099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
Size

1.8MB
MD5

7ba39ce9b8e16254d827272c0fd5de7b
SHA1

fca2425b600aa8f7a912ab961aae2f768b1f6967
SHA256

099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599
SHA512

ef0e7ad96f95cdda36a6e1a980aebff18a92d8188eaa0ee04e68ca4f69a1e4ae3bca2d79268324b0e49a46cdb24ab3093ecb4a33109ad654bb7b869fb8984913
SSDEEP

49152:eKJ0WR7AFPyyiSruXKpk3WFDL9zxnSqgFIDRRAubt5M:eKlBAFPydSS6W6X9lnUUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1776	alg.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
1584	fxssvc.exe
1228	elevation_service.exe
3196	elevation_service.exe
4728	maintenanceservice.exe
1844	msdtc.exe
4436	OSE.EXE
4580	PerceptionSimulationService.exe
2500	perfhost.exe
4324	locator.exe
3556	SensorDataService.exe
4492	snmptrap.exe
1284	spectrum.exe
2568	ssh-agent.exe
776	TieringEngineService.exe
876	AgentService.exe
4504	vds.exe
1920	vssvc.exe
2120	wbengine.exe
1728	WmiApSrv.exe
4832	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\locator.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\dllhost.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\System32\msdtc.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\vssvc.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e2cda169293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\spectrum.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\System32\vds.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\AgentService.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_ja.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_nl.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_kn.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_de.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_it.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\GoogleUpdateBroker.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_ar.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_ro.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_et.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\GoogleCrashHandler.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\GoogleUpdateSetup.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_gu.dll	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\GoogleCrashHandler64.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\GoogleUpdateCore.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bcb28f808a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e297bcf008a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f85413f808a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000261837f808a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000797c1af808a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c074b5f808a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3032	099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
Token: SeAuditPrivilege	1584	fxssvc.exe
Token: SeRestorePrivilege	776	TieringEngineService.exe
Token: SeManageVolumePrivilege	776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	876	AgentService.exe
Token: SeBackupPrivilege	1920	vssvc.exe
Token: SeRestorePrivilege	1920	vssvc.exe
Token: SeAuditPrivilege	1920	vssvc.exe
Token: SeBackupPrivilege	2120	wbengine.exe
Token: SeRestorePrivilege	2120	wbengine.exe
Token: SeSecurityPrivilege	2120	wbengine.exe
Token: 33	4832	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4832	SearchIndexer.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	2116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 3416	4832	SearchIndexer.exe	115
PID 4832 wrote to memory of 3416	4832	SearchIndexer.exe	115
PID 4832 wrote to memory of 4520	4832	SearchIndexer.exe	116
PID 4832 wrote to memory of 4520	4832	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe
"C:\Users\Admin\AppData\Local\Temp\099bc7c132af5efc20bbc110019478d51684573bb1c0be5570a2bbe7f48f1599.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1640

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3196

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1844

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
875e2ed00406598f4125e7543ae59b9a

SHA1
a3d0d26b635cf44c689966f1f3b5f67159552808

SHA256
54c30fe61e9578c4c1f54aa02c76d39322d49af9310354230e4d901bd8d1a111

SHA512
fdb77690f99fee39dcd689eaee268341adeea399dfe8ff9a49ab5109d48fae4a160e21d3586138b9f598a57a841a189229090fa5b3dbc8f19b45d7ed2f6f8657

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d1aa50d8b4a16fe11ca5fb7328566349

SHA1
0614d62f07a66dd0ca25badbd4ac92690f6d3187

SHA256
95cbdfe664fce2a48e52995425ba3084caf9738d6496f1c47d936f9f4539160b

SHA512
4f9fb19ed623c12b0ce72d554d1685cdb508164da6f0deb4a847c3d10bfbc151ab30d802ae96f40c8d64d36a928f3363cc8266da64a8104dd7a00eefc5f8ed92

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5babf2008f8ca21a8108e55034389eb2

