7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
Size

625KB
MD5

240cc53ae7ce6c07e09cf45ec9582782
SHA1

8b8492e84f05734b8babdaf120f89d7655c50d75
SHA256

7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513
SHA512

815d02f8d73b32e6845d6aa16c582f84d19362a1aaf9d4235fd0073738765f315afb069ae84f0ab5e05584c0215a447c2ba45db3d6db0931e7914609677ffada
SSDEEP

12288:22Q6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:TQ6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1808	alg.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
4536	fxssvc.exe
2220	elevation_service.exe
4980	elevation_service.exe
4372	maintenanceservice.exe
3340	msdtc.exe
1048	OSE.EXE
2160	PerceptionSimulationService.exe
2420	perfhost.exe
4564	locator.exe
4468	SensorDataService.exe
3464	snmptrap.exe
860	spectrum.exe
1996	ssh-agent.exe
1940	TieringEngineService.exe
4044	AgentService.exe
1780	vds.exe
904	vssvc.exe
4120	wbengine.exe
2440	WmiApSrv.exe
1544	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4a6730c5293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\System32\vds.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\locator.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb007e8769adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f97168869adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003863808769adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5ec898769adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065a4a58869adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fbe1d8869adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe
2668	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	940	7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
Token: SeAuditPrivilege	4536	fxssvc.exe
Token: SeRestorePrivilege	1940	TieringEngineService.exe
Token: SeManageVolumePrivilege	1940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4044	AgentService.exe
Token: SeBackupPrivilege	904	vssvc.exe
Token: SeRestorePrivilege	904	vssvc.exe
Token: SeAuditPrivilege	904	vssvc.exe
Token: SeBackupPrivilege	4120	wbengine.exe
Token: SeRestorePrivilege	4120	wbengine.exe
Token: SeSecurityPrivilege	4120	wbengine.exe
Token: 33	1544	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1544	SearchIndexer.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeDebugPrivilege	2668	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1488	1544	SearchIndexer.exe	114
PID 1544 wrote to memory of 1488	1544	SearchIndexer.exe	114
PID 1544 wrote to memory of 3268	1544	SearchIndexer.exe	115
PID 1544 wrote to memory of 3268	1544	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe
"C:\Users\Admin\AppData\Local\Temp\7b8f36bc7d193df3c71f57b41a7ffb3f0120f30552fe5e6cd3fa64fd5f074513.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1880

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1488
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9a3aaa74e41bcd66c057fe7cfbd2d5d4

SHA1
83e86784aa827cecb061fe30c29eb9153ce5ac93

SHA256
151444279065f8f9c76f8d5e9274acd2d5e6f60f888c59567349df54931a23a9

SHA512
fae1908e81e3e8ac69cd7e31316aad27fe0d315013b0d7e2ec74079487631fca9f5fd40ff9f18a87e677d615808792db823b62c01bbddc897021f2e0a2a16cb1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
52442f5ea0d1818aa9e046947a673c31

SHA1
a53a005147ee4413fc96d6030b457fe079a3cade

SHA256
ed2a4aaff7eb4182426b935b9635b9d7169f89f550e5941deedff8dbff91ad0c

SHA512
b8776a2d93febbca67fe78fb3525eb14e935be9e673b6b653fad3fda39abc5eb19c55b9ad1b8e2d1dc92bceaa5b00ab08ede167860a59b85c12945b45be2c9ca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b166096d58e0da8c836dca6c7c3bb180

SHA1
b9935de9505a32f9d43fba983ae8f7530a88a1f3

SHA256
ea99c60d4b245716a79ef6702e993c38887b6fac968a1caf107ee05aba7a5e5e

SHA512
b2e547a7f2240a81a5ae53d1bbb52b3dfbaddc441943e648b0088de566eee08455577e2f775d6af37e872daf13b1bbdf62b25d401108dfad35e078c1b98fc0c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59df113c78961efbf3170f2e22809d29

SHA1
76a7a7976b447d6655240836dae0975be74ca6b0

SHA256
1b00c070e39b415cbe51a67679c23fcd638d53aea7722599a219d4ef5deaa06a

SHA512
65ac18661ed37ddb6465f44c66c8482baa4c21b78e65238cb7e0ec7224667440e2e25271669edf8224d3922067a8f7805abf5a465fb1348bd649db0be0e48032

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a2d83ee6761e96221258822fdb979c81

