601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
Size

1.8MB
MD5

d78f61c3cb7f2f156c602d41dd56bd22
SHA1

06979e83fceef4054ae15d3b48b3b2fbf741b794
SHA256

601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4
SHA512

bc20051585b50cc8bad49e4f1b1120052528ac2a6da2fedab3ef1d37a74a5972e182fdd43eb3d5cda28419e168aef9f5e01dfebf845f0229dd387cfb00ef218b
SSDEEP

49152:3KJ0WR7AFPyyiSruXKpk3WFDL9zxnSkcW+S8:3KlBAFPydSS6W6X9lnV8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4328	alg.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4536	fxssvc.exe
3552	elevation_service.exe
1176	elevation_service.exe
4136	maintenanceservice.exe
1608	msdtc.exe
4088	OSE.EXE
3500	PerceptionSimulationService.exe
4444	perfhost.exe
4376	locator.exe
2112	SensorDataService.exe
4856	snmptrap.exe
628	spectrum.exe
2508	ssh-agent.exe
4592	TieringEngineService.exe
4608	AgentService.exe
2096	vds.exe
3732	vssvc.exe
4572	wbengine.exe
1824	WmiApSrv.exe
4792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a9e65c0bc3136770.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\System32\vds.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\locator.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM44F8.tmp\goopdateres_bg.dll	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM44F8.tmp\goopdateres_nl.dll	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM44F8.tmp\goopdateres_hu.dll	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM44F8.tmp\goopdateres_fr.dll	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069f37d15e8a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097c41116e8a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ea4da18e8a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004693e316e8a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c7e6815e8a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf812a15e8a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008707be18e8a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d01915e8a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000858e816e8a5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0910217e8a5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8fed117e8a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe
4192	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3768	601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
Token: SeAuditPrivilege	4536	fxssvc.exe
Token: SeRestorePrivilege	4592	TieringEngineService.exe
Token: SeManageVolumePrivilege	4592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	3732	vssvc.exe
Token: SeRestorePrivilege	3732	vssvc.exe
Token: SeAuditPrivilege	3732	vssvc.exe
Token: SeBackupPrivilege	4572	wbengine.exe
Token: SeRestorePrivilege	4572	wbengine.exe
Token: SeSecurityPrivilege	4572	wbengine.exe
Token: 33	4792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeDebugPrivilege	4328	alg.exe
Token: SeDebugPrivilege	4328	alg.exe
Token: SeDebugPrivilege	4328	alg.exe
Token: SeDebugPrivilege	4192	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 5004	4792	SearchIndexer.exe	108
PID 4792 wrote to memory of 5004	4792	SearchIndexer.exe	108
PID 4792 wrote to memory of 3888	4792	SearchIndexer.exe	109
PID 4792 wrote to memory of 3888	4792	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe
"C:\Users\Admin\AppData\Local\Temp\601068d2288eaaa6303b283826c1c96cf9073ebc03a771506517cb0923285eb4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:628

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5c65877fa06ad79fc7bf4da7d6ad092f

SHA1
941decda22181f93e7642be43a1114e43fdb9204

SHA256
60f6ef42f76f58a49becbcff180e11d9d6cdf9f52a751c7ed534e5d9287c859b

SHA512
96594cf41b148a61da629e783742c89484044625cb68f015835ef049eafd6a420eb2d9d3881a64632437cab01c91e85885d2e59f3192d950d1fdb18a33b2264a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d30ab65026ed2c42251599d2db376f13

SHA1
3b70efaccd54ca6279a1af96abc324c65cc654af

SHA256
6a11125ee75888c351d3d2e1313f7c36a5877a67ca8b849b4d2a4c5f16101ee6

SHA512
1b7c0467ac4e4ebdf5d135aea95667dc6ec2f9e97e16835dd20114ac78260c15ea0dbf8bfe8b6fa78130f394fed34b6c9b19b99548eebec413fa3339cd9b1fe4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ec4e818d8be644e5aaf45860dfcc45ac

