98e941735b1ee13cc5

SHA256
ff9a7c528dc8b66f00fd1f5930a2ceecccccfac2ace23c4adccd2e82af83b776

SHA512
dacb08b617f45a72b887d4fff252dfbc33f914fdca56ba587b96551537adda4c3de742ddce966ec54a70a04f6bf95fbcc5e103a42fc15545e8207cd70eb19ec9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9b990f270942e882dcf8ddd58d81579a

SHA1
e8813f564f3704f55f66c8b9bf9fa60afa7e0445

SHA256
dbaf2612e9462aa7c61057fb69c2e70f05f1072a4fe36caea3860acd88f8c485

SHA512
bdb4a0654f1290a6645f4789a6199c6f560a60a53567f24f96ac013d09fd5bda37067631218bce3f6b9e2c5aecff8484f2103a31ece1778df6cc5f119002daf7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
29589aa6ad4468cdfa2564f6f963b062

SHA1
29e8debc8a588f099089531614be44e4dde272b4

SHA256
63d2f6ccfaae8e6d9bca272414802a982f47025beed7494c2fc89483e2bde4e1

SHA512
487a27cb5f03373fee6af1cb87028e833d22e3903e2a9f130a515d105fa1799e40deb2847f34fd4c58abff7b639bc355330de5e5e17d0ccb811b3ea8395c39b6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7e553b23f31b2e553fb09f508cbc372d

SHA1
c71e801284e661c6e8731a7445e9db47ca4c863a

SHA256
da2df176862716da7b4f4ab0a4dbe03bc136da7927178f176e717243a0bbff06

SHA512
bc74f00c03284350b2e0186eaa9df836ea6bd84472e06712f065e19b2a4dca8f084d75bfd5488ab6fd36a5d7d3fb9967ece5ffe6b2868d51d47b546d054b91a4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f60232c3751caea9801f10886c4042c1

SHA1
89a035467355ba5f2625cdc156d2a729720b169f

SHA256
ca6f417821c41fa7d604acb23a72e52aeac8b49ca5de565b1ea4658c514badc1

SHA512
0216670130fee47b226a2cf60dabb44ff696080c7fbc4a4bacebbe2eddde5c06d2970f294c110cb6acd3e869f19589519f57d8136b70ffd191b138c767cad151

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
5d9c2046b06dbe29d943ad52567fbd9d

SHA1
2d9b4a5a984444aa60e3dadd1c07899badd8d606

SHA256
5a1dc577115526bbc7913c02c10a38cecca2954a7cef3ec21cbd5e6f004c22f2

SHA512
22a772bce4624be35c6b0e60b5c86b3a46dbd379071da59e5e8c5fd4bf553ce5b2f80bc148c63298db5077e60e08bfda1f2548d54d41263e6721c5c596fd70a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
336795e29eb76b363a5b2106d809e7dd

SHA1
55a2c35c570b3d09a6ed36de506f81121372b633

SHA256
1570ec981e708524eca457108b4e0e09cdc459da0005923466aea8eb97ff683a

SHA512
3ee1b985ea661ad157c384c2de74fc4bc69187bbe276a0ee1477f27a12cfc175b2d2162faa55aa9a1ba9845ba5b478cff87dc269792fb246971d8b5d4d359d6f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9a5e0a20a950ae63c171983047c8a631

SHA1
4ff94673eb100c428a367ffbac95c3521b8ed8e1

SHA256
fe3bc22603cc7251e490b2e54ba561c47c11ccb453ed056b5c02cbd003d7a825

SHA512
c2a9eb559c8fd2d5f5cdcd35e4d12fdd7afffbd488c23dc62010e58ae0038a323325805cae3d9e9be028b3b7ece01afd8001ce9513bf90b7402258a73b08fd4b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
ad9f8a3449e282db0bc4ff9aa94e3354

SHA1
4575a4c919c9fc57423242df5112a2a871d7ec22

SHA256
ab11e50fae2d12d914843ba13d520c1c5758a8b9eded935bb3c3c82c404f7951

SHA512
f75d24af2559e1b59a90490055ecb29f283d30ba8eb11dc047f06c0fb3ce674087c944acb02a0a0939cc680770167405ca5e1e260e29108ee1bebb619bedf2f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4cd35167460e21cf679f64f6b250bd35