SHA1
57bfd50df6756f45404abaa4f12c5dc38cfbf5ca

SHA256
9d935a963387f958781dc2914bc3c007af7892b206fcc9ced1151f0526592b10

SHA512
7e828aaa6711d80370296227d22f087a136b16fbeefc352b7aea78a14df303f6af35defa2f4cc9e954a46903853841c47d487b0c4634f755a0a0a5b3e5a008f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e5e583e36705dc8a78414fd5848bf5ca

SHA1
c8c45d7ba7a91877fb47026b51619962d8c92a43

SHA256
a1707f993d02f80ddfc56460cb71bf506d24907bb44bc630b64ef1041917ada9

SHA512
0a7b174b5ce6d95da487ec961ac6e95f75cde451c4120de7032ed5144949d4d7576dd1e68a085ad78c7ad24e18e90b4876fdc245b710f18fd37a5a7f9eebbbb9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f4f648335020e7e68a29415010ba0e4b

SHA1
0d6d45335eec304ee69d516efc6991ac15dd2757

SHA256
539fbc42dc63a1c4cb79a5c6932e252dbe648f973dc00e652ebba9b36e6e54ed

SHA512
fd8a33a3ae5f4f3aeeadceaff70687f308c6cc67f73caa8d5dacd795543c84712401be383cd6673a84454f2572775c3ace829f23972097079031d7350faf3787

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f015c2ccd6282e911b421e86f9c0dfa2

SHA1
ca45e97a6bda2e888931f5ef7fd7a3ea25fae71b

SHA256
f1d4a970f42f7fd7ddfbbdd36ef0d8a5cae2de63d899c6bf8c5e8276f65561bf

SHA512
4491cb3acf41c133b32e13710a58c741231000f12f972ba460849e4f091355a3e542d0a695cd188e325949b2819dd523f6baa2da8ce3ffd060ffbb14d6531a09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f751bebb9495107fd28929de96d10d7c

SHA1
6100117a12e951e11473f20e030e57bfdd54e47f

SHA256
63b0c300857573bc9b5ebcec9222d8f03c369e26cab779edf109d0590175dfbb

SHA512
5dfe848349bdb0bd11a0c6bead2ca17551ef69ad30d0fb8f7492091a9e47137c5d0bcc2411f3dd7e068d38e2a16297269d8f8d6818af2612e9c59536e5cd484b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
367e990bb2d55a99d026a551d237c7f1

SHA1
e111f61334fac160d375a65f606b2ab76d8d668b

SHA256
0bf0287142545368c6ccb05996bd8ac2d1a30c758528b044ced2cda7929b248a

SHA512
9b7a6807336d4e759c7e78a5ce519b07f9585ce7cf71d949e707354b15e4a0a964be3387511f212f074c6445eab7010796d2ceacbf7868a675419e544e9931bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
88ca706f39a56e552a8f5c4b32134951

SHA1
51a797d6775aca1707de9bb6d2374b5ec956b59f

SHA256
ac84368bde0151a207937db7e64bb121cc0d232c923f38269e952a1b15b7089f

SHA512
4a8647d58c5edb8c7af25a6cd67ec8a759a17f6c493b5d25b69aa519261dbaf4529cf5a7283badf30bf8f6171e8feab08270769acb89a14699305dea18656e25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
37294a02e52cbbcbeba6b4440d73092a

SHA1
d69db9ddf83b9d0f0cfc3c093a1ea6591ed5c6e9

SHA256
d9f44d1f851160c6c3a4b61fc20c9b42e26ef8fc19a9d7cb28f9620b0b0641c5

SHA512
2ed6b16c8b8d1a20291eb1035fef99760c82d170d47cae61dcf294889a2b8afa3a237939bdbf8e176b8ac1887ec4e9e3d0b52693197278c668cc79e88560636d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1bb11ceb4318cec5c0176892d3565e14

SHA1
44467f054ee023777579b0fe68ba2687c535aa24

SHA256
82c2fe65259b901b9f48042352868f9ece755e672fb229133a8819afee9b7878

SHA512
b128f6a008180b1c9acc52a705645659c508a0a5caefe81f0d9585e89f2b296e45339106318948f20f9cf6e6e8d22f7b61a1d302a50ab1e14d5ce82ea7ffaffc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a55dc16ca2512dad48faa91db2991b80