SHA1
8a328ca02fed3cfca55e4daa909fc5bd33e63e5a

SHA256
e327b2be98ef40227fc521f3a94b1fd97f7cd332ffb5ce1a01fcce3a6cc3248f

SHA512
f1d71808fdf089a05b1b957bf2caa8111655bcb49d25cf31f210715ec532a9c06b3f2eac1e0c9ec4f2830c53ad2d3c3baa47faf28ae8d72914dc6771c697a88b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7087f683908817c9bc60519e87ac8200

SHA1
48cb9de22c243ea0a343dc87a54798c13077ac6d

SHA256
25ecc7f7e9b721ff418749ae98c4dac28fbcc412c44a812bf4a4ec03c076473b

SHA512
bcebbf3a222cc68422928bf95f24ad11844d7cd4ee293b9cafa2b70f48e4aa259438b2bbeeec4e1da0bfd71ace150e3571b919a8fa8880afb8ae12f40c525cc8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
673767083b3d86bb5d5e4a96ca69870b

SHA1
a21cfb507e00bb6ec06b84f0572da660e3810907

SHA256
7e7250e6bc3c90babed4afb14ee6dfb2af08d8f3ce61e4e80f62ec77a89ef9a5

SHA512
fda9d24392d34011e30fda062bf2ef40545550524f8dcfb6cf753c1109368d27fd834ddff6de2ec66ac6bfc834830d319127056dff66ac2a897b898d91f11f50

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b8ce41a5f855925e4e3dab917d2cb0cf

SHA1
c00f1fb7772f3c1a175fecde4b9f10dd513359da

SHA256
fc20fc671d61afb5aa16d67acd67357c62d5b1b8dcab6ab70cbf5de420098ff1

SHA512
b88823e0dcb5b5d5ae1636c4899223f22b8bb6eea45fd5a2a2139c319a22b5cc6994d63c2b2219ef2f6f7599fb2b0a6a4cc0c6b56cba4096d94b97fc82165061

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5622231b290e26ee8783e5658a163906

SHA1
95661c4a4c55163dcff2876a17b733df313ecfed

SHA256
e237716d028e57a9721ffaa47bb17281b040fbc3932ba0e155931a925a8206f2

SHA512
81f9c8a820d1d31d6cb705e58de592cbaa6fd83b1afdd0af53e9e7f6b6314b218d7b131432565ebde1043efe9367196e6971d6aaa3eeac5eb967df91eb3cd010

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c99f1c9995d50affaa0cf5bb41cffc3a

SHA1
84ccbb50bb92689f977cc743656b1c09691b861f

SHA256
ee1d8637164d29a6815e63c5102fbe7fa82e4a98a1a38abf932761847f20173c

SHA512
7b0fc7e88f1c92356eca5552a0867c0854a8a9d392d47bd56933cccbd97d0bbdc0bf59d93a2cbb20b96a8a944bc1fabedf2e1b1e8082500da8fd2d48bc8ec4d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
71ed7a7f0a387359c72f0db0b8c9efd1

SHA1
5dab8c4260d3cf46fb229e1507dd9e84171cb2f5

SHA256
bda075d37fceed6dc71c5c9504b87048d9bb1ab5adabd938e2782d254c6739c4

SHA512
10f0d0a75f242286b90ba771275b28fc9c2d6e884a495d8dcf727d34e97802cbbaf47c9c440bea5a5a49774507e656cbbf757651a1d47fea39b6f890541ca775

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c8b971a0818112f16a7863872f1e825f

SHA1
0bb8f18a2d39da385ea39aa4a34f7cbf87ce438c

SHA256
9f96fb624a5dbba6483ba31dd2b0db4f656c2bb6512b4ee3132e54a0db6c82ed

SHA512
6f2a2778ccdef524e2b02780c1504458dad453ea5ecf9a08412616f3443615be5403f4a332148f091c4137dc209d2681039c51ac3bbcfcc7d2f6c106dd44582d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e5c581693ca4b7761db711c7950715ce

SHA1
55804c1a7c0139ae4c8b9346d1561a046a83737b

SHA256
286107e556f71125739c1543a9c5e5e85536a96e71806c57619926f0268ad6d1

SHA512
42dde7154cfa900f114defad879c2421af9fd4c7b5b37e9dba31a86ffbb76504433585025c793cba917a4c196eb7b596e545260cb2db1d10ea45d756b4029800