SHA1
5ee47811d72865abcff2968fa38a6927b934a6c4

SHA256
d0e040d4195d088915e8f10f0fd24e0b24565f4afbedf683c6a2d2b17b63bf78

SHA512
1cc6ad73c4b55c03976f51752d22d39353283c8034d6d89c038b52e8e31310577559651d53b0853111b23b7de5d8e32503878fbdb90f5bba187518cc4308f3b0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
660ae63bc4bfab0506284b0b611685a7

SHA1
ba10baff9e17ac4618fc325f99096c7bfa68601d

SHA256
cb7974a52e2f67b0aa1a52dd6a555ede78cf490ef7c7a91cfd69627768439144

SHA512
ba68aed1abbfe7cd6f0acc174eda3bc2d762904b7659c456e065c7e9aebe80b60e61ece86f799bb45b63626f92ef8ea2c8a3196c2718429655f47ac57dbb700b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0b855384f5c577fdeefbf41e53f7f6e7

SHA1
c5a9070e3068bd64dc422379a8e6152da422ea4a

SHA256
bcbaa35598b1683e4bb285182c18ac636203d69d1a8879d2c426c9df3cc3000c

SHA512
61342df0e7f82949758012f42e0e589595802f601c8c28715f3ed605760ef589bcf7eb114d4d32e5ae754e8340e317dd04b986ed46f01f8583e1e626c1edb5a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
06f32b82c353d710e0644a26e66c1f61

SHA1
8d1b13afe5cd04395ea6a3fe7838f0c7bbf9d151

SHA256
3b297023e4f58ac6f0492245b104b56e97bbb8031a85af7e0c679328d29aeb4a

SHA512
e1795802f67b6118acb91e35d5b2c85bc36bef2347963e3bf66f48ad1b5a3088d0ddd738b7c81fb46e68634ff6776506eea60de6cb72fdd8417f55a352204e85

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1d5b1829139081b56eddf9818b569154

SHA1
61adfa9ba4cbdaf707ecead3e7c7d3da160eba13

SHA256
276a6d2deb153663b26b0401e77b41048cee7acd0a65911d4585ace5bcf457a1

SHA512
b6581ed7fc0446d4dd79a9642c7b6b7db34d139e2b0ae47a83118ec7c8dda9e050653940feba28d82aa6aace420df39391bb7aa47f2dad45b760a441ffe73294

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
57908c38852d94d2407e4d962236865d

SHA1
b25ab59abaeb3caa5a8b71057f19d0b7b9fa215b

SHA256
9a8eb8ca2c505e1d1160700240256722c936c921564f3f2705879f7e1c629dc1

SHA512
db5c90c7056dc9cff9710ebc8983d711846bf7c5584d1fc45f83a945ab3275b882a97bd3568e8710643a77e093033af8623f578ec3dfdecda89ea22abd0d2bc7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fb259f737bb07c667fe433b45c5e3953

SHA1
4b7ab0d5d5baedfef3b2bf97f1530fe92aa900ca

SHA256
06953f8aadf7238c8b55c0576551ef039156d824700f6bd1847a2089a023565e

SHA512
0ee98b5b046f1f83a48102ae26f3ba38998213defa0077f990ac2b110cbbff53001b2fce072b5212ad5e75ca5bda354350be249176736d56a31a93b92672b2ba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
8a41df303515e5fff944ec3a95cfe89b

SHA1
541e2834eaea9a3690abcf16f4b8640aab371a60

SHA256
6e618b3e9ffc121f49844da3cb884b54cdbc0a9e6daeff2179b1ddb407808ea0

SHA512
3f4a3c3d708c59aafa45d7d8cf9b53dc1a45275df49bccbd2115ef9119440840ca3d19dd4774a1b46ae7240c4802ebb57d321e0a5b9a4065122bf7a3b85d6e4a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
977bbb2a2a826976f183823a15a87631

