10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
Size

625KB
MD5

450d06f6238b9c8f3b169bc00dbfd533
SHA1

729c7ba1968731e391c5262c9452f76102802a2e
SHA256

10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0
SHA512

726c14e0bf4895bc0f04a211ef24a9f45e9a80c3055c54786f7056a1789db096c88a96cb5a133252e8ba9dbd91c5b258af0c3313856f4930352150050c40f122
SSDEEP

12288:d2o4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:Uo4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2412	alg.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1292	fxssvc.exe
2608	elevation_service.exe
624	elevation_service.exe
1932	maintenanceservice.exe
1500	msdtc.exe
1608	OSE.EXE
4604	PerceptionSimulationService.exe
4496	perfhost.exe
2704	locator.exe
1240	SensorDataService.exe
1604	snmptrap.exe
4404	spectrum.exe
4376	ssh-agent.exe
2792	TieringEngineService.exe
1528	AgentService.exe
4788	vds.exe
1596	vssvc.exe
2572	wbengine.exe
4572	WmiApSrv.exe
3392	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\System32\vds.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\locator.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c8a28e58beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e38d1437da1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b4f87437da1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6b4f1447da1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000004136437da1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe12ab437da1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa663d437da1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021b22f457da1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051eac2437da1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4836	10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
Token: SeAuditPrivilege	1292	fxssvc.exe
Token: SeRestorePrivilege	2792	TieringEngineService.exe
Token: SeManageVolumePrivilege	2792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1528	AgentService.exe
Token: SeBackupPrivilege	1596	vssvc.exe
Token: SeRestorePrivilege	1596	vssvc.exe
Token: SeAuditPrivilege	1596	vssvc.exe
Token: SeBackupPrivilege	2572	wbengine.exe
Token: SeRestorePrivilege	2572	wbengine.exe
Token: SeSecurityPrivilege	2572	wbengine.exe
Token: 33	3392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3392	SearchIndexer.exe
Token: SeDebugPrivilege	2412	alg.exe
Token: SeDebugPrivilege	2412	alg.exe
Token: SeDebugPrivilege	2412	alg.exe
Token: SeDebugPrivilege	1624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2564	3392	SearchIndexer.exe	115
PID 3392 wrote to memory of 2564	3392	SearchIndexer.exe	115
PID 3392 wrote to memory of 4588	3392	SearchIndexer.exe	116
PID 3392 wrote to memory of 4588	3392	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe
"C:\Users\Admin\AppData\Local\Temp\10a0e3ce97be442ca0b8982bd7e2a7b6049109a192b2f1b1f634d67d0f69dec0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3672

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1500

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1240

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2564
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
24a7d10cda3de58a3c62d32f9d894be7

SHA1
91b878f68fb1e72202be4328f7759afd0bd70e36

SHA256
4fafdd6bdfdec4f2967251ec166964a40f3d3367254d0bee5c1c909b0cd87b17

SHA512
ffebec69150ea130f600e1eab07acafcde51eb2c989e64baca18bef3e013a4e9b5555ed386eb1b922c33861c12fc83ab3d46293a11889bc4a9b0f41dd2ce74fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e04bd48446321fb159cf3afe90d124fe

SHA1
d81c75d08cbaf74efd7be152bdbaba5777f1cd0f

SHA256
e7aa6f2598afc86914537d28a471fcc85ab91fbaf450f0c94c04e844a0e2aab7

SHA512
9096cbf20d173e38ef6a0dee78242b0949d5b874ecb01892b7aad459a83a26a1b30e36a4e90ccbf6109a021b2987aa8e079ebfa584b6e98425508c10ab3c99eb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e67a15f53efe5d76ce32e42b060974a3

SHA1
15001d2fc5c678a246cf472da3858e6586433957

SHA256
2b0926920526b902fb2c2034883b00ce31d320e1decaf4169ea27bd6c9761bda

SHA512
4466d1f1597ef6d8ce799f081251c5753bda4c4fdaea8722d981e1d93130953aa7a4081ee7f64e868d930632c35113e24959c54b54a2c6e13eb6f0c436686eb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f81684cd56c4ba6c87f2b77bc38519e1

