5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
Size

1.2MB
MD5

215cd16cdda08688e45c25123d0956e0
SHA1

21e4068c723f4833c69af829e1eba288952deb48
SHA256

5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed
SHA512

91c3ff47889a52bb83e6238e5effdae1dcf54d8ff411680c86a3942dd6af33b70a13b32005ae16348bc6288d00670f98b4caf252f2d90bca4f31fbd819e98736
SSDEEP

12288:HwF3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:QFV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3224	alg.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
1348	fxssvc.exe
4684	elevation_service.exe
1060	elevation_service.exe
2372	maintenanceservice.exe
1992	msdtc.exe
3708	OSE.EXE
3240	PerceptionSimulationService.exe
3912	perfhost.exe
1152	locator.exe
1428	SensorDataService.exe
4596	snmptrap.exe
2680	spectrum.exe
4900	ssh-agent.exe
412	TieringEngineService.exe
2544	AgentService.exe
4636	vds.exe
2848	vssvc.exe
2052	wbengine.exe
3840	WmiApSrv.exe
2572	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cb74d0148beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\System32\vds.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000395ad22da1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef0da52da1acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000437d362ea1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010930b2ea1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075e942da1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f528c2ea1acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006897ae2da1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023beb52da1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe
3964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3688	5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
Token: SeAuditPrivilege	1348	fxssvc.exe
Token: SeRestorePrivilege	412	TieringEngineService.exe
Token: SeManageVolumePrivilege	412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2544	AgentService.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe
Token: SeBackupPrivilege	2052	wbengine.exe
Token: SeRestorePrivilege	2052	wbengine.exe
Token: SeSecurityPrivilege	2052	wbengine.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeDebugPrivilege	3224	alg.exe
Token: SeDebugPrivilege	3224	alg.exe
Token: SeDebugPrivilege	3224	alg.exe
Token: SeDebugPrivilege	3964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2572 wrote to memory of 2044	2572	SearchIndexer.exe	SearchProtocolHost.exe
PID 2572 wrote to memory of 2044	2572	SearchIndexer.exe	SearchProtocolHost.exe
PID 2572 wrote to memory of 5076	2572	SearchIndexer.exe	SearchFilterHost.exe
PID 2572 wrote to memory of 5076	2572	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe
"C:\Users\Admin\AppData\Local\Temp\5992be260d6b2e26d0964dd3ca37ab7759e97b8eb447110d311fd61c35e605ed.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4816

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b688955bd89075da0f6f51e1dc1f3f77

SHA1
8a9104e99e77df5be8affa730e653c593526abc1

SHA256
bde6e35d604ca606f75802e67a85da478c9744a9536b2d80025c019bfe6f3e92

SHA512
6d05d3361291a5e77aca13298ef21fc9d373db8b7dbe7531300f00ef2fcb500aed14a34548d02c7c77af81f65476472b47e14141a604ddcea8f26b470d03cc8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a4d9366657f24c478fe26a1bc94824b5

SHA1
29b56b25eb718c10c573dc548da3f143234e7700

SHA256
714025bca809bc4b815640e2f445bb1c7b0610e9ddc13cd14fc497e8aa61cc4a

SHA512
e29b540c81e0f93de5140685da8547106136b5023990003de27146d98aa5bddb35c3f99127c4e0b8c9ad1f3e24bbb41925d0c105f3d8a3a21d7193aa029c486e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4fb30e81cbecd4f80cc2f3ad896e87e3

SHA1
d84d2233d20a70f47a8d108d582e4135ae1d9dea

SHA256
5f3dbf2bcfe1d9f8c5b6ec296bc253817d570090a0216c986444b3a508a9327e

SHA512
f02b7a579d9288d1c565a07b308bc4dfa9ac1945fa158efc94a09e1eea17f38f9918791992e076d971e31ce30bb38865862c0891b2bba84ea3fca5a9bf98dcd9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
363bd7acf7ad1f83e3a77eb6b6ad8c19