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4917f0ad44ba549f80b234d75338eb90

SHA1
bffa18978e4d6289e416da78e1e3b637f034a791

SHA256
6e0f67123022c4021d76c0e132f1b16aaa9c7e1d90bd9e93b179fe4da41b7087

SHA512
7ac851bdbfcfd0cd600a8fc87f42b0fe61c9aca98739c6d3bf0d94975cbddebcd02049674b83ccb8ed3daf41e42019e0d967088cc5e0dccd1bbb198560735dbf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
137450038f9444ed76ec3a173d26ff6f

SHA1
8851350eda4c87af2db5e89d52a026d91ba24b36

SHA256
4cc4c42b9755da48bc0e33e35b0c47f77cd9b3be2709e4a06aa8a0c8bf315e4e

SHA512
d2717de5292b6c94e0d007b16ce6972defe3f2d9802012f3a77e8b047dba5204af22546ef6acd66995912a002c14adb2a40946fdb713a5965bf8b338218ef292

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c782fa0c0f09477b63219390b6173fa6

SHA1
54ffea68e71f7b9f4e2a9be573d74b5eead78eae

SHA256
ce2be3e160cfd525c9f76c8fcade95917025c69d660907f4cd1cf7a78378455a

SHA512
245e38c7fb8616f590daf7c5113354663c9930ae1bff3763c605d711840058b3595049c77c63d8ed7f32d5c86fc87c8f6ff629d3370bb095239504958e64923a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6d65257d3c9b81211ccd005635837bf8

SHA1
4db1c83151e98b8f5cab355b6d40328494221b21

SHA256
034dd029e35b5e56a3f45a3e64ea7b9ce59b198f75861b04be6562dbfa8fd7ad

SHA512
9cd609405fd3a8e174f6498c7eda4486b2f8a84fe4280032526e35554982b2a543e56891327b3ff20cbdd736ae178d12ae04ac00f23331737c5d55d9735fc66f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ad5bcea8d27561954e381f37acdd38c5

SHA1
19e4681945aae25e37c5903bdc903a35df1da222

SHA256
6055d544c07112b4965101a9190624ed90d8c6538d9036e6ff37f484b846314d

SHA512
85f7e5e6b35682fd81dde84e4627be6bd68fefcb380c5d98934484cfab31eaa9d5335704959c3d8f0586b6590108c918e2e386a85243f712dfedf97bd6e40ebf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
498a89deb6e366571944ffc5ef5629a4

SHA1
1b038456634898039a06291b51a94bf5bb096730

SHA256
c8b0bdbf747ecccd35361f6f857d89468764ba3509ed1aec274fe9bbc772db6a

SHA512
b6361b7516ecfad91710335d19207f57c4d97e47beae66ab67eb548cf39542e8fa0c4fbbb244bf3a4bf13bf93d58f8cc9b75d02683c0d1451082ac03db7c9cf3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
354230ae4916d0e710165a4dfa77547f

SHA1
76423fe1f2eace5d96fab6e904fd3f1c83862cbf

SHA256
0cf6b41b370380b02d90c551decc5d316a911ff93f7606db3f630f12d4890be6

SHA512
3f37ad5cb8ad3d6d46e0f226cb8db47ee7daab16f3cc25c9b720efd767ace8c3ebeded850670c27dbbc300c48d5055c497c150fd4fbbc6750810ac0c0431fa6e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2515e537b9408757349ca528d01f6327

SHA1
db5d4c2c45b06a545caa9b66b79471926b50827b

SHA256
95b9dba5270fab364a367335fc69a06a7ac1796a4e59e0d3adf7af1234706ae8

SHA512
f30546a8b06734fa08a6ed404624a8d18af22bea556ee7c2dc66c54b9429f8623970b6e0e1d31154b907633b58e626b702e898e0af1f5a149da70f6ce813c221

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5b0b893e2851d986362638197ac7bb4d