SHA1
952b02cdc6bdf189504a1ee7fa86ff37b770af74

SHA256
b60dd0e43f89c516643f11e11608a5bd88cc2b9c6d6cc6065594a6aa40dbd680

SHA512
bd3a747eec416410adecac0eb95935781207fb18aed94b138c12d3dfbe2c40e2ee7ebc5bec3bc002d9367c0f0e6550745f5cccd67acd229cfa0868464e67a670

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e091b3357124f6af975e7c1464e4d85c

SHA1
df01366dc9767f95248497e88d6f89f155f4318c

SHA256
8b6882c0d40777c545478a80ed4685d482c0cfff1845933e2ab75b2ab54f3756

SHA512
1269d10ab4cede0d2140fc6e41e8e396e8ad29ae4a4a6e362877d920f79d5db8560173f757ed7682df26460f808b09a96c474b466ed641bfe7881a3c5dd8458a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
de9905bf39631a998c5edd0fab161a55

SHA1
b1c8dc41b54bd4cfb53b10b8319de5d075dc4578

SHA256
75503628a54a3d16dd32b3088833f5e4ec285f6e446173da1b464e104145ea21

SHA512
604b95f157395b73bcdf0461a84ebede06f3eec1c33d976b3d909336e0b7538f873a1b4efba0ec8263ef57841fa4176e8ded2dbe3450eadfa6a0fe2e7ca98e01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
16930dcc08eb9cd3e7191b5401b36f50

SHA1
d2ea987cc8e555d408ff388a2b720542fe17b656

SHA256
6f38394b5178accb544809c9f0ae27183c89ac1e2c630237897a106b5b345515

SHA512
2e18875844041da420f82dfb879a30cf18ac5a8996d12bb3b351d062b916b1f31e1ab56765e5425b882a4f7b3b99dc18626582297be68432955de3fea7b85948

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9f0005ce09a305bc1f8ac8d4e1d3565c

SHA1
99c991235e9ef05d7970cded12ba630ac026ec30

SHA256
26014ff419bd644d88ab58be26ccb9093b7cae447a9ada262cbf97206ee4a3ee

SHA512
29a8919d1057f2af99c980631b595402050c95c9aa2e43f3869748f39e120ca7b8506bef0f3291819f18863f95277141620fd733910c405640cbd01f15143613

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c82ba9cf8d183f5bd9ac8f72c8f556f0

SHA1
7886f6cd34d701e3d05bb3687435de8710411ee3

SHA256
bf42ecca064f3f5a29972e5ca4fe000cfd84253f5b79a5f392e8d5c6cccdec91

SHA512
138d9ef22df8d19ab06485a1cdc88b1756cb7a2b3677d80ebd4a6dd26d06b21254e9cf6cde30bd139c4e7321d1736cecba6ba3f92886524ed841f7988c4dcd1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
51b05bfabc231ff72f2d0e2cec5731c1

SHA1
214b2f494e9b19678e52c91053323a624b9fc8c6

SHA256
43115623094ec1b42eee1698212fd766c5606b8fa509a169cd762d4869d1ec9a

SHA512
3ef48acbf4e64e332a3635c193c722e96189e7313a6a08462144c98ed1f867ca0d5ad7696074f6ada1e8bc5123a0590f76007da5ee555276b2e95860fe91ac30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34885e594f4b7367a84aa9d8b4b6f1b1

SHA1
beaebb2da778e07fb79c17766acf87ae9984947b

SHA256
734a0615e7b3ecafaf3c0913c104fde96c0c0a3919c48df646462a0a165f4b52

SHA512
8412f2061f6190ea814ea573ab295128292f8c4769f0627ddec1bcf5a5938742dfedde13e7e81893b286f150a9ad25b1b9a25e957da7fb0557cbdd896b85b07e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
934979a8f04b235a22e2e420a7bc0e42