SHA1
75c7b7c3a9c95e5e47db7a7c3eac577adb9fa906

SHA256
2ea93acd2391ae8f485a032ee7369e09a8547c37e67811fb469326728b577267

SHA512
1446c5a01ab52046e0980cd2fe50312ff3a28cec001349f67c58235950a0fc5715a0d1a50c40b0b062636c04607ff650584e6e07484c5f399068ae6e1cc1db03

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
170eb338aff4c71fd880bcdf29745835

SHA1
a4a2608428152a76b390f1269a345ac995580b90

SHA256
52d1d2f068fa9806f233b47e69869984bf4daebfe25a569fc92d6c735425b587

SHA512
a346014f1358d7eff69b8f699434ca87a4ed07362cd9cd86d962d2673e2fb06a626a29d50dd178c6bf9745e96c50e27565ba8f00692be07d7b1fb674526fa3c2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b0c64316f0fc5d88dd67657bb3e33938

SHA1
e5e5ee4cde99d4918d83982bc0cf0f69f0dee6c6

SHA256
7cb89f8c855a318057c0fa7da30434e0559034db92c805b33c380ab92aaba1c9

SHA512
a6766e4d83cc36028c900b583ac410a81ecfa51c1c30586ac626793eaa9f56799393cdc986c0b6fefe0bc6b8a2e88ff67e3ba208cbeec8e0c085e855009b1073

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
52672775e2c1b62b5039a4b163115276

SHA1
905999df1ea2f9d6ec506418fe4f4596e3281e82

SHA256
3a9f6eef5868db133f08b974d79c240981bac74509020b73d1c360d96281b8bf

SHA512
59599c2322c1116856fbfb234d411499a45a57cb79c90938c46011e34b180597f4144b8670fdc7938653502b31ef08b51be8e67f9079d04cc22197519b476f17

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
807965dbf721806671e15b3ce0fbc464

SHA1
40d3266ced4c1828049a7abb4ceac406ae80cf9e

SHA256
4dd019c9914296e92990f3a0dbd8f9a4addeed4264ebcdab50cf685538aef0b1

SHA512
d6170a9392d3774b73ca445c424f3a818746aac38117fb86c5d90273fe96b2b62b257a0da8e026aeae9245cf5426ce5902b5c0688c696763eb81a8a9b6d7da26

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ffbcade9614fce078b5b1719c26fe769

SHA1
316c9e57bba70166a046f0d396a625b0351fb114

SHA256
f5d0e9efc3e79f3143e2c1dfac81382144e24083a680d333b05c91a14608593e

SHA512
ff0e5db1f8a76973284c3eef59080d46c6a03088d5ba6b2bc5c1019e9b1574d937e0043c0672bcb1d23291256fb8641d3ebfad042f8818c68312fba250720018

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a9f466ca7bf8bafa9c0e42aec5c42714

SHA1
920e8e0390ee8e612e7ce7d920f707a49a7ac010

SHA256
d11335ce8a111f1280ba59bb37d823c4397cbd5ca46a6dc7a9eba6394938c292

SHA512
20a4430024a180262a6d934d6b33ab30ba079e7fbf5094893580a8f426d5cffbb4a34b51f4db507ae79d8eee05badb69d655736ac5cdb68f3b906507e88a25b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2d4170bf406a8de0efa3ca70b1285e63

SHA1
2c6dc52383f825082bd0f971c7ed7617b53b9f73

SHA256
35a7a2e56a29b5b76a3eaed8ae21bcd22c8de64bae128e74ed7d2b360e15ee91

SHA512
bd0f930ad9d2c938cc97c86a3ecb98e58d6971d4e48e4135f5fed76220c405a78034ef8db5eefd3b2ffa204d0c2725b8b9d7b8909642582541decccadd96ee71

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c85e86ae86df308c494f657a1d747f0c