SHA1
c89fce62fb524236db8c3a372b08331224093e2e

SHA256
bff501e696984d7868a0d99ee8b7a3e5f67ca8e1b4ed36b7727390a30485330d

SHA512
86397b4f229202d2bea03a66c8d17270bfcedaea83b1d3b12d095d7322f74d3445961641972cadf5f29572a7d1b987d10e86d59c8f1f94c4ec633d17e93208f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
99a5f323ebad6fbcffdc3860edee3b88

SHA1
b0c20ccf7b53365e1c5f1e4572a30a1a572725ce

SHA256
edad8df71277dbec85cdac663fbdef0424f0876d6f8f4d99e03c8388fbf2a858

SHA512
1813db2356075e5a68cece04aa5516dd27e861bed42f294625aae0bd56c7355c67ac2df0e50866b4dd6f1d97bd4d2f85d875928695198e8d3a4fef801f5d44ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b9ee4869d2c5447a89bd85d08316b2d3

SHA1
59897998bea095853865bf97244e04de651846f0

SHA256
7536b487ace227db50d46066845f28ab9c1a2ee8d1af8e7ea3ec684502da938e

SHA512
ce964c85f5dc6230a84208043e39443d060e4a5a005916319f040aa5e394b907aae035545cf3affefcc9f832a72cf1e49a242f318887b32e2396b0182e79f61b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f5b643e33984d18321ef07b914c6797f

SHA1
a80cedd32c17a9e688c3cb0b1ca36b5d0e03a9d5

SHA256
3fe8820d5089ca0b09246ff9f2dcc54c24f1523c3de4b81847face475c636585

SHA512
bd791fbe2dadbe39843bcb7c044438bb4916d3076da79ff7fb3cb891229f56cf1cf9ba90e1b694d72d706f41f31125404a194b16bc8cdaaff0fe5dd71459dd4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
89ae951fc1a420baa77ddc631f3f8675

SHA1
44d2b9888e480b5ad0418b9bc4d5947e0fc27734

SHA256
487aba6555c729784617ff40cf8533d5a26ebaaefaf6de2d56c3120930e79d84

SHA512
6362ed831f5a42c61af86b704198bbd5e65dc2d2e02590e62ed7b60a13fada556e727622cf906fab9a7ea709814d0c2e6d40cf9ac9ab1d967c7251bccc199edb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fa1b87c2114ace486758d9008c20ad08

SHA1
7a6b37b083b662f15333092ae14e40c5458d2dcc

SHA256
a9bbf3fd24cb45c59551fc9c5b4304c05540de1edf7f45cfc097385444b038d4

SHA512
ff2c8fa77f09f3094c2b589eca24a361d930b687a273d722890e73e1c6b38e0dbdaad2d45aef619fb9ff37cf2d4637b2c6d09839e2ef1efe54bd69536d8e1285

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd93c4f187ebe53221c0da83f00ac95d

SHA1
676f24ea1bf7a176f636375a00d579e53a119017

SHA256
38c5849c408292c7b0113c82505c8903ea5b0f1eee183160ff4a835051fab0b3

SHA512
5c10145706075fc6a3f5226403f6a0466e48d6fff83a8ee92bee8ddacd23735332bd6d3b04a110bbe5d4d371f00dea39a2dfb7dfd3eb3241a07b6e92c292757b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e09ca05a2544b07242fe7441f4e5f37c

SHA1
c8b03f82c4442560436ca043ac0783922f2f63fe

SHA256
eaedbb3150edf7604de797379a7d41a0acccefc21580b2f9ad073b94919762ef

SHA512
32091e20bf490c07f0ac87581062ea480b5a59e4196ff5563b0ba258dff3d353a1c170c51e5b85f77574b28eef106b54f6a8ccc48be0b09afe79a1bf100a276d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6df0155eb2415b99c496d61d5fd96ad2

SHA1
98ca355484ae59955d1e1fd09b60e47eeb269a73

SHA256
46166182721fc188fc8a2a134737d57575dbc3e184ecbecacc7a325fe9facec1

SHA512
de8ea32f477fecb0b40f66cd2773c0ca108a38e0963bad19bdd1af75e4003213f30965b0bf0f890659c0bc59d6855631c6e8ddd3248336acd577f544b9535249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
00188797022cbd7389084b4dc65079eb