SHA1
4baa67810c9342ec6f08c00f35d2af4c4db4caa0

SHA256
0eb7982782bbef0147eca9fb499023a45a5b25d63d40d1c70ab42c0aad8a41bf

SHA512
37598a11e93e56b64f79b22ec902bf8bf248d3dffbbf477f5c196912643ef8b0b1a4470b0f685be104f1858daffa455da5d67633f32295d387f9445cd04ccba9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
aef99360c22911dad76908601b339ad2

SHA1
ba64ceff5cd1bec95503fb653c9133dafdd265c4

SHA256
42f980a161b2181ea6f45a9e5b3b85ce66b5d723fde7c3c8700afc713a44f0e9

SHA512
1a833301312064025ccec0380f31f7d5886367089f91b617f29568eb454881f5a34eb7034255b07a35e0bd12bdc58481a0c1b37bdced99d838190ded2af40e20

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7fe409ceeb310d8b9b61ab9a6a229647

SHA1
43e6734431ceaa9542ae78c7f32d7c93c7215ceb

SHA256
1790b71c3825fe5e88973befa181929c65edf6a6d4d413522c0b4b7a9d2dcc7e

SHA512
7a18836a8f24397dcc76fd8452e1b40824da044f1fe83f551fee76950f01ad2087e7bf866701a3c6c3f67cb3a253870a2ec902741cd981c931e7eb4e8860af63

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
43d438f24ffbc335b3fbb4892ec1289e

SHA1
440a9bc8cd2e81f0b6b17a2b4b25aa4350f99a20

SHA256
54a24db68225b015ad6710c5234e0ad0f0ec96d24e4183b22e6054b79fdb047b

SHA512
43d5b2e587d550655b41665d9c84a9d530ba94cf304cf12cac6e9a06ac2dceec51668487e1efb278159659337f152cd5e7fa2502ea812964e2b6fd9eb1a6ab7d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
332636de66b7a200915d2993ca99e7ac

SHA1
0be16c35db2489ffd5ca4c98aea5cfb4e5e0a0a1

SHA256
642b691ed4021b908d2c87cac01aebf2389fc32dd45cca010a5033bbd1f5054c

SHA512
07dedb89f4948efa1b93c30b5a0adb6f47cca12165f1d87efe563861fb54f6386c3894e230c9d9fd4a5eb92dc4e69565a53dcd26e61c53d0da408958c5110b46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
924a428e3d56d8a6210a08f4412f4e26

SHA1
657d95ede6235fc16e3fc516dead42ae00a4e85a

SHA256
96c217fb1c4a58ba34b3267c90d3abd17b009f7c4ce44d83baf43815cc70384c

SHA512
4529d3cc8c9ead482671550d5a80cecac555a1cc34e262de6bc42a46dbdb6b3ab1f6625bc7a3445fa1799c7a0d97179c6c5004f8ee7f0f0d13928d832725238d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c38e32c51a6ad691c9c8563d9af09da

SHA1
41b57a46e203dfe7360f91a20070e9c0ebbaa1cb

SHA256
927b48efd12efe7d7888baba79e6400fe46d8868d83a25d7795247e42b79686f

SHA512
0ca2eaa9baae23c05946554e6d4b0cfd26e092836d8edf680d32f09731d22663da41fae7adea22ed10eb99f1ac7b961e05377762c6627451f3b24cdcd86895cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5f705fcd81881e8c2890e42016054afc

SHA1
fa02ed44a262f53403f0b017084336826eb0956d

SHA256
28e7858aaddea9a54bbcd0f1616e57b161a24683181edb4fb4b3620e3c9b3aae

SHA512
bc7f0689f2d4309934f37b41bade86124036315ca0605f7b6c1c936fd9f16f562614e19a0f08e844f2b87cf84ae94b8b62cf0522e8531dff1eb74c5e957073b8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e783ee298920c2cb9a5e88418a7cc5f8

SHA1
3ba3cc07dc99439b581471514c08544c22bf4877

SHA256
d02b97ff09dccf4ec9a83f0adf06c6a6dafcc85e3ecad84eaeb42067609b5548

SHA512
defdf441c0f7e80e4a5ab1a59495c78cffe6eea5e25d43c4119034c0bb6b857401e57d842bc5e35f7010a0dfe133cdaf547777e78f7abf9f2d33904b4673cfad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
817afdda1a45aee36c3117a453587dc2