SHA1
d38c7a85ac9f065b87f8f2751651212997816dcd

SHA256
8f526dada9a9559ac26a23920ac26c32bef2a2095e52ac95f2dec62b6cb81659

SHA512
4da35799370e8081b013905191b2683c563a5bf3354159781941fde9bbf8bce596eacc2954fb82bfeb430597caeeb97ee6d5183d54fdc54996ed28c48f349ae5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6c2268e3b5b1c5d112962254bb5842f3

SHA1
5702a75de6be93114dcc72b91e5cc509f191689c

SHA256
4be154b546727075756a908b34139f2390fbde268ca65b093d3f6659d75abc70

SHA512
0e9b92982dea0a102a4c53702e039423a022f977cc3ea0bdd3a1e75e9b527499bc1cf2275f1b5ebdb66789b762f420be7028611f706a0b2d2600a5b83876b8da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9329a9d187435c484d58a46857b453dc

SHA1
7d2b323a776d07996e3006fc57a5b2bed81af1a3

SHA256
b88f01548e99f1fdc1e1807c2ab1f417f1a82927a35676309e006f1f186f4ba3

SHA512
6b3eff51607f0076a9157c3447f6373125067b34b00d6ce4e1686ec79d0fc05309152e4db7a412bb88c01d0f74c0504eca167626efafa8ab12d6ec822864a30c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
376607cf1b53048f2dbe2da6db1b0f8f

SHA1
a60fc3f15e0f7fc32edaa36846dd1ff7a7f8db00

SHA256
76450f8fd7dfd6d27547fe7ecbfc533369e4d9c8e05dc3805bfe1dc1115df1b7

SHA512
cb7f483c81582a369db5146124c1c56403300f9e473558b3c82b84d42056cb4f6d3abb7fffd6904f4c371bbbe5046fc9fcb68e74bf53f39bc2d8f589a2bd60d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
687169063c2754dc0cf7e5b8cbb5c658

SHA1
38783f40e9e6c611aadfffc720587da2180cd102

SHA256
58fe25271cfc79d431f08c243c486b8c1baf88e388914129f765e682b74bf311

SHA512
f1ce400ae566dd86e9ea5f81cc3414449d0f8c279c180a3be1b24df03e99df2ab9479ea7666809a4173b0be6a149fede9dc1b7ab1961fb2dcd753c087c4ddba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1a97fcd12e5c2a83c890ee388c79a449

SHA1
3bf5e0ff26f81107b71051b5050c798df5af0be3

SHA256
35388cab7a5b629cf4958a0b69d5c512860f2ac4ecd8fb8fd03ea0c4d20e100e

SHA512
a23d3ccf64a6631600cb146d02d0c1cedeebeeb773687316539d7d1797ec58095954798b14bcd3cad84f5b8d5c359f1bdd9343a0e3063c37be88c1dd2d4debc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9c00782fe7f76ea2da9b051092a529f1

SHA1
d003f48403190074d4c3d920e81a3eb666de8eaf

SHA256
ebf8816f732a9a4c4efc94fda41d921ca7e43bcc6ff9b2f448c0c694f6d07b74

SHA512
c1b318d83b29bd8748e1469a04aff167e8070e88395362605844761d943fc7600284ff5074d53eaab070e2c12b7a57d4cb8d37036261fe183f458f77a4eac0a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e3e1b5f7c70fcb5074ce799c0163b60c

SHA1
41e4842953986be5a13f13cf3ec47ac265f04561

SHA256
6fba5f1be6f293d914352822c6efd15a6e1c7faa054c8b6401c044f61dbb397a

SHA512
5de1736bf47dbe278cabd21f43d82c836f4627a0aa6ff6e63a769a87d5a80f137bcbec274710832bd1ac340ef21081310143f71e585da3cf89506b763ce35484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
3112f613401050b172179ea8d575b3bb

SHA1
2e3a1b6c5421e0234f3fac1b45c69e229dd6e3bf

SHA256
3248e60d08933bb42f74d50f384c28cd47c740eef797f2d950a5e6dd84492397

SHA512
17d927a8142d0cef63913068c52d124fe4ef97d1699a90515def1696fed3aaab0d6c03cc28325d65daa1962fb09ef9a5bbf11f02d5004959705dc0e04af66fcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d95449fc7c6629d3fed3c8f6aad50cd4