SHA1
47cf5dfc2eebc82b81a50c19be68ea51bc2873ae

SHA256
4f6ac3decc23206d79c800fac8e9ed2646c3e154bb597c4233bf0e44804d6e33

SHA512
707d192dc78587288f590f04aed5e251fab22abd1e5c36d2b3a7843b0f932e91a64de3f93779ffc607160c3aa1543e2bac7cd10d77a8a5a7765200997f935507

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6d6f3858381402ce140acdabd1687abf

SHA1
ae51072941ad55548a3b316ddc46a7dc4b0aee3d

SHA256
ec4481e81307f864417b52ecf2682c266378092149d69486fe4f3a56f24a4678

SHA512
dcfe1bf91dd418b9e522caca072aba3e5cba19f0c417e8084a66a4c96e9bb6f4e9e1c86bfabe16dd7125286e291155993d3796ae057c26c11371a274e08f7ad0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
42abe7a8596a8792108d1c4a576f70bd

SHA1
e2555e99fd46c9f19c94aa76803ce74b4d086d16

SHA256
cf3f4ede2cf9f02bc7d43c8fe154eb140134b848bf79e9b17382a72d4b39c3ce

SHA512
d6f75af3c96c639d2d37266ee12f3017e9586d48e899902234425986748d1495c2ab06d4662d1313bfb411d1d4a0a3e3f5de6444d02480efbb507d38d6520a30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a2ac863734c40e040ae38524b2071002

SHA1
2e17ef726e72a60dcb7b0b34bc2614b34c07c1db

SHA256
2951f8ff5ce7b43e65268712204a542933e580a81fa319a2a6030695de396c4c

SHA512
73ee825def352a99e4902a5570a644486fb14dcabf72353655a4b6ed9ad49ac8b6fa3e90fe83b7dd7ba86a14a90447c99af862309c4aa0e620ce8bd78e5965ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
24a9dc25a9d3582d8e113eb021696cb5

SHA1
3d398b30f63a72cad92a78111af34c990b60cdb9

SHA256
03ca9e7cf503d91acee8443a6f7e08c79c5aee6ea33fb745844c77dabfacf4a8

SHA512
cc4e95b6ccb89d569439fc5c641aac550508f8e6808da57a5e6d80a7bae18f9841d7c252d3159b2fc8f5cc737aa6c37457b28017875de3f82337dbd948e49557

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
61ba6d7cbe56dc8f436048e0b061a8dd

SHA1
eefbda432dfb0e83e1bb1418d49f490400788564

SHA256
3f816b12fd6dc5cf4da01fc6a3998e3f2301fb7dba3b37a32689afcaf49bf3cb

SHA512
e42c97a4feaa9184a9f02d3cdc7706373cd656feff97f933ea6b964fffbe9577d5f3e39502ca517facd0e1fe80578bcb91fcca296c16d868147bf1380424b036

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f4d23091a40fe03a28fb76614a1e1cfe

SHA1
a7e2e4511b7d67df3841abecf3353a3d49af2562

SHA256
7e1e502e8d9771c3511bd57544a6655dd1ff905d919f949b518d0d8b94afdcc9

SHA512
175227a603b340b919ae85f7c7726fa9cd8d62c714b144cfcc30f746f86efe365a6f14296ded3f9cc0b29b0823b98504f052d8da7b7dbc400dcf4ce32853c4b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2434f529fb5ccdcab253471b441ff0bb

SHA1
d489edb6f41b1c5ef4aa9bbd2a3fdf187aa4443f

SHA256
edd5537066be15d368d3783aefbd309df38b1428bd80996746df0e9dee25ee9d

SHA512
55051956e1ede8179a90203e72732c39602743a9d47e027d662f25284c2cc9abe1052d548d7451816052242ee4204e02e358d24662c4af49de20a8a49c865044

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dbfec96f6ea25b32e206bbc325ea25f7