SHA1
5e26127b4b11df8a25e4b6e22ee53034061bcd78

SHA256
bc57c6a0e564e22e43bcde30e8ba402031e80af1e8d852ad2c85feb68f684ba5

SHA512
193780300bb9b2f527c4bc5d88d9ced8a97ccbc3b2ffb95695b62ef185193f49fd3984060c9fb517a23470ac836ccd8d02df24f595168de090bafd5c5c9dc3fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e8a5e88fcd63b1f3dc9db488715a2324

SHA1
bf1a89ca2ae06941681be46d692413dfb315a41f

SHA256
292dc5fbd29dbd9a5a850c8f335bcc412b7c6ceed4e3632a998fba5c0b4854e4

SHA512
f16e7ea4844922dd69caa0a17fa1a020eaa5a111474cf81a09fcb40b30a42cab8e430aad1ae2fcebbc3afc3a9d2d072e7a0f4f8f72802fc133b0bf87c8cee216

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
62b16b2334c94b724074375a15bcdd7b

SHA1
96f306443340655cdb64d6a31d1332f2b1b5be10

SHA256
a0aa2251bf22e53e67caf1abefecebe99f1d5ff593e9962c50c7b7817ce3889f

SHA512
6c9591afbcd3ae1ee1ca372e1793b86c479c303be79d0dacdc1b070f3d05059fc079d6117920e8fcd9ea860e78539a635d30a1c2e6025ccb2d0036cf29c6fce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d0cd02c2db0f0bb81ddaea9f3f1b4a71

SHA1
bd743fc9f7bf2ee3cbea519ee3953b3922b4f0ff

SHA256
a821222f8eb3ddc3c7d98f9c3e454d26294bf027898ad65702e7bd37047e25fa

SHA512
d796c099547252faad918fca13fb1a30ebce910ca4b850cb25aded645b42ab5aabd11f8f9beb886a50ae9f4cf75d933ec085f3d48f7a08e0ee0c85d74809dcf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fd12f9545faba1dc3bfd0a8adf2d6b75

SHA1
1a28ac05415c7622ad10ee1a00ff2a49cf25fb51

SHA256
d3053d55bc28554a6c0ddd0ccd556070713107669c48da8f9b7735d8ec508bd0

SHA512
d41674c175ef652f6caa7443f42ed50408e8def8b6fc0b67c0686223f0ecc6469987b53cd7020eda70845154191409b3bc090785ff3cbc0f62c9e45139caa74c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7c47cefb4ce854b071ccf4caa954b3bd

SHA1
56999d7812ff8ebeafe821955f83fea7257ca8ce

SHA256
688c9aabebcc0fc0883faef8126f4a45b097fc3abe3371e9dc6927ccdc0877e9

SHA512
b8f28af8c66c94b82f8698131d303c08e84463683717da4571acf4ec8ab096027f1e711611affad6d67cc62e45717096ff4cac8d164ad9264e63015aeb4e0791

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c2415bc503011f7aa80df4f33aa8668e

SHA1
4590cdf163033452ade008d6f5ddbf38e343b3db

SHA256
1dda01c35e10d6590ab923d1ebe78ca56442b1197e00d592e4599cf51a51ca52

SHA512
db561562ee8a57896f35e610b8bdfc9d523351d2e5dc4d0cdccae108dc00af77a25c084d7526796d274ce22ad77e00ecca1942cdd28c6b8932fbd2fc4338d57a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9d6f1befcc77f2dcbad80ad50ed5dd19

SHA1
f0ed0f57f6d0996e063f9e29052f5bcd1deb7c8c

SHA256
5e206e2a79c969c0e0178c6e4e13dc889ed079ea15ca4ecdac4dc78a3a086bda

SHA512
df5d8c2a2c9feda4955649d6d8e4d656700e74865dc46206e001724b1276afcbf2754c36bb39384c92a767e05fc2e6105c27e7db0983b765119daa8548dad0f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c60ac95406d91b50062029d9447be7e3