SHA1
f592337120ffa9b2d4a7907cd5146349b4ca6eda

SHA256
3aa7e9e06e8cdb320bab0cd17fc9095d3fa2ae2483de8e32bce1a3966c178fac

SHA512
f63e2fe154d39d6a70f737ad0403a421db367c5a5bbd56871313cb78a292555c1d25b32e7fa59d03678a4619886449c0189c589071d64c610ab06c447dd3844e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e2a3e8cf261990b75995e67e8036b341

SHA1
21e33c93d3d8489033af9aba09513672a22d3e7c

SHA256
87bad5af0b37282598a67ec921466f086e31ea423b1465dd170e700d25536011

SHA512
fe1474f0f9460f9ae103721a07f9ca0e6f5a6b94fa8063e187b6a468b795871fd41f46c0690a52a8cb9e048690f294bae22e757666d48f19b37ffcb94fa21293

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fbfee86784dbebbfcdac4a2ec1f73ce5

SHA1
2815d810970e1d170e5279fe24c067c456054d92

SHA256
eb72e50ad0e007da632067202358fb107bb71983f4379f68b4df0d934c10e9b3

SHA512
13de0f52c51a0d0e10b6d7276a9e0359fe8394e27c2ddef8ea9e92fbdc41ab614473901f51cd2d7f631446156531c439c3484b54d8d92b8c75f29574f084c2af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a4de7e43a738012b1f1bae6f1f6aa7d4

SHA1
0e6a1a1b2cc3a60b8e95b37bd4e395d0711013cb

SHA256
531abde77f30b4300085aeab1b87e928151555d69c1b9f4b29e64fe8161d7d97

SHA512
24801a7239be0c3782491b5516b554ff0ca27ad77cd80ab511a37b7f292086d72cc87bd62c8d93d39e0a5f2f3e40aaccaac9639fae52864394ce0ec4696e9a7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f86bce9dd1143feeccc19305553a8c9c

SHA1
09845adde08f6e432b6ef1d0f9d1777e1b9c4c48

SHA256
2a2787311a2466cdc404065daf91f6709fa7ec74e1e44b793ea38b687822cdf5

SHA512
7cfb0a7bdd53b7c2b2154d034203e42f712ba1283017496817b6be62e4e1615726c7001446ab568fe0a856a845be4fe8b291cfc85f36d12d323bd11de34fb626

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7129f25697a16ddd72afea7cfae6dc46

SHA1
cc672886663c2fcc4982ca9ba581d6c3f0d524a0

SHA256
18ffd78a56b027c027b1257047fd691277be1c80a7cb5f1f6216d02ea0f7c5d8

SHA512
5141e9ebe0029a1a78eb235903e9860de2822c42dde201425e6cde7242b2a53122a8312845ccc1cc4be8e665aa963266d923ae6145b14d3f0f6761713252ca9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a29f81a525c03faa6ce31934d3deb181

SHA1
f0fa76003fb10a40281b9e3217cba49c737116bc

SHA256
456a1d599802ce88ac8cf18e111df30b381066d64dc0920c05f8101ff8c3653c

SHA512
44f31784093e20dfea9f85a04ab2d1ade1139afbddc7623e22ab92b0d490b0251e165f7a7d5f19d50606d71b7fcf35aeba3b41fa52f71ad420b4ad70fc94f40a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f5175c5754b7100dc5ed62ebe587328e

SHA1
fbc74767c81783acdb0cce02878c41b7c31f6443

SHA256
fde34def9f6044f038a0ac9e3013457e71051e25896902e241f2204e65a8422d

SHA512
19882901c337f9770a67432a57145c5bdfc86552c159f2b18653535fb482dff4608297b80cc705cbced5b619f3adbba9bfa9baed2b623060c0683d49476cdfe6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1ba2a4a2f3d0ea68c85e77d26b3b35e7

SHA1
0cc1ebfc33e0185f95549e75a3280299d76081d5

SHA256
b54297d2585c4fbe06557883e84bf665ffa203f1d5630945debce33361b1ab23

SHA512
28524a1ad63a09117932efe33e037706f0206969bd36d463b7bfa42a984b57d40643595171c445e28add90b54d6653d9cd4e53391d751ac1459973c8b4b9ffb3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e0341f4788a72e5fe1d217f969181e49