SHA1
d1a66f0d5beb81bdfc5b008aec8366c2be2efe0f

SHA256
68677ecbfda43b965bacb222192b111743e35eeca4e2cb7053861adb80acadff

SHA512
990c92116c1f184a0d6bdc5835837bc1060b0ad3999ae1f6f58a8b7d3ff273b2a4983b32381a55ee808644bd10c862add47c9f068af856d4d06da990875fc69e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6d729ee9be97d6fb15c91c02b85bb3bf

SHA1
17dccb51cbff381bb687e851efe1789c12b81398

SHA256
e6b7e6b2adc415953543174921787c13a726b9f9fdf6b707c4999913dbec8907

SHA512
09ae7a9b416249e9ba41281bbfa9ebf18ede54c8826b7065f1cdfd983b0a841fae64a42fd1bb6257c0f27cd61d5ebf9b72372862f52ea2859f6fd53957ad5d20

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d509a52d54892d191242678c1be3e865

SHA1
caad65eea1a2c5b4b18330017ec9a03dd01cce91

SHA256
42dafad2de39b3fba7d8384e245da4bbfacda84f44ba8057babb322603f41c79

SHA512
2e2df023f8126f69247cd25f1ae728eee073dc9baf5ad7b6ff6e2036df3615e0313bdf9687ed4821b69a13156c80c7cd62c4e3e67928fecd710c1893d8de243e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cebab711183a6e1cc8125680a89e3c58

SHA1
b65579fa2d7bf847b5405ffc347f2398e6e3f0de

SHA256
9cd9b0afdbcd081bd5be6bdbc7766d6fc89be200ed9c3d29ba272f3642e1680e

SHA512
b9bd350ace8b097af308a54ef0d28c31177f23d0b7342df6e6e45b2b3259d5dee996129cbc49340c504f0fa3931e9348d2e9d232ecf11e45ededf802b9287550

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
94b5ece713d5c692e2a82c430431877b

SHA1
0cb91fa7abc879c6c528d93ce07b4667b14ecc9a

SHA256
fc01f947291b95d5094727c52953d78d8933f109740a19cc6873c0617fec8381

SHA512
4c839b95d7df881c303cc4328c90028796fd535d61836dbf7cb26ef49404c86660fdc0af5bf721d23a771ea93a11d3415976296d7fa8808c183047f0985dae47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e57b75fb1fe84aefef783d2b38bcd22e

SHA1
b5bd3d46b9d26cdc4ad88a38e411ddeb010c6947

SHA256
ef53a7caf62973c524a3e172e7ea1ecc372ea2df073b32a2462bc6fc65097d44

SHA512
0ce5697d9d6e758ffbe8c890441de3967301b4b8c39cf8dfb04cfb7fec2fa4aaf9210777e3fe953004f9e018b863d5a6556d30c7f0d0cfdcb017269c67f3d245

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b71e89a7d0c44ecd76b7c3a4b5290fca

SHA1
aee54750d35f3f51f2ec14bf7653ec52586a73ec

SHA256
e1fc1107fa6cfe59bb96e6a32e878eb391f6d1f266cc2bdc80669be4ebddac0c

SHA512
88ad55591db6691ff4fe6e3134dedc872e5b27a70dd2edb83d8edd2ccf970061e765c07b9c2f774ea425662f75fc897677c10ccee8e99fa1c951f874652c315c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5271652ae3016a1000ed2b5bef2b739a

SHA1
e666c9bdb700cd7b7ea7ef11f2151b5302d56523

SHA256
9837db31a6704225c82918271a9b34ddf64f51c2710c867f9c751ea971aaa6da

SHA512
99490f2df219bbf3324150065d3f977fb78f8adae91c9344abcde9c70bdefbca0d8b6c8e3bbc43d2dadd8bc2bfb4bc383b1e582066100f4ba853dc32a6226cb5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
925f706f23b671af0b7dcbf74ac51a4d

SHA1
ddd821cd6e70faa39618273c89e2fb0315c222a8

SHA256
22257703979677793ee63b2cdeb0f7153371332652bd36a7f89fb6c916181e26

SHA512
757c5512a19fc143d33726c43b92009d4f7d57433dcc67e6812ff18cc3716f65c5f472c200fb990160c7b496c65abab9819ff851ad69c547a870cfe950c3b484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6536f472258db2eb854c5b68cdb3e12c