SHA1
54379f4892c90094e1253b35554d9eae49233751

SHA256
09d12fdec48a6de45baaa2fc67cfb5095557ea7efa85ce63b5182c6c9a1cf905

SHA512
06ff975d1dfd65c5397b7f1d89772d734bc1c4cf94b1075d25a2c73711c838ea89ecccc6e0fe1066eb6fa8b72506d68dc45680d554cd9e72ccaaf0402085e97c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
60ea526d037a80e86fd903cfd8b6f0a9

SHA1
aa44d795bce6cf424bb7cbb68889186faf7c212f

SHA256
93cbe97fc7a006160eff3503d891064d3421c0b214f55b25dd72ee8cc12861fb

SHA512
a8fd94f18bfb829f74fd3cd75eb7054b293815f58081985c4069375e42fdc096de0c54559ebed8c8565f4719cdbb6987620947a0b8481b01c0adc41d490c8463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
961477db22514798054085870da33f75

SHA1
f0f23a5a7e4ce8c29da809d6ff8edd767e21b407

SHA256
35b585b449521c35b1fbb3095f000274c14958cd10782261409bed56f9073c48

SHA512
41b07017c564a63c4f2eadfd5739c538d42d46138edd4825b400321b62cae68abbc9566ef8a436a213d9a48797b9f402262db15f6bb28404b0a4ec78dd91015f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f72f6a8f16dcb4d6bf8e6ad7ee32e3ad

SHA1
9374db34c9a6892af531d9111f93353ca121dec0

SHA256
69c7803a4e1ec975e87c64d20b8f286cd31c97f44454d4bddd4d78b1fab08303

SHA512
30e086d90369245b1de632050687ae8dc2481e9c4582bee4b030e65bfc46c611bb1a4e2a0a22bcf3cca757b08c895c20ff56703acb0f910981b50141aadb0cae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a64b9f11d3efaf3bf86f32c12a72f7c0

SHA1
d240cb5e8ef9dabe613e019fb719df697ea522a6

SHA256
4c95379f5cda192b7a7525c20962fdde7bbfed0304550520ec459291e48f9148

SHA512
dfc616419fe8891432cff41a1eb9c4ce8383e1229bec83ca9556505b625ec24c29f42dd54192e8c3d7d423c03a2fa7bb12c9909c5bf8e4e7554329a6352edd53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bb8f74fd17430db378f27bfd8aee1f54

SHA1
1674eb6c7f173c02aaea57a06a7fcface2752ca5

SHA256
681f55d784bc8626282630819b9bf7ea0daac3bde3b7ecdc43d71403dc66f840

SHA512
a872f1461a878aba126b72c525657bbabbcf6fdd4d539da17242a532a96fd071c083db8b016f29884622089ecb736105dcc5a659b1f160da23d151b65c2f824c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a55c0acebaa7cf342c152dacecc76bac

SHA1
753ba12e9c96310d4140c866d9b613ef6fb026b0

SHA256
e119002f5427b1127ae75a3ecf9893e653bc9a01b1b04f5786543dd3f9122558

SHA512
399350608dc11b28d787573bd8481e2e72e9d9594832dde02bb643bc295b47c8c4f162fd041511cc2bdfe7e668ec5c855ea035720c66a80687f6a9f21d23ab27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
1e669313a3c2e668605c810e9ac9e1cc

SHA1
5ca2b5a13933067f2e638b4a89510710242125bb

SHA256
fcc2c24713a41c209188ba78f68bc3ec6cb18cfce689285cf1dcca9cf8a0b3a8

SHA512
e3cbdb262bffb9373e161d6b10e52c83315996853626067c13da339f59ab79e585049ddf466a8f841ce8759b8af6ae2fe72651977aa1b2001f871536b7d7f606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
baaa5bbda18e99f320314fc07bc3b9bb