SHA1
5238f5d2ccf0a36678cd1d703a164d3dc1ac18c6

SHA256
df9063da4a40e789869915fbb06fce97a48f168a83ddee0bd08aabc490a1ac7a

SHA512
d92228c4c42648c72fc5cc2b3eee2c6ef5f1ea13ce3f91724a8cdb6b81b428f8c2cb9e1160cbbfe819069a50935cc2d52b8705305cd4d20c72a47dfbc5105a4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7572139300800a310284a794d5a66a69

SHA1
3621711612c738bea6f10b1777495c8b0c2bfda1

SHA256
1ff8fff6ee99c12bff72f0871e7bd3843465d47fa59b92fa5664cecad59693a8

SHA512
6f0d6af9390442870b911c364c545aacc64d954615b8b676a14c20f85ccae8b53fbb9127f2568bedfc5822446d258721ca484ad9b934b94136b46a57be8dc6b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
07d816842e5fa61f3fc13a6dd6580aec

SHA1
eb56bba23e60be637e1a1812e757b1f7f9f982d1

SHA256
15db52f92b0b3ee802e17e3429ee7bb73b3e296c245cf1662649f5722bb3afbf

SHA512
07bf66e4da36db0c84a0fb61038752e8849a7f7c4a9d9dcfa5d34a4bc335e2d34f29210f64733d0d2c743514b20adcd3a494c3fd806ac49a32b409542668bb4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
54bb690d20664cf6d0967301e32fc452

SHA1
70647bbcd1834ae1e745d1cba82944e5fce27352

SHA256
4b5cb057ed70db2973ffc910e093b55a8a93f164258ec05ac25537f6b4610986

SHA512
543319c6f7c1fa1a233f870cb11c024643854375ad13f738139284a95a6970fe364c6ce571165f85dae29c1b9775221e22441f9aa29018dcf77e77ae00fcee3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
078efd14a553d45990798ebf705965b6

SHA1
c9fe5ee959c7c38be78623fa905599f20967a44e

SHA256
6e0a485877155d34c09b478f8251ab7525531b560052cee064ae688201b7c80b

SHA512
5536b43ddb50cde4ebffc32d48c87d8adc92caaf3f3c14068abdbcfca82b54fcefcfc064ebd056032b82106587f5d794048dd8ae26a189c8ff028420b61bdb98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4c911a1cd176c0327ebcdddd39f6560c

SHA1
384c752d363d3154caf3e1319fdbf5b35d2d9589

SHA256
baa9999bc4bc5300988abb662c0415b3a2acbf9a137a3e5332ba2dbb78b9ade0

SHA512
bb82457c5925196c15bd34c3e6e9270e43777903a9df91a0579a18819b4f68f61cb59032b5f25e555e7d82257b1a733fca06dfcb1192ab6e6c8c6c713f82b53a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1e8351d0f21ea4235eec7d9e89a52cef

SHA1
fc73ed3e57613db6a7fad723f7783a91b26717e4

SHA256
28ac61549f7692321045c7ef4abd9b416c0c0a4619b8b1805908bc6d2706ec8c

SHA512
6130864103544441b3ca593f4f8e3debef10fee66cb5a84fdcd7baf7bbb7acf77d2b409a6dcabbbbf57bdb2b22d7ea225cc41664e764a6fb1d55bb01234eddb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
24e9343dc520caf10ecaf06f7945ac7d

SHA1
11ccdd96c6cc17b7aefd22164435fec3fa099579

SHA256
8f25be3737534e1c1a1f8c5e0b907e591473af9a48ef2abb2c40e6c91d1f6efc

SHA512
bdb084d898cac44df6b73fb0c99ae707108101e4ee21d0bd90ce55814d58b1e224f14bbb6a8d95ef67c9e3cc276fdd6f9c9cd0c8017f5522b963851ce1097b3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
bc246ab5ac354dadb6a5a69a1bfd7a4e