SHA1
7c324ee354caca3accfac58333290658cbffcb7c

SHA256
d716b7dac5fefaf86b1c51a31ae99426a1d2c0ff0af8c134efdd972c4f6f7b6f

SHA512
d7e35fcdcd37f55b82f2a89402eb5cf17d7b3cd86c57fe76c4fae14be8081b99b75df29162e2e443c49e41eed5448b9841ddc5f8ce7c00fa980178cfccab749f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
15dcf7663380c46f03beff675a8e168b

SHA1
e4af06c49fb2caebb0eaac2bf2a927b83107d296

SHA256
c68ea0ee02b66c1c2b04deaf995afa78c557718710e7738f46faf16e0a234434

SHA512
9bcb3959b1ba26282d4bbef9e0102d99be501c64dcd9041f6ace3e20e4b235708aa5d7e8f95841e3045d230323273d94fe51dd33a734099ff0bb6bfd485f52bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1373f479f9fb05fab8671436f55d3d3a

SHA1
49b6a7202fbba912a7937a0ee555a382025060a0

SHA256
4fa92debc9b7bedfa1aebd283b72fa60f72b6c166e497b7bc647c05d454a7a3a

SHA512
b2ee3f70b2153e9cd5073383770ed2301b6a2baf71bd4e558a3ff6263e6bd8210e902bf015620baaf53b7e327144320998bfb591a3ae0da566a1e0117ea0d658

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
017b0b960c489e0ab119d418187ad00f

SHA1
804c1e0aa7697e6949aad811812a3bc495465084

SHA256
72daaac5bfe1cd62dcff50589e94e5a9028c377b598ce4731943763197572287

SHA512
dbeaf0dd79eab22a9c7f723247bb24a4be8559f05bc5359e5235136747b8c3db86f8e6c6de3bc8971fa461ee154ae9868ba0d5174c564ec3fbeaafed5eb4df29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
245fe206a54cb24df778370eab62b0e1

SHA1
19f944e3b2074601d6273125e702753ed8ec05ce

SHA256
b870d74849690d3e0f154023958c816cffa7c1dc2098c3969baac8c962fa3258

SHA512
cf27f0302a52b6ce80c338a7798eaeae5b6346f67bf01db02f9b332962ca948929df294c7992ab464824849d3ba98303faac9e9a77252e99ba74743ab9b5f75d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1aadfcdad6ccd7b64567449cef45afa4

SHA1
e31d6a98230d3863cb8b2b77b36e07919bad9e74

SHA256
3222e0b025eaa4af85e1d27f5ab2b0d21d1d4ed308fc7b5b853cca94452d8e9c

SHA512
41a6ad9c30920bddd83b6506bf78d54bdebaed6d4a6e3be045afa70413ac0f37ce6e1ef2a46971d0b6812e6e70e9de1f62b3f52dbf86edb84c0f168031f3df8d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8897f97bde3c19dc81d8db97e32893e0

SHA1
527ce8ec97a74e7562365647396d092db5d769af

SHA256
98b614d97b9400492cc08e796fed6419101fe767efa8a99d6c8b1f635457f8fb

SHA512
019f26258406ee4b3c21d0c0dbbe5b7a653e75c29f54a1c6c7a4d0aeac4c14af29d25c61af5028979cc21c1ea63bc5e57b007d1437c797a2cf80f5a7b706d092

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
16e76cdad7b0866a9a9e8ab5e7d6b8c5

SHA1
85480d97eadb91e5d20f566deba47d1a2743a9b3

SHA256
a38cb7108ad8b6434ca91e9cd1097cd83d8f4a76b8e19c43a1b63054d671ae26

SHA512
2558f9f3598fee0240c40db03bd5000252c6eec04ee6938eb2b3ce5f3996cdb38abc1ada156c779c37af68144918506c3e58c2c5162bb45ddcfa8f5195fed1b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a2d2e15bd5f7ad25c75e714867eeddec

SHA1
759192868eb9f2dd7e6199c3ad261ebd104bcd97

SHA256
bdeda7b0612ded005ece3aeede352548b4f1629e00c271ae4a6c4615992cafbd

SHA512
216d8116ce990042fadf0d465350271ae60d69d6ab30f5b985893bf2298b4cbdbaa150862f7401b042cd1446ae6052a0ea5ae6a28338550bd0a1b9afe1cc2476

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0664d6e7e7aa30926b4e3fffd6506071

SHA1
29d09347d7df6588696a528fb060f99329c19b84

SHA256
62bee443bf3c55c79ab38260674ba0d8ad21cfe89fed2b40d75f9a4952abf265

SHA512
3920627695034aee13b6054049c44cd48db3b19a73028d341dd03cc409e7c1bbb80c225defc1a343f0770a60d11c9d69c9a4ce75bb9c8cfeb8e2416eb51ae90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5bb63a2ec52a54441e5f57db3bcf175a