SHA1
cb0cdd22e0f543f8c241a62cbb4002ea7fea8125

SHA256
646838fcca3538959a0bc6c35ea80f80679e406ebca85a61376a0e5accdf8413

SHA512
a8e8cc3dfe1dbadc410259440be3330eebddb5c9a2df38a7cb1543943f761bc0d08d0b73bb4ef2c4eb0cd3128a5768abc1743dab1f5750e4da6dafc601a3934f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e1965e5251ef55ed34845e868ccccab2

SHA1
9c22b5a6a2da9d472267a9e19637866045dec3f1

SHA256
31eb1c9f469cb89a4ff2195ff2f1602732570e9e6af3d2eda96e70c747931d1b

SHA512
572c81d3ebb9f2fd7544c3a2a8e9f80d9d355261595f577debb53f79568f9deb21a5402a20ea4b03c79bde7647129b9ce3e3f5e49e1503d04d5ab7ac6011a0b9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
97996e48b6052e37b88c2814f009ae52

SHA1
e825478ac79a6759daa0ece565e0683018035e0f

SHA256
a8ae41ae73d64e09ae429263972c959b147d8d72c005619b74cac3d2564df282

SHA512
4a6a61541efc0ebdde1eff06d67f78195223caf40cf143d0b31588ba82cba459093831e58cd77a567f8cc9c68579f34a8376e2c510d03ff2f6cfb44c570d23df

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
907ada77661420d7f3be35a0f8aaca26

SHA1
5251f1dcb7029861b13d0c172dfddefa2258427a

SHA256
981c1dc2dafa8f25403ca5bb40b99ad329d113ab331cd65cfc62f4bdd3d82610

SHA512
58b1efad9c29df3ace9074a3279a1a80b1944eb13c09408d8b863f7d09bc9b406579c591c1a83965ea0ed47c2e97075f61c02723b8599c746eaec477f2b3dd33

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d0a69967301c8461246b61fb278cf136

SHA1
9bb9a60ac1e8aec39ae500026a2d6dd8945c46be

SHA256
fb1eb250228eb2c9893efaf5acdf7d5b162db1134831a398417b90f2d03e8187

SHA512
cb50f5b40fca2d7b6348de2337e28c2e050626386704a6ac78b6cd6ea4a747d20728965f7cf3713ed607ba0cb2588b47a580f2f24f740c764a59ebf665f9c53c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b93782c0dddb94cead578744627e77a4

SHA1
a91ec71c4b85c01e79fa40d45d5ae0c9826a3d10

SHA256
04c92f444ce70cde539343ad433d3d8f6a61ef1468207e288569da35cf3c0ac4

SHA512
2dd3e306d886e4fca0c9bee8d1a3bdbcf7473cd992079ebba2a7df483ceb6b6fb2db42b06d4082da3b20f55c496697e75b2c1d9c671f3336d52d06154f9850dd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d24a179b82d8de930c239122e1627797

SHA1
d234dc5a43424ca2d712571890fddadb4414d5df

SHA256
c319c345e64e9e4754151cd43618fa6996931394c7026a9efad85346dd29eadb

SHA512
74b3c91b1175b5a017dba8f8528214bb9cb3ceca378e16ff7d4a1e508eb0dd0cb61759c3dd7bd346061ff1edd6f28879091945fc065e16b8c1aea15a68cd5627

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
44a59a67b1de3ed583dc0888913df9fc

SHA1
e14cd5a82fdeb5880d5215465557abbe8d27cf20

SHA256
3e19990cc67e15a1fc7b2aa10aeb9e5dc5cc5fd56a10a05ddb978873889d8e0f

SHA512
9ae272861e505e42118eb1221c6cc395efd80af7dc3db93e95ff66ba9c85eb1598b559af1dcd04b7793e66654f6e88ad9f6849279e22a770d06700f815684636

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3130e6f1616b4af1848b2945467541a1

SHA1
d618fe45d4c5b34787bd6a8e3913453072075491

SHA256
9e14fe9db8b49ee438c4d5bb021926141f1eda772ea4d8e8f94ebf444332b6f9

SHA512
a89cef980990e9d92d7a62af761f0f15fbfc4105694fec9db16de1dcaba2477104ce209397143a3fabceccb6be50f9b2eb0af778225d53fe4cc3d0ee5e967bf7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4e3ff32a40ef7e3c2c273553c57c5f6c