SHA1
292777a58c9595355285ad8737165b33e503821b

SHA256
57d321c3bafbc719407af44fa6b6bdf0906ba670083eab6ae9a249a0c5dc4b10

SHA512
c4c7ede628dcc7057a5deecf6d370ce01fea1f39f4c3a497c4054ccb50638e58b0e2eed2606c9987f82007135e2b901eb5615eb44ba2b78158dcfdd428e7ce2f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5cd59045a726f389e684e5b28f920af0

SHA1
1ac04bef9824e16a6a15992f71a18bc3c4298b83

SHA256
9789dc8318aa51a91ab086bd7426731b5e7fd1f1698aae386a398f883cfd43c7

SHA512
80b69882daa79f92602e8f9e374dc1839f92524cd7692bb3ea863bb2dbdbe0c12f65920f889235448de403015b49d7199f4fe18709037173a609bb3af1bc55f9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6f040084132bd32ce5459e37387b501b

SHA1
306ff769aef672df2e78a4f4154f547105e214d1

SHA256
a0216ca5522b370d89cf21dbce07611a2fc608153b0a53dea19becc6c7568059

SHA512
a3b5bb5160cb94762d8c75d007c766403d2e872bd6286cc27fb421aeb28300996033c6a544b17798ce69da7281553e635b0f0c4f7804c8323ebc354a54ffd9f7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
56544948423fd73e98ae7140bbac8ad6

SHA1
5527de57cddd66cf7995877fad920e9c7ea130b0

SHA256
8c18af0d425a29e9cc70f2adeafbc39e4d337d5746cdec4d3a029e528d45325e

SHA512
795a96369ad75b21289bd4bc730534045e05f1d75b7e75ab6bb5052afa16e871369cea0ce7c1df9b01a3f46e5896fa9254bdec662df0fc6b09386921faaf033d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
520c9a1ffd15dca788340f6a68d138f6

SHA1
024db81ec05a26f22e7f3d6336ae4112a37e28cc

SHA256
0336ef6933c3ee792d89a3583a47d988ce01248932907d80838efe7a7de1cc28

SHA512
aa3d2e500b13b020b95890df0aa32aeb149c3707804dcc034eb25b21e74ea590b100cf0325bf98d0f385146aef57149a75135f5d91356df9ec40462d069c4033

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
37b8c7a0f868c21c26412044a6215e37

SHA1
bc540747f7f35ca3f728618bd6f0e675d6a51be6

SHA256
db0bd6f46e1814426220960dac90aa303fb7d59d6c319ab3305b0d267cbef4e9

SHA512
52213e4f8f1b070ac00bc54824c8b61514659b31a4fbf340f6f6529221036e0fd2f5c66e97d3a889bdb572b0c1b1c4358558696dd960754a165ec5f347498c92

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b96ad9ecd993acc8a4dd3f7d935f359f

SHA1
b4aed8c5b531a77363a968834477e1573cba64d2

SHA256
f50e61d5eef6562a432bb860936fcd870ce3d6a310be289be267841753b27b7a

SHA512
b7dca684e2bea7cdb394765a86fb55b5417dd01d878f98f3f945530d03f657aee787a8fffe4a0eb9a63e2d3c3400ae3f556f028995ddb133cd0ae16715b314f9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f5859fff98b204b8cbf72231685b54c7

SHA1
9b0f8645573acd7f56524b1c64b1f696aa756a73

SHA256
dfaed312c14724d50377db9dd968f7aeaebbb6d67a8878b58fc6264097a62dca

SHA512
ff37547606b97299675f996c36467522b4e084b11e905cc9d339d2ee1f748595fc571f174db9323e4b09855e21752d5069063aaa49627eb11a51c8117b13ffb0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
58d39fbdaf61c032933305c0bbf1772f

SHA1
92179f2bb9ebeb18bdc9ae27037bfde7b0a70ad8

SHA256
30264564ace5f92a7ac87ffd5a5239cdc8c2f9d2e9fc098cb2fda73e27ea1ca1

SHA512
97f5c8f06430cf4fa9032b5e97f60a74f750bcb4217ee2955fa379b732943877acb7d936f95658985a049cf030067380cffd6c08ab823ecc51992a9eb4157739