SHA1
255f2586aedf59538c7ac9e1a23debad993e3bab

SHA256
d0f8d557e1757a22cf93fc3bb51ce3ec8d1fd681538c2cb6a608d533079ce24f

SHA512
ee1bc9f79ba6699510dbcc7bc96c61206f0de5a1c6c892dd8409e25fd0a13248fe382bd155c1ef434227610b0457afd777884c714d390969c78fac364ea4bc28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8903a31d289ec7de91cc1a5573bd055f

SHA1
4ccb49a7bdfaf3227cc740bc9753057eb4060fdf

SHA256
7f7250e634704d611ef2ca89c2f6b2ef5fa07f2a4af12b8333504149010ccd21

SHA512
76896402ec927826fe60dd4f62e9685b5623381e228821a378c8e424b6aac84b11c4baedc8c045c8c76214ab9044fc9e309edb41f3e19c3e66424bb0397d159d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
3de5d4cb7865ce27aa98aafef380a6ff

SHA1
ab667849e7e5b6fd1d283efe1d5ec00ca6a5ab5d

SHA256
c2d7bc11d4f880b178c887a9d8cd123c09662fc29912bad63914eafc23e51605

SHA512
63e77b6506ace3d9d32acedf66cae01ecef0fb93f32f4bcaf4ace1c93796ea842bf97c48dc85174e643aafba6138bb9c96156cd97be52f1927aabd6176894e76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
13ce8361e53dddc20bc5c6af11b2b50b

SHA1
d43b89ced1a120f0a94df88747b056771a97b2b9

SHA256
6d281f8d89936a90742f75ee450123e495cadde7e07d4f32e1fa19b7b9bf1b5a

SHA512
494a8e355a8d458ce56b528bbd90372f70a80b861ebb398f471cc359c8e8ac4f5dd3596a22b3a68ce36867075a47647980306d49667039199a79654ba462c479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
40948c409793ef9ef567bef9bd3baf11

SHA1
94c161ea3c41851617d1038f0fe8cea4229baa42

SHA256
91a282d44af474e68133852a7a714ac7d510ff02e68a35d4ca4540f5f2dfea2d

SHA512
10c6dba7896a1b79189927aa2a0c700af2b32440e880ca8c6cad7dadb0313d060ed5639401cddf14f7d9078ef40fb80e4aa4b473cde2e671dd992fdd40dcf3a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f88fcf06582b1e8c4babeef2925b601f

SHA1
f2dd071997791c568584718f398b14d65bb45b77

SHA256
7ee49667edc517df0231ac5d56cd25474fb98db3d3fda05b69e30c7357ee4552

SHA512
9dccd53f3b1e109f3557b448a989258b92d278e15000369959ebabcaa24ce7af34afcd59109a9ead01994269140f280370840c61e2fd8455b7f5a6eb03c7bccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f68a2e3015a50da364e5f7644e91802e

SHA1
cbaf8369e1d462acfd39b8d7af3d2379564f5153

SHA256
7b0eb77ed8a4ee88ba03074d6da0e29a94fad215db05d776be576f8583720cd1

SHA512
3ddf85252f472341c27d3708909905e6375e8806fbb145f3d628830f9be1597dd69e00a1ab4a6270faac90f176b7934d113cf22ec5afa313317faecd09fce00f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
bce7591f7bc2502a4571e06e2fe1863e

SHA1
6eac83dd87d521c18df272a889fbc981c3512846

SHA256
d46f117d02061807bb92e33da455135243b4e2f11ea4e31270e2ce9a6dc2aa81

SHA512
c6f19267e7b404748dadc18d58b1a6a3189485e0a3f6013984912318a57baf085d132c004fba6c459888e1c7b83ea513c34dce72c76dabb9d557bbe63d91d5f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ddfc7fe218b0b86b81f5808ed4caa3f1