SHA1
5c8e47d1fd53368c1041b1ec6d235d728d6048ee

SHA256
827f2345c85ab1af9c4f6c72edba926bed980c580af80ab993321b0b66bc634d

SHA512
5277fd5c28f210b9f3068a137441a56d5c76e65a3420de454ce49d8268223a7658aaabae7e58280d08781b7db8caa9d1ec30a9a6a321b79e13b55a1a5a537152

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a7164ac979dd2c0219649047a96c5a2f

SHA1
e37d51b7370c3b63f78e3d252fd7314c5302ade1

SHA256
d363411e624233f833972702b8a9e68cc04cc3131d192f843ba29d13ee49983a

SHA512
eedf7fc3fa4aea256f5f03c8cc27975510a29f439408af4a45b7bc0194c8eb42ad1c10dbe45218b67a5759ad19435078b08c6196713b6a20b355587d1694e7ab

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eac9a2c7543d7d725af5000c6f6422ee

SHA1
a015657e66aee9f8b4de9a7c4031e37637589a4f

SHA256
6360b79e3ff469ff1321a83041f026bc1cd4e75ab4a9e55e60e1527cdb341ad4

SHA512
2470d24f2b6d4ec3c480652b8aa8ec0d660efadd8e4c3d84ed12871802e1c7915fab96c1ec46527b47918b055c28ebcb1b9a57f3227ef0cd3fb79dfb90ffc1bc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e07155d7d032d0073779a847c5ed1b04

SHA1
fc17272a4ff08e693fc657a8a647994a245c558c

SHA256
0a5b34e6de4b765e99e219808319466ecb321f841d3f70ffb19c92569cdcb9ca

SHA512
d11b34cac901f38cd572ec51238a47916317540c2ea6c521a09dc69b3e112b8844c706cd0fd3de10bad4bd1a61cdd8a550c787c7f6984a4fd4e9200693226e7c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c600af72cbc08a18b2bf7230024c0d02

SHA1
b73e883f94a011a8cacdee1a244762949ff6e37d

SHA256
7d23574fa6b1d46afcd2bf82417cd8fdac43cc54c162a83fda0ed7b9eef1ccfa

SHA512
bc2fce4a499d35f73e0951cb15e8e2dd4e69d0db03783a65c13d5cc8251ea5fed5535e91f48bcb0f18ca3021f371a21169fab8ff4c57a2214c3a20ab4b10c5df

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ca4d8e724abeb54d24ff369f1a0cfb5b

SHA1
cfa577149694398c32567a34ce8a48bbb3ecc94d

SHA256
53b9d125244e616a493615f65856bb085404ac0652cdd080bd6ce649b20997c9

SHA512
fd1ecc7c5fdc16135fd56932248dbf9aaf8a3c2f34da5353cafac1ae8df7c71765a9e36b98603ade64530a868554965296e8947f85489207c428c2f64fc53317

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fd6d0945e75c0fcafcfb4f13fb010f57

SHA1
2d994ece32f25124cebc8d2d2993600426b3f67c

SHA256
d1e52990b0529a6673299b1ab88ae83d5e05a9dfd3deef1a29dda9a4f399c045

SHA512
204d6363d72cba2f716c493cc6584bcd4f87eedc136dc041805b7886ee387329b05a364f32719d85b0fcd7fcda919bcfa842a04273d64714f29adcb9b72bb70e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
011b1b34a5c2a88aca50e60c4ee2be48

SHA1
fdd638606d61704c4d29f82cfc1b4ed1e2d25e35

SHA256
2141aa51511ba599ea90db2ed3b0002fe37505209bb86655f366ff1f1f79625e

SHA512
d71dac667db1cfa20aed521a9119a9992b9d7410e9dc747d331da368f3d4f33fdc18e7791f3ead7d1251359d69d9e45ba4273b272b6c5da364f08e6684b4164d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
02140cfacbab5a1398a411b2e46a233b