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5e28b68c322ea3b3b4add01deffbfca4

SHA1
8922615075519565cd3af53b4fa12c24651e5d6d

SHA256
77b0e9306bf19ea4870a1e03b0b8e2f22a2b9fc1371f304fd8ff55f425cf228a

SHA512
581a310f66d9d206a1460300be2068670b0518ba1fb44105e48a16cf7a6b0c6b657e46995ed6b9d45057008fa649c3da880e5dd93f7f1fecc251bb7b39db0d45

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
deae3c72c03f174ed058e58a50d1ae50

SHA1
27ce179b2d614c08d40f3ab53168a0c7e4ff72f9

SHA256
c021e25479dc4193304321eeac6fbebed05fffc9e134b546c5c1136d827d8224

SHA512
441814b705cc064c8bd730615cb4f929df04ed69041feb99884ba2b523e8488518790a403e86d2a72d273ae7aeb4b93eee06964008230f6b9d76aac665129bb3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
055ded05ed70a080c3de89393eb8b2d6

SHA1
0a9924fdb71507ab30efc14a3c0442d1eba94beb

SHA256
05614f91b5dabe4708bba23498eb5e04b44a060b4fcd46e6a2ea957b50544219

SHA512
b3d5f8cc210e652f655c486576d6afb6ad8af63d25b4baa5e90c2456fb2a6eb8c503208adb808a096acbe9d8d9efd6627fec18c63b0a88e9af72b6287fc7343e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
862be412cfcbec656bd826594ed8ad76

SHA1
72909c2813d0fdd8599cf80521b79d3ce317778a

SHA256
35c7d0828f5ac95d48ccbdeb496c63fd2ae5e1126e80be198921e2b928561f71

SHA512
8e4331e6499309f4ecb3616f120d7c4cd7d634cb9cc0dd75730cc04450683262d1bf52e0255a782899070e1b5087ac72596e5cd94e9b238de1635fd0370d08ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8dbc6a4ea18b83b0773f8c9753493a54

SHA1
2b289f1e78f8529775cdb7c05446428e11672761

SHA256
d26da15620e82fa7c16695c7493365ca31d6775b7153d30ca8be1e7a252a911b

SHA512
653d82a02cd62bd9bb524ec1a2f9fb166d508f302c530eeacbdced54a2916da292fa6a54752ade527b4eae834de2c7185ec32b43ac502f15cbaf3f26abe7a761

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
67354b9e59a3dd9733a056297e946190

SHA1
90983c95eb438cd25c26d74cc85ec0d242642d18

SHA256
19f6c2eae6741d009fdd3584a56f98448d13357b64dc1b503966276ae53baf79

SHA512
1f4b9e57e68f0c3bf77c3efe246f1b106b22bf4bde341500ec01543f99a190cabfa4fef953c49f39d70c7a3efc18dde1efcf80bc33a5afdd1479b8c2714d0ba0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
baec229131a11a5b0a46271b040e8e91

SHA1
fad72f3450612c8e742ed5813a44dbea4d2e2eea

SHA256
bbd5a5b49960accbda412016c94534b61609fc279478c96e63e54ad20c1bceaa

SHA512
9ac5f2fe39acdea716875e22f4e6ac30f877abdcd1463c6df2d6ebeb2ed1f81b6f3efc5a797ca9b95c052d2217fb1096d89ee80c5dc4e5ad5b483ab85c97a604

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b3a9f2c9e7f9acee5e94110e7e6a5cc5

SHA1
9e67c3ebca65a376c9c0f3b07507343ff31e6c7d

SHA256
a73812b3a4e0ca2fa8c7e2034ce3dd5b91314006691b34f99d0882761270a776

SHA512
e61aedaccf90576174089523e51e59c95e6d43f4d757f5efce64bf2d40c1c8f0072ad6348c286dd17ec738a2e619111d27813e69795658e4ef74653559b83ebb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e18fc030805e9157c1bdb9b55d6e93c9