SHA1
19c05554397772f4092dfbdebaaded9864860121

SHA256
8aacae37316b9ac8bd1603a91672073e5f677ac85b545ea9167578d27161f5c9

SHA512
98d8cf8d0b5c5b2860311e18eb4cf3a0b0f251c5d77f28a0d0321ae2aac4b4c5b6335e08c64aeb76b466031e6887c2f6d7abe48f46eac1ac769f34969856c119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a3fe3a34f7482b92fe48d208d01b0f60

SHA1
3e33ab6ce5aa912567105cb4eb30058a9879bccd

SHA256
53fcece844e46daa8a63859d908ea2b1f1ede66663bf21de09827a2ab2c0af4f

SHA512
246463bfa4cb4e693ed45ad92c5d1911646a9fed405cd859cc51123e28871b3dfa5832bb3b648ad28d6df51247f9e9194db08a098605a5e2657cb0f4c97add11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8b08cf3b962b7c45eeedb826eb5ace1a

SHA1
51273630476986db13838048a24d3344208a7cf8

SHA256
40f4e2e8ee3a01de7c4e2dffe1e3fc8341dbe0dd8dafcd435cfe834565f89875

SHA512
a88ded0f8891f7a2d53d5791dda4e476b5ca3f78818c84567610ccbd79724d78abfb14ca59d4c11195f759cb8f99006aff77aaefde97df15c01cdf8c7be3fd78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f1ec5080b0a81e340f9a2e049b17a7dc

SHA1
87a576b8ce0ba5927caa07797ce81e1dd23517f3

SHA256
9d44aaa8e82ec4f02d7623650caf812213e1269b668d6df6b4f7104df2821297

SHA512
9a1e116dd2316e425cb9b699b85058a8db430a2ff23ed8eee0d571d3155abca4c46b73a0b14b6f8a87f3cb3ea585a7351e672e2c18a3631486610fcb67dc6d40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b2611852069855a63dfa49593b040e56

SHA1
2b2288280c970d5e6e23106a07dbdc5c3d437b49

SHA256
b368661c49b36c1b4a9168c656913e020a60f626a9f7af0bf56ca7c42a8abd63

SHA512
3ac9d6d4240e75e7d32e18a1c700fdc55ee79668efd797e749499fcae15c617da9ce927a06ea653eac881b848ad3eafccd7ae0f5ce003ae2eedfb2f7717e00e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7f6d92c728ee97af3c4d81c544a3a0ce

SHA1
1f06f2eec350099585887f5ca5039381582b6489

SHA256
76c4cfe94f957783f39de02fdb8955e744b31075919a0f70e0c6ba821ace2d1a

SHA512
4978b200251f603756f21477086d1bea43ba1e562069286cd2dda372d7c7073a371d8e60773738a14026d3964ac3f50da69684075826e55588b39debdc228128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e326625eab5374e79198537b9bac1f4a

SHA1
ce93fc9c7643eaccef09a79ac1c9db05edd971fb

SHA256
ce2775d42bbbf032a763fe12408555225157862fb381085b5aa5d7e6d44fc9f1

SHA512
9964efd385f62ff220791a1015a12f9e38c4332c94ab7b538ef88f14c5a10bdd83beba8f1d14c30469c88da7767c0c944a07dbfc46680eab81031d51516b991b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5994ca7861f58ccfb3fb6dc260e538f1

SHA1
525cf5fdcec6ed0c41b82703bb55c9b9586a27c0

SHA256
3ec1d407b8a983c3d0d9041e7885d7aa8a14ad30a2b45d2022077ef85decf450

SHA512
2a9915229ce4af94189aa22a91d86dd8b9ada220cf3557cc0d48fd928d51e01b554f9080dae12be3db4d86338fa35ae6dbec8c998d365bef20df4bf6d766cbe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0ef5258cf6c601770ab94e0d90b17014

SHA1
2bad82c0896ebe58568a99510d138b3478f063fe

SHA256
a2fb75a298d188d4a49603b8ae5c63632dcb17ab8d70da1eedbf69e4319b47b4

SHA512
e68019941e88476414a7771336a423fb3df96d37785f88e0cf4ce085a02d62314d49e542da90e4f601072d196d778263a5749819cd9fbbb245f98f3d736a6042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9bcd8b09b1dbb93c6c3ce34e0495304a