SHA1
6f8cd32d0dc921e4847430013a8238ca5459959f

SHA256
00a815a78b1cea5af56a8f6c063f3b77bb6811c04e330dfa0474cdb40f84d958

SHA512
73aa23ae678bb492d96b537c68734a1adfd929fa05c59f7309610e8bcff74a3c67ecea2ff1a3063ca802f9090e2ea392c25ecc5342b740ea11a17fcd6e3bb9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5719bce497af6bdae14f5b12b638e7e4

SHA1
3a98165333db3659deb724eaedeb2748131dedb5

SHA256
2c726bffec618211c772d90dfac64fa70958fb22e7597ad1a588f5e312196d24

SHA512
f4ae83ad55bd2e4215a1c656db6e37c8851ec9413f26095798791ecaf069798503a985d2da69ea2573c15dffaf94897c91555c6cfade5382e7086839c1072b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
09779cd53e12d97db307444c6f9f0fe5

SHA1
635a2c79ac0bd067e541bf40fa7b4014af6b9e7c

SHA256
76fd53b1ca9886c227f52e4dd58961c31c8a4cef0a2f7da71eccf35c1ab69e49

SHA512
6566be2a386817bfdda79dcd1b35ce3ad49167cf63e4ce03377e3a79daf7a3fad2d76c2b1f3197cd3fc0210ee57c3ee6134c4fa53298e5750eaa1da49605b955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b06bff94b81754dfd4201ea44433cc9c

SHA1
91f7342be4028f1676574d31e79b24fd6c0c7b7c

SHA256
a032bf46884e24e24d24994477f45eb1e5a9aecb8e3d5dfd811ad4c68ea6cded

SHA512
8933f60cd897af6d4c88c4cfabcd9a8f54c9d12a50286e4862a820acbfbdba19817c7383afa9091a0b62f411f836a38f5c4b5509807064baa5d523cbcf9bf58a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f2f77d739c36445767b2a39c1968fa19

SHA1
a2d91c458200c85ce2b018a3d787025e6c71237d

SHA256
ef9ad456a6729badff152acbc7a1f5a7fa07cc535cca3c69b2dafd898f6dd489

SHA512
661625681ed47dd1919b1682f830833a3863a1d6b3df76d851885f8d5302ad1277f4bc893305af6b5f084dd50598fb299a4a85a16cf8344f63f62b4ad7dee971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
89fde2bd3b738078bbc379f82414c68e

SHA1
8a5d72cc51b02f4df5bab13fbc908d6b17190bdf

SHA256
431663b904f0204222ba7cf2620cf42c9a0b3affdbb4b6e5d5ac2a70f18c3895

SHA512
ae8cbf0037039da12bb272ffc1e3ba157ef5b58c7b778100d0ed4f3f0b2201c5bb08d8237ff0760dbb5952994b5a145bfc40e84b95927f200ab31a0996339461

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
cac44abb86ff2897149847073ccbace3

SHA1
5b743fdec624816663f4dd4856cc4d45feba5fab

SHA256
64c89d7709b14f45cee43e67a5253655a23db6b96cab4dde0887d1b8c6bb29f8

SHA512
cd9c013871ea9cd869d1957c3053dbdf2f4140726d26cc5b8fc36953feb024a1d358938e9de6eefc17117dfaa2fa943b2d835db022d90c393763e7e449faa8ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
255f0bf4ead2613e0776a86339dbc2e2

SHA1
e9254d60b1041ef5803533295a36edb80a810a71

SHA256
62781f5a3a1d56659f9f95402bb30a57758254956285fdce2540180c2822570b

SHA512
c45cfb7f9f364b45ad27a178912effb4a0dc9525c1defa66f2402f263415b1c6a607c80f4e230b1d20f8a8af6c2549adb478b17ee10b927fab49a37f00226d7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3dba1d12a73b3f7d637911badb296c4c

SHA1
378deb5b6b88e2d36d6b1201c06304f966920fdc

SHA256
f80a93b0a38c0be156d4ba4ac9de74318c71c4edbcc9ec0213aa28b3d0b2fe4e

SHA512
1b1bc8d3ae2c05ae2024ef66103fd89181b8f57b532e21c0b1bf7f1b3cb18359ac3b10b05bf7a3c26eebb6caa29650d69f72faa25c32cf2847800c260ce21304