SHA1
8557127062a56a6cf0fc93d55a77b8c76adfe4b7

SHA256
23cafc64f26a7cfb27c0b28cae564b39178afc21954d2b9c94d4f4096b445632

SHA512
abaf4c7171b10fe551310384d0959989823263bc85bcdf5fbc189a0815ec5372503cfcda846955addf4a1ca1e16234f3dc021e08eeda600726504458cbf6a73f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0f2786defbf912bd59fc00e05ae12d9d

SHA1
778d98af9d21d442702a70f9860d42a084d29ee9

SHA256
1bb786a0e21ebb219f09885ed70dfb75fb82258ca541b7bd9bb6bd0763e6ab00

SHA512
898bfe2be076296e9f9235bc337ed285feee2dd302ce806ad1b6330e2fadea2081047e2e97b108e9680c7f3ae13d72273f4852af95c103214837f112016106fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
41ff37b82c55b6977c7f475fa409f041

SHA1
4086681cdc9eb451ea17a28bfcbe3bd36ccd71dc

SHA256
faeb725ce576b0000fc7dfdea90df88803f114f99a135a3b47c4507d082445a1

SHA512
b599fc4dc44375fe0684dfc8d6104eaa504603d2967ffba365c7b23c3055de622c10518bd5383a4e1c5027d22676720c5d452df082a2d6c4a730af3273bc239e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
80d413b6dd8fc7e55e549071d92b7fe0

SHA1
799403f4b357a3c415121cc4b971280cc3e3170d

SHA256
50b0768c30c1f9e61a534acd8ac0f39bf5dba6b81e4aa79c7c0914352ac2ce7d

SHA512
b41efe54060290d89b245adff6c5c9c1a2a846ad05db59d62e8ac02b2193e0cb6a5ca1194520660ead03df9ad9ec529cf4d7f01c3a7afc9fb23dbab3f0355634

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ff80e5b64c91455826c1c27fcacc56eb

SHA1
26f6cf9f829719b6c303f2aed3667800b84621c4

SHA256
5b09fc919976d68c8e25b963395d362396d2ebb85e32b9e5c1296c7cde206b59

SHA512
220f60e1d06ef65034ccc53f709ce1eca4cbe89cea85c9e814b5eb22addcd4e164e180b0e88364a53c71d97ee6f4a15ec79e18ad497052334af995cccf1d432c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
12ecdd7ad43606efd058e6bc65dd1ab9

SHA1
f0f9e3a5f42d7ec02a53e908a18def0760907c24

SHA256
a946449920ded164368aa5b675e2c0d3bfc4a07c117f0192fedd8304cf5ca13f

SHA512
2b8c12bcc568631a51a5cbb46f53067fe2d41c422635a08ed35a8f83dd9451e996a2851bd14433485c52f348e1b91b20a7ef412315c107d41d25c6d81d6f0413

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5d1f0c99a21cac68fe3310d74874c6f9

SHA1
638ff0a8f59b8e707a367df67a3e8c3652138c10

SHA256
3f304ed149be0afcc2e897fe7114e31e9866c7ab0431a3dc91618a07b7416989

SHA512
ff0980c42a84b34cb0eb87cecc4e53e82f1bce3b3234194c14314b846d28eaa567755597da6a18207a8611bd993f155f815dd84d50ba0f09c780dcb871cef6bf

Download Submit
memory/624-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/624-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/624-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/624-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1240-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1240-684-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1292-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1292-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1292-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1292-36-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1292-57-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1500-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1500-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1500-208-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1528-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1528-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1596-688-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1596-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1604-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1604-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1608-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1608-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1624-134-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-26-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1624-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1932-85-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1932-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1932-75-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1932-81-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1932-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2412-11-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2412-20-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2412-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2572-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2572-691-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2608-49-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2608-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2608-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2608-55-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2704-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2704-267-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2792-686-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2792-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3392-693-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3392-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4376-685-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4376-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4404-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4404-617-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4496-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4496-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4572-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4572-692-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4604-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4604-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4788-687-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4788-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4836-7-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/4836-2-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/4836-70-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4836-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4836-478-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download