SHA1
c054c0b85ed2c466ba7b472e8ae837c77364ec11

SHA256
d3761dc6451185502d49e127e137e138d24051b0d5b968a87c26d52447f701ac

SHA512
a079245d9f4570a286d258d35196c01e6d0a5380b182c03889a7786841be94ba9638d886240dadae9ac56c037a58b93afd494bc00c236f0ce93a97f2b08889e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
71ad00e580871f3e670fe66c2f39c36c

SHA1
49f7fea1cdc892c92b1d3447ce9c91f5f0d05f1a

SHA256
27ea44b23f3846b41248d455cc64d3e357846a19e43ec3aabfd80743eace8339

SHA512
3bf7f33b9fd171f10d68758334370376d2d7ff7c19f18b1831b46a01f916cbb002e8a8e655bdbfc48381550cf35ab8ff53f7f870f518d50d87203c5a682c2adf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cf6fdfaf811bc97f2cd2c300ac5bd84f

SHA1
910b4d3e555a7c9579b7e63421df66c92f0afc9e

SHA256
a03c3d1f2ff2231245609dcc194b8b3a88a33f7970701cb6a151ca03ba9e3993

SHA512
1df0ad3f3951c312d22f58a6727aea228a6a595930dc7ddb003c31829f7f4c32305cb3f05cb1d631bb7e60897ed7c059280ece59a34bd0d2ca2c2e0e44e56c4c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
70b67c397747f170991b0d35dbb520d0

SHA1
733afd10f1b15ef3888288fbb119d5e8f2b30df6

SHA256
f092d4788130f1d20abfd04fccd29850b25d78f5880323f936fbf433e6052bb3

SHA512
b9e8ddbb4cd8bd9ad8ac6c0eeb838c3fa0d53978e461f9eabb8f256664c457e760fa1d3fbd4a37780160f641ab793796c1d3f38ef5d958e86a58d7efbc7ea82e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
20f93d87309e28c2009c9c896bf1bdc6

SHA1
5396c7d3c1fa1366c0dfaaed2d326ba399b690b1

SHA256
e7f600ff03fc9d97e03845f528248e6510e5b64aabbc71b565d73c4240460d84

SHA512
b162a27d8d91c6d60ac6b9eae5c3d821f6f647e56af75b35c4dbc9dbc2ec135788b2e183de21264c52c98dc4f61cedbe3e2ace32e0b4b40de27307faa0e906db

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
029361e978437aa89a607737400e5343

SHA1
6b5ce3c1736fa48f5183fdb56d9bec9572842bbc

SHA256
eba908936b8adbf4847cd598d83f17e8a68386c06760d7da617499ec9b7958f8

SHA512
838ed1dd6cc653f2821133724899186ad23e6ca338e8c7702fd34082ae5191205abb9db867e1a535b7d23492c0bf353ed3c3291fd84900cf8b8ab5f5132606e3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9a9b328340d2b11ff946c55b178991ea

SHA1
104448f813c1ed831b0cca8d9b6487ba71fdf3f7

SHA256
859e5bc2feeff7e055bac597865afa306287e41ae86c1e39cff1cb95ea0fa8ef

SHA512
afa52bb3e68b260c8af6cb0e1309c87538177d3e2c6d4bf8a6e9939118bb40c88fc97e6b0bd1338344a38a820f677f1948e3f18b3820fd20abfe648bb2d87470

Download Submit
memory/628-278-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1176-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1176-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1176-804-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1176-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1608-156-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1824-810-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1824-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2096-346-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2112-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2112-701-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2508-281-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3500-273-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3552-119-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3552-803-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3552-126-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3552-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3732-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3732-809-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3768-629-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3768-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3768-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3768-167-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3768-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3768-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4088-807-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-141-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4136-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-147-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4136-152-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4192-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4192-94-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4192-100-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4328-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4328-508-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4328-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4328-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4328-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4376-275-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4444-274-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4536-115-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4536-112-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4536-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4536-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4536-106-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4572-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4592-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4608-337-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-808-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4792-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4792-811-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4856-277-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download