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e113034ef080bdd67b80b209ef95d8e6

SHA1
83e27a6dc87adfb2d6b7775c57944a711e76eb5c

SHA256
2427af7fad5c0c3006b05ad2569de696f3d010cf6f8a837086841ba5d70c34e3

SHA512
5d6c8ce97c1827732dd42e70915f2802015cad7f3e512f2bf0e9a97be890d0405d8c28a25f11b0023d38fe4c00756b581a59d55f3ef841d5a0fe81e6d5294fbe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a63cdb1a48513956250659cc533f4993

SHA1
22459701356c039c24d06d3bce1d8f2d8a1fbcd1

SHA256
ac7b8ec98fea9ce67e9915de574f420de414a42b1288555822d4b3f66c759e33

SHA512
be0b5e548126477d17abf942a81e0abc20d41cf1719789df316a9c19bfa65a96f402d6a35e6fd0e2b1f923f86c21880da0ea48c8c366180a1dd6f7c8ed1d4a4a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
aa63611b773d1ab6eba9864579f830aa

SHA1
900839d83d7987d4f5c15524b3a7e9bd8b6e83c6

SHA256
1202dfc1eec229c0f0edbd6b2e9ce15d303fdf5e8760ee3a668777cd8358d1f8

SHA512
a67dded86bde639b221ac0e0c3aacf02e16b59f7a69d2bb797668b70a8dcd89e7820cbe02768ef8224ffb166d1581a97d56d88664ebb9f9e78df4a05f0f87130

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aa75f83661a54f8116406ba9dedc815c

SHA1
cdca922443cb5d8efb4793cd97f741b831c7a7ad

SHA256
0f96b3810f316f2b9d95b0d4dfb11c88f101ffec13c44a2a1b0b2d992c93a0ff

SHA512
1ee90e4492f8803d66bf191c12b7ed21441dd26a7e37d4e8708a77d6e3514199cda2bba5d47c2bcfc2c448018d7732f044901330256107a6fa9fbb590ad77f34

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ed5ff06deff898331c55ebc449b87057

SHA1
aa89f7db44e96022cb3485f02a67a377d4dd202e

SHA256
54a16677a274382c9c251dced2ecb716a4a85027d2e5aadbc3281656e993f133

SHA512
df8c97ad564f156c47ca3a40ff4358c7fa2b08d18ac969c02e6f1c94f0f548e85f6fe0499484f887df8c8c22141fa5406b6098e09328976a1065f7251193bb71

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
433bd4e933db4ae5e4c6582b2f56d7dd

SHA1
bc8e469444578b504ad0c86dc6abc8d067e70b08

SHA256
9c394b62b499fc4b998f3991c8b18f5969808808e97ea84f80206e6bf1231efa

SHA512
4efbf28767e72153edfebf6db09061a5498c667553f161324f8db3c63c5e63441e9b695259c0fb7352b5eb983e2e58d42e03f211ce14bc1ee8cb5cd03866a7d3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5954935b9d5938a8d8420f6dcca86208

SHA1
a0c777aa191ce1e7c85a3fdd6e2d81a0993c71ee

SHA256
5e8bf788fd817056c2a81d5f4e32570426f5e1bd60a9674e6aae6bc345807461

SHA512
7fbf5f623c8f54aaecf363985485e54cc13c754d03297dea00b1fb582fafe391a30eb8147ee1572e2f58989e820f8930b48415ff8c4ad839d041ffcc52fd98b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0902dae98aed2e5af9dcdd43882058b4

SHA1
2cb3daf33dee9227821ec6f53535b34bace77a88

SHA256
4c3837afc410845d70ac8f60218c33786e8734296b16e5623a2503c0ca5c050b

SHA512
72eb7cc1fde9af1e2551020793e103245a24d78a66f69fe7d68788ab4bc306c13de8d05af74e4fe2cef0ef504889c21d598651bb0a85c10c1e2d3197c4f96298