SHA1
bc504577c057fc5e9ce29c58edb6f879be15838e

SHA256
bb35747908913f6f611615da3ec2030e61123ee55a40cb4409d09c8b3f000936

SHA512
0680dfe8488d55905dcec0909d4feb624f6b1a001747c2f1d7a804882c77228439e568e1ff97b99a8a18aa18229a12d0f7cb0de2b022f23fc4bcb6035e5181cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7cbd6298297c873d45752110e234a2a8

SHA1
aceb5bef0d6c345e20e69d58f64df455f13ce1eb

SHA256
863b4d4902f1379799e7c12938fd3e2f7fa2817d8bb85fc5937c9035afe47746

SHA512
ab0bac353ee45a8565000cb8bda57a89637558e8ff4907423e09c955178a6edd94c1ac7b4b3990d2d93bdaff10fc57eb40910839b574fcb8d62496215b459bf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c32f5e3e1a66d9aed45d8e3f70828fc9

SHA1
a1cd2ff94af9f65101a02b586e31360ea8c9e0f5

SHA256
51a12dcfa2be55db1a55a3f6f861df7ac270272b85e18e6c45840de1655c2f21

SHA512
ce50a0c204b928670ad32bb412a5e4d8e10cb0e35634a50304461b076720991d500b73a5a5d2ddf39b662ec394531eeff63ec00cb17f34373a18db7268d0cba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ee23c9bac3e47e6fc161b66fdf17612f

SHA1
ec99e1de573d4f096221d06e9dae2b61a4e6573c

SHA256
f24b7fb040717fa94a6affd9897acbaca03fc455121e307f09e6ec64ba88faf4

SHA512
5972c251c2648f2cdc4cc045cec5041420186bee229d3082fd7390e969200126c8010b38aaae7efa7337168f5a1a51162b8afa45e5b722f4e6ae5d20dc941d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
abdea1431a65110e21feddbb52cc7445

SHA1
d287eb7905e081eae581562de0f2cc55c89c115f

SHA256
5f9c90c29298874959d30d9fc3a9f3edf74a0a37596f3e1c074c61d714b05e9e

SHA512
817ec68530a5ae35dbbf56d4235f22b38b9c8f91652227758655a6a5a4f3c7ebf49bed8b8a21897c274b8c069c49cba06234f44ea90a207ad673ee910b632e0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8f32fc4ab26323806213203b2fa68b6f

SHA1
322e1dd178ec9c3d84cc646632d90026b6aa0d38

SHA256
5b59a7a8db648f75eaf09b0a2a273f2138aec7a5f2909520addaf7471f4ab80d

SHA512
a347d924c9945bf5a2a21430002a58e9a809f1a491e84eb6080dbb73c6270e86ee747d3095b2f62e9da7e9bc645c089edb20ba906bfd9e17b95d88e853082296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
e6894d227b91c0e0803a2b46febdb48e

SHA1
2d3d5e0eae653fdd9055a380f869fe7fbfd4d873

SHA256
6c784e1065c9f634caebebce219134fadb1e01c4c9ef209501c28dc8d38064bf

SHA512
aa246e9dfc1bf6071cbe1a36f1f27e233bb37276d115b65fd8242d4046f5cf7e5cb146241d5a564502d29afc0c28cf0bb705b82f0ca0d475aa3f0073242c63ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1d1be98f78f3351b4c2899e72ef8b11f

SHA1
905fa5c4fbd117a0ff06474b2123d0a5e7be2dd3

SHA256
4bf5e023ce047882745759a579af9141b4c974993e3c5171db117ca30c19cf34

SHA512
47d6b39d1cec18df05d578b6b2d1336a109fe12deed45863a329a3eec54fa8d96ba09f4a0df4b68b3829883aca9ea4ca7dbd3db6ad6c9fa678dd32eeb5293154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
da7f429d86afa7a88c62956852f6e10f

SHA1
741db8cbea91c560bad32619316b9047e816ce7f

SHA256
dba126bb7dcdde1063de241930a86431d08a7836fd28b4f7796bda20bb1fd39c

SHA512
e37aa96bf5a997a74dc411458a01026d86e1f47bbd711f856b5506c722835c1f138b99a62c1faa6d72a3e9ab04b90dc17831846f03dbe749bde60af25fe2a750