SHA1
69d5c706d0adfa7074e01515d0c03d951fb7c2b4

SHA256
0c886560a482115f92adaa19f7bd6f4a35d24f84c075f0d203f1d77ae7d7bf10

SHA512
11921bc375f5321246951e370410e931e3f0733e146cab4ab63f2da23b8583fc257f487ea5330bca80b2c8fc1e878386f25e0d4381f868312ba3a0ba2c1f030e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a2bbc8c60311ab4b9798764e448dd942

SHA1
dc8e55604744d38ffd8225cc5cd7c7f8dc825642

SHA256
7ffaecd1e009e4ef17d22f0ab124b952177787a6807c69a0a874447294a486bd

SHA512
e480bfddd6a3a3e129a276a6a4863bb08fabd3d6aab022ffa46609cdfd0da55e4f3712ccb9c5c181902a31cc0e4731d0d11cfb5a6faef3df5b43f2ae4f9d7b04

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8e9ea3a8ffe6a2192122aa79d65a9628

SHA1
33846c071f46db3d9e0d6f33d4973801edb2ffe8

SHA256
809ca9f98903866c75fbf0fcd2816ac1e4f6eb2852c7c33d367d500c2d8886d2

SHA512
0531c6c36423b8cb63c0dbab4401679e197a80c9bfa1c247fef8d250ff131e3023102008eee79aec20375d04a8b8201c72cd3db012a39a08f1c25f9359b2701d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
058b391d39b0075d07afab620bcb52ee

SHA1
e89f2f5cf7151ba0c33419a5d5008ac9b39e1380

SHA256
8782605bb9af2bbe6c16df039a4c58650f8af02569e906ec4da0888c084165ea

SHA512
65c9423ef4d3e518b14169216ab66f7bfd1f97678619a529070351f7301810b96431d870d63aad4eab73df6904f16756c68b286a6b9bf9255903a4a6e3c8eac6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5042351ff1e2ebdcecde72b4b2983087

SHA1
890db0a8300e8f1ba814b48aea3a9819a1486d17

SHA256
46de3b20cbe6525b4e398c718ff9ca8cd9b3bac3830d049bcb4eccd119b274d6

SHA512
589c0556a39fc6a505d89ec1fcb61165f8b1d3baef8f004146760c8784c23e697912ff8f31369a0fd1879df87edd9c608dacbce18d907456e08e72d00f60e0a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6d50e84c373efe79e088690acf382587

SHA1
6d668dc62f3b67fccc2a6ef638b8e828d4923de8

SHA256
c6ebcc0d7a9ec6bd2959c9b911c49669b6ad7798033ab9298fbde70cdc354a6e

SHA512
7ebfd86d9d5254f1388260f2d9f2661f7d07dec2219bae40df4def4d027d22b57054011df829d849b38ba274b3934f7228c5eb65eb8673d2e4eb3a071b2f3acc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
e78f9a44762e5222c64aa0210b142b5a

SHA1
63cb69874e48cca73e9a0857d590c31f552d6053

SHA256
a401aa63ea1268f38e8cec1a1283b6aa6adee2a901ad410ba36338d501d3b17a

SHA512
7687b3def0d99e1749eb0b94c18d6e170bac4bc6935f1bcd66bbf00fe6eb303177035aee8a67d0bb0e0f1327b764bb8ee257fb23a0720cd3543e6f0d797a0ed4

Download Submit
memory/756-224-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/756-151-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/756-147-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/756-144-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/896-138-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1124-11-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1124-178-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1172-661-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1172-199-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1292-663-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1292-203-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1492-664-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1492-215-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1900-133-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1900-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1900-128-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1900-132-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1900-135-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1940-92-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1940-91-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1940-83-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1940-182-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2028-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-573-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-155-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-6-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2028-2-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2380-173-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2380-231-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2380-168-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2380-167-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2392-157-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2392-163-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2392-162-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2392-227-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2544-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2544-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2544-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2544-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2600-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2600-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2600-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2976-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2976-666-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3452-669-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3452-229-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3612-186-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3612-654-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3672-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3672-107-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3800-672-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3836-232-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/3836-671-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4160-180-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4724-108-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4724-105-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4724-99-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4724-197-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4956-665-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5076-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download