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
db82dd49a7e94d213f7a2d767da96259

SHA1
77c7b2d5e9e8ed90b5e7ce890fc6780f5f60cbac

SHA256
4dcb26e360e2d527e8942d26f6d652f38ed0cf9ddd3397b726fa7768984a1682

SHA512
a123e40a01a301d4a8ded1b997669cd27c43c7279362de04bd35b8f27444833e2237599c3cf355107c5ea42ee593e0fc3d6d08121591cf45f2afc36cd9a35480

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
628a5f7651f2f61732db3814f34df35b

SHA1
9cb16749d1825978ec9c8dcbb805b17a5f2516ff

SHA256
76eb5853cbbfc44df89f8672859d43466e6de4bfbef88bca5a9c67c4be8eb61e

SHA512
6364ac6c79500ebc023ef7c82ac3964e7e10e06687fcceff96130bdefa4a0856567700241287a17598c2ec3cd80a8ae5a0b6c562b09801ebebc9b35068df0e5c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
73aa386a78747e152f268ffe6bbee471

SHA1
f75fb5a704383340c91ccd06bf302679d3f0ccb1

SHA256
5f067b9c4d45a998f70ee541b6e54f08ca1563a7db9bb7571a035524733211a3

SHA512
68c2dd7bf211881bde15646d88bccb3eaa6707dfbbc97f00792d616842b0257ec7579bd29ccdf21f345a3cee91d88e62aa8e4a70bb9d0aa2c37a348c919ce712

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eea329d213992667071c9992d4d0f127

SHA1
0f8b824d6c472891e1febb4171d9ade1e699a44c

SHA256
b5dda8c4296ea608e9effe78416e7a7c83b8749e9d3f4fae8d8e2973fcf5084a

SHA512
b33fb6a42944222a0f17fb7a3cb339ad4f99c9a91dd076c3b7f04c634420bfd755d9eb995b950cfd27c486d3460be167450c15401f2c51aa5fb647383db16858

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e30436f841a426c334ab96feb4d5aa62

SHA1
eb16ef52ad55da13091029dc5640c41fa4104c93

SHA256
b2fdeb9657c9ba09ad9adadc23ecc50b7600eaf17f1e39e64f789c399ab4c8cd

SHA512
7a53d4f935d82f9dbd2696dfb370e2aa5f2c4eb2168d3b1bab1e714468303bbd2f863b6de1e4e1d7af0c57537ed6fd4084aee1661be46110db85f72620e40756

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
88c11ce8ce622651d8ba52434cf10bd1

SHA1
437f2b8ac4dcf68ab05be9cca7c188d1c27870ea

SHA256
de6435668c96a3ad9927415765d3fe4c842a3e8f0466d6da90d9a6c25afa7605

SHA512
eb2e530e317ad8aa79aa6d60e7e9e243ab19a755ef0af302b74eafb5a1675fc7ea4f1d0e4085ee21a5ed524827b1870497bade603128d4ae6c05e6f582baf3b4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ec39661f7832c89f9f1e2b93022531d5

SHA1
98314af49d9e900ed403f09700c3d92551ea3cde

SHA256
c2668696001b1021e18d1b1e3998f4b31887ac65ea495297ca4a4e4f4094e8db

SHA512
c8d3861150ccd82bd7bf23949cf006905f3747e4a2ff070cc7030810c862759895d533b5581c91cbe8c8b2ef40e910543c8d874ddfd55a0301eca498c1c9abee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
21798b77c61a00a280009fba88c2881b

SHA1
d7da6bb98abd538fcfd50db45df6a1969ee10c06

SHA256
afc1bc580e8cf81533177503c3dac2e4fc0c04ed2d62be9d0cc3a0d572df4c42

SHA512
3eb136b830b01beee0c888ae2657757f9fa8721463f77433c326418d4028a5e094455fd9ee6b6c23510dcd76c576dc05e077e78e5cacf59844fce841f5f8b80c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
22a25dec3ecc80da97844ee9b1df0cf4