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e2867a09f40cb13d65216f3b1b841d62

SHA1
6728600ebbfdff5b5cbd04893471d13baa18613d

SHA256
189fa605770d0856d8fd262667c1b4b771f4c20d734277e4e39e323aced2744e

SHA512
304273e42cb9f500278de6e5bed0a8fa00d0609185d987aeeb418cc12876b205dafef57205a798b183af930e8bf869fc3e98ace84e10c21c4cbebd4bac48bb02

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
fd2895ee3c6bfbf778ed98ba70aa4ded

SHA1
689b39cfc71dbeeb21ad09976d3a0a936dd3f61a

SHA256
bee64db49d47e0912fcfd77c6bf3ac040911c29b81779efbad505306a8b0a5bf

SHA512
9d6db9f3caa62b7284a2801655c9412147290f7cc0aea0a1a6801d333fb239805d34b8730683a2cff44c12bc16518754d494751ed0fc518fcaed078007bb7f06

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
faf8ad8159ac679d99c7cfd5fd3c4da9

SHA1
29884f95d51c2ba72429d3a2fcfccdfbd7da4687

SHA256
b14e9e77c50b0e2ce38437868b22aab7c2bd52f4136a3737f25d3a251c8f2260

SHA512
fd18caf1bd4c1110fd1a13d2baf43416e323dd12cf2549d7b6ad227504ad8cf0e3d570c21ce5394c55156d2da667ce7a9f39b5f593ff0e800e607d39a6b04ae2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fbca6d091569a593bfc653bf27c1d30e

SHA1
e366c3eb7a491246905a1aebedadf1181170c26c

SHA256
4b2f9ee111e5d98274cc302988788e635141822b2dacd796c6e3a86b2de298e8

SHA512
fd13bde655e277d7721ace06c4dfdbc4fa056e33e7fc2547d905a7447cbf9ea7bf863c65734fc8a298d9d44ee5040e1b4a5e75b13b51e6ad306f8a608b0dd389

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2d45089f4292a6d4960ed9092ba7fb1b

SHA1
1422cf4fe7f4938f963e9f175070d588de54dbc9

SHA256
061beba54c8ea8ceb7fdaf8c24240a206e76e125a12697683eb3f7c4ff10bc3a

SHA512
90e1bad1f4b92b1be4c813693d59e06dd7f56eef50d94dd9e8ee49f7b3a45df6e5f99437862c17626ba5f673eaa9be79d080095f39d2396419f9329ef325131d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
023f78daf8bcb37481295a62739b7e8a

SHA1
4592b5b95bad53155cd5be9f1eb47adebce201a8

SHA256
45640a67cf5d56ce8e30daed8223383ab5d9aa07e2ead3abf3a2e92f31a71e14

SHA512
c4aef862ed4284f52ca83b9c6df832029e44cd2704f0d7b94013a240e85d661af64887b9e5a4c79cb41e88d3a26c4c274d23dd49af405595003c572b342c792d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ca7c442dbc95b3cca925b40e6b3f3af6

SHA1
8cb520493b16a64b8ee967706b3239943eff51cb

SHA256
11266f132d59fbd0c9508a890e69cdea9dd6dd96c862e8a55d8b9c132f637ef8

SHA512
e32a444e114304ea096a99caedc32ee011c675b99407a7d4a108e12a0166c60650d613405cf1263922d0369b903602f507299a8b0e05a3fa8568f2809a4eb632

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
54164195e7887daf65c4e423a3ec61a8

SHA1
8d113ac4985bb04f1d133f70e2c7efaffcf217a6

SHA256
819dea39714b407906fe64d395bca3fb6d04043b45a9d67596039a80c8b644fa

SHA512
b58794a5dfa7a625ec5a689d2e36f8cfc6da21a9a5f41e26e714ebeb55e8da79f488a066ef63ffdb4c2024e00123b8878897fb03b7cb2c62eec58e8f21eb0f18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
702e27388d4875fa55f7b748e7a431f0