SHA1
b6b54e5e87876aca7184b44a9e29b1b12dd03629

SHA256
134f3ade75659d9955f1c18be67689900d954b76dccb7d93842553d07afe54e5

SHA512
10e80b0dd22c16f09c4304437aebe0b982220f34e5322b124198bd9708b5e9ca39e25585c8ec26f1511425b5d5ec96d1245fe260beff0883603dda9b8969f2a7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8a883e1bc9968e6d1dfbe80f20fb1e42

SHA1
f18ed665cade465cacb0bcfea47ad427b3178247

SHA256
db29cd85d9b83546762e796313805eb612aa21acba2ba701786ea23be4d66009

SHA512
cae7fd411d2bcb806b29922578ee5dacb1e8f5f3958a806c566a5fbe23b5ff6738256157f70d93b3ce654da78a379ec3f5b1e2a2a661300d89652522c57de231

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
39fbe64f3061c4b3cf324eb7e15c1489

SHA1
8c62a47d903a639a96946e00c1705cf5ced45996

SHA256
f1ffb369d5fb3fb52b0adafdf35ec60b4f554d6c5698abe5890aee36b68ce5ac

SHA512
fd30e66b30f35ee283a29306265553042c7c94e0aa79d6c4cd8bfa43a0c8b728fb21b60446be2d5bf0019d1bf8fd60ff7c53d00b8843f7abf7e5d2b6b2a66370

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1404a19df28af7a3f75289cd6f3cb135

SHA1
0d99e28bbc2709d1cc35f9501d72566c108417c2

SHA256
af1d7c0363cdd9b0cdb66f3fc28616e2e63232dcdd41c5d544a04ee5dc6dbd05

SHA512
068e3a562336c7763ec9e26cfab7f6988ec00936e6f81495baa377789c0b980bfca348226c3d38e2ded80e7a3624c4483884027c63c5e630291c250790e83e35

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d27c98e0c2776487c2ccdb60a80a2b6c

SHA1
699a394d141fb580239c130c2e9273b8f8dde51e

SHA256
2546c8d34fa42cbe9f723a289dc2bf294ef751a4de8f39b18ebf6471cf6deb82

SHA512
baf09a72c4f731b481d7ef0ad4f3210613b0e3358d5754d8db3396539969f1d181ccf7c1cb4c730cb7dc81691937b2d0ea937829f032d80ca3483fad012ed663

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5654d73d49f6615e93db2018cade899a

SHA1
67691c21fc4ff4da0a6d9b142f7e52884b855e42

SHA256
0dbd5d7e4e6f8b603c5ff6970633d5760343e01371e855195aabd23b79ca8320

SHA512
77285d1c03ea3a4533f05238158204ef58ff69708b4d212725e37eac7ed4ff47b642d6436286a018d3e1e7eb31ad226584535b5e2d272af9449ad6a11a22f520

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
784b58685d474f0ca25cb96f6390d3ef

SHA1
db436874a3d88f4d7266dde0f33f8d2fb38be4f8

SHA256
e50da310d9d7666db3f70e3b9b7b23dd66550285d92ca0335e89fc9b161b7660

SHA512
17840ed914e548ac6301bd7bf7903bcb6c96e94c5ea3e57463fd747f0cc51758ccafe801a3a3603f68e1c4848eb083b6cc4fda46378f2ea9bc819a4d944a2289

Download Submit
memory/776-662-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/776-264-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/876-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/876-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1228-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1228-118-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1228-124-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1228-127-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1284-660-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1284-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1584-112-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1584-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-106-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1584-126-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-116-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1728-335-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1728-766-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1776-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1776-19-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1776-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1776-194-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1844-156-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1844-157-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1844-283-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1920-762-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2116-101-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2116-102-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2116-93-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2120-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2120-765-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2500-314-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2500-195-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2568-661-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2568-253-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3032-6-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3032-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/3032-180-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3032-524-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3032-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3196-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3196-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3196-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3196-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3556-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-657-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-205-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4324-334-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4436-181-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4436-299-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4492-618-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4492-228-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4504-761-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4580-191-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4580-302-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4728-141-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4728-142-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4728-148-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4728-152-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4728-155-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4832-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4832-767-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download