SHA1
041e9cdc879e29245b5343701de564d3aed95174

SHA256
d8710ad289fc1897d1864cd2c9d63f190e6d2564b01b6ca4a25f96e69a83e5cf

SHA512
1f591323ebf2243483e53c14cf78acb46016b479e3fd00ad4207d8ca382dd70cd0027803e8548d0f13e54ae46a1f16e3180045181000b66017ac07742710f30b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
377e0b675ddeed81c93b9f57c14f62e9

SHA1
d436d74d5f9863d08016d3879a437bbc438e32c1

SHA256
d60dce1118534a070763251199c1e9b769c63384513e2056704013cc7071afe2

SHA512
235741f6d8a452afee268758751656fe64c6aec6bcc69cf43f41b113fd2b070cf4ab2e465b6cadeae3fd066f726b1a74e1aa5dd8ccf99170ae2654c7c491d487

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fcee9d0492243f9c38388c4924c53411

SHA1
7050e9adf2daeba10915102a2996e204891621ff

SHA256
ae12c8d84a1f2166ec840c27b4710d9e4046244c09bc75ede1210810b1411625

SHA512
a335dccb245ea34630297bfd9f0a89138567e2cc509e2e5430aa6824b42056f84e37926f9709cb91439fd8951e651f75f512a53349cd83d82ffc3a9630d609c9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dedc977ce0867fb8239bd0d7af6bc40c

SHA1
952bf83b0dbcdda5c1033e0acf0559dadcf8b1a4

SHA256
72a996e12625def05939e07079797146bd990413f3c5af5b6bf7998e933953ca

SHA512
22d32d902bdba18dcde8ebe134677a6b56ede39785d4c8d037bc93e5b02387665dafb930d545124d8ca7d5520492340ba68216ef201f8507d4c4652fba20b4d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e47c883ca868e2fba8af0cd8d4be17e7

SHA1
770ac8c616637e1d64716ecfd527749bffc7967f

SHA256
944ddd43d0ff42bd84a3ae4024a1e459547eea6bd9b318ae1125328f1ec2c93e

SHA512
867ce0058aeab04f0b0fc15b464e6b491df1a247cc8e387ebc5536982ddb6995ef370b7f9e3d7b6d48d8a526867b3b5f0bbcd1153c4df8433f8816d10a9a6083

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3eb909b9e6ce7a45fa51be586a5102d0

SHA1
5c7db5e436555d86f8ca3106a4d5306b8f32e1a1

SHA256
b2b9ddaad7e42b76b6c5da3ecdaceb6fb4503b552f2203bbbf2006e9097b632b

SHA512
9384475572927ae5580237c8eb4894ee7c2a86e43189c2db955f5059d50f70fafa59571283fb512c661c11463282b3a36477750c129a5beaeb708d714aac4b4a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
83b2902b2c91ed5eda9df15e21d7364c

SHA1
860c74bde38ff50ea48581a5beb6582d05e150fd

SHA256
3c445b46c68436540e50a1e3e5e4b73a2217fff5dddaee8c5c546018c6178296

SHA512
dec4de8863a9463529f56a2fd6f780098d7034a9675db21c97eac72a38f07e1e1013f6f378f4a5da9978088aaa86d3667aa2714d7bd976fdfb52f19d667443eb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
79a980973ef0e0cb2b035dfa890bdd16

SHA1
455f5a7a393992d1105280c2e1889b89689ae573

SHA256
9283dab5cbff28bba1d4cec96318bb622f7cf9da0faa8a26762d1e1940417c81

SHA512
561d09a92023e28cd2b41fc64d4c747adab4dff165969e1ea35c75dd6a888866c65f3975390b54331ac01c8f1e9d416b4ed119ad0c7aecd0559420e67446823c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
06354cec63b9d9b23bc7c38acab3c255

SHA1
860c4dd49e86ce1d37db9bb2787c40de26a23dbb

SHA256
d569c388d27c9ff6af3f4625243ae4d9e97b2806147e5f82fb405b08d7f4b658

SHA512
5dbdeefac993232b4e1344e278c4550e875a3d9b8518aed0fb2ecbd92bb0923d5f176bb4bc8188b2eac079f56294dcf830b269a10e99fe4718e63db13a8ce520

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3061c0cbd3c2d5d55c38443392e02b4a

SHA1
40e188fa9da8e28fe0f99e63b4466b0185539fc5

SHA256
37fce79de0779a85e4af5e03fb1876ecc0ea8f8ea8307a7a8974708709823a32

SHA512
dde1aa0caa95f431550262d19bb6211a268f7c31afb56e94de6990b7780ea8137b84c75cb2de09773932854d5669d17a59a46652cecfcdd06729ef672c860c2e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3d54b040e552e4e08a22600d4754955a

SHA1
ad3e1c8f76f8f5108e558daffaf2f0bf860148f3

SHA256
78afdc421833f07ba28c461e0008eee23b40063f8fc2f6f1d4699093368b3dd1

SHA512
4ee1e038ed0b1aef05415c5cceae207a35c56560a709606eb84ae5237ff4ca063fe1016d7366d71c1b139f8bbebeb2d95c1cec526f6da694474167274ed82d0b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
985dfb8bca39b6897d271a5f8bfa5e47

SHA1
806392bfcea3b9bd907ee1756070d85846b61784

SHA256
c62918f5b0687a977fc4e00845d50a9658e559db41d740a52a0ab6a1b2882e76

SHA512
567e40402dd7eac8564b5d0e69f98cba1b064efd2f55755df202572130a20842d286dba97ae3ae9d83d749bb6d465d730a6ca1bf46da566a414a854a4fe5d3c2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ef12008ff039b38b6889d790e30b89a7

SHA1
5dbb20d718e9bee1c433a9d2c0f30f3d73899485

SHA256
1ae4d725d36e4212d11a6b468c95c1e1d70cfc2ad851380d85a3938380d5ee55

SHA512
61fadbfb602453d243e2926f04006d00b35d7ad18a778591d737b05a942b1a888aaf44aefa147fa96a7806e5fa58302c8638ecebbcde38438e99aa6e8f5e2208

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1251cfd06611e8cf8eb6ed1d1232d056

SHA1
bd0918aaee719657b8bd4655ea9a09311dd670de

SHA256
0053a78985ae1429948a2e456ab521b6e0ce6f2119b9bbe6b77d42570cd50a7c

SHA512
aca10bd3b84413bc37149244ee3348f7728cb9510c26aece4333624caba9351990ba865d662b9828c33032b3c03f3e0c12d418c096b455cb8ed979c524043ec9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
624a08be341591c2caae4cc8b535ee93

SHA1
42c5cc41714513cf4795cc42977031ee8cc952ae

SHA256
5ebf3998da60635060313196190a3762148583c366129a005ac3efd4940301cf

SHA512
9b840b387e0ff1681a4c2b6529744998e727335e61833072dda080e1a768e89b5b9661b2b4e7a493cf2e22f5ec35f43c1454742bc87579262b37f6e45354cf11

Download Submit
memory/412-198-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/412-624-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1060-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1060-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1060-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1060-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1152-139-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1152-260-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1348-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1348-45-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/1348-39-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/1348-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1348-59-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/1428-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1428-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1428-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1992-90-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1992-209-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1992-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2052-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2052-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2372-80-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2372-85-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2372-87-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2372-83-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2372-74-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2544-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2544-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2572-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2680-615-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2680-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2848-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2848-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3224-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3224-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3224-21-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3224-20-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3240-114-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3240-236-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3688-441-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3688-8-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/3688-89-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3688-0-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3688-2-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/3708-111-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3708-224-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3840-631-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3840-270-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3912-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3912-248-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3964-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3964-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3964-26-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3964-128-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4596-170-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4596-414-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4636-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4636-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4684-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4684-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4684-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4900-622-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4900-195-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download