SHA1
c6682914559b6c2dd5c502260fd5136899d48cd7

SHA256
5b37354a8a01ce7b0bf80838cbfa25e5114c91a6ee5d045bd8a95a61797e4dbf

SHA512
17972b81f55245fc0d102b7aa2e5e390863132bd1ba9d723d9299d965a314c6ba2ba8c1793f10a6b8372bb1b8cf57799b198e42c1e98a23e14c140f1063b339d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
986401c4c5354cd5d6788a3343bae6a8

SHA1
66a1e395e1cdfde52cf695e3cdf70828abcf2262

SHA256
2335b03b64f7c12d42631f79ea9d3e6a563adebb2bac54ccdcedd9b3714257a9

SHA512
01b2ad304eb74d249f95f36594154f2d08f9013e25f693b08d45b3d64c7ac8faf2e7f8c2e1ce4050686bb3d697230cbba57c9db0ce07f85feb1d2b19af08c4db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
29bd8092d5b3f020b2f83f2ffc1973f8

SHA1
845a59490b28a469d910abd13524d54a701c1648

SHA256
92b85f7a660962274ae94ee7c7725e0bfe8d77d56edc9433b3d119f550a1aec0

SHA512
757260c588310a9cd5d24014b1272665ab0538171c2796260ae78abff60c21d5526bee41c6e1d0d5fb53e285f1016edd8d75c37af021de6770e4d11313099672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dccfa4996ffa2ca3edfee2bbb14393ec

SHA1
4bbb21f66a5522632eef0d07b6eeb198546abcf6

SHA256
d85b49ab0d636ad3748be6b46590e5ceee6a938f29e0755c3aef325bf84dff6a

SHA512
7bc0414ce1c311f449616faf73d52638fdb382b3468d777864f38e741b0ddb1eff15e4d946c8b5747d51109a510c5ce0a68d8b5c7423beeb158eafefa8a7c9ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a7dc3192a9ad99f83d3113b6b14d4942

SHA1
2983895c990e654e3beb40b05d6e5c0d6839eccb

SHA256
cee04ca87992414e75eaea9d47db92b968dfcc37ce5c57b3a7895d25f04f4c17

SHA512
edfff64166b563bc6d023ebc3bafe8138a290ff1d6322b897820e48052b1c075bed8e3f80f2da8a331fdbbdb729056c5732daac8579b0b4f29b437919a239b80

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5cbf23afcaaf35a7ddadf54f6c27f504

SHA1
09a5f0d99432c78054b8ca84ea1bd6c68e28a010

SHA256
0f0005bceb1a289c0d1ceccb4ebfe6878784feeef6dc59b5c2962a320174734b

SHA512
9c2ef512954a0915f04f5eb6992044070be55b9b42ddbdfd7e424f9143b37a3fa136afae9aeca96e6315e3a068529df6c5aba564dc4a97b90859ea217363e887

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
12b69097673ad9c7bc8254b228820c8d

SHA1
8e7c18a607fd26908ca7c928f3788090eb1088cd

SHA256
ad17a732778b368ccb48142ceb83fe4275380fe909ebd9839aee0c5f0ed5dcc9

SHA512
747b2b4ac91f5a107179c4a3113b9b03d2310d27241915c3f33262331aea69ce3b0378f8d26b47065086f4ad7c0adfb5dd1335f37b24005092197c79c470a926

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e0740191bc428433e8b8e60b21ff7e2f

SHA1
5565844fca51c6ffc455b38a835a629d902c86f2

SHA256
a39308d02d14b6d333de731b3af74bccb66f5d31fb9c1bba2bf88204fbdbe7b9

SHA512
c7bdbafd3031bff28d0bd0199a3ea7ef2852332acbc3bfe40c73a7f500d3f917d8677aa53728526ba34b88f7a6a1afff4d0670bf7800da735921876feaad4896

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7d3354033a6eeef2ef17c35f1d145d04

SHA1
074a53e8ea1bdf0a4767a7add52ff26ee85d101d

SHA256
d801233817eb32426c2d7a25ec3c18eb984c38f711b592101590b196167319f2

SHA512
1d81e246110069314e3e6b63ff2d00a3b589efb6f506de441b77c99c68a3c5856b9f2d9eb8edd5915c35fdcd19d46140aef6fb8200d7d28b52fd76518a8ebcdb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
db54ae06d6a6ab5733b93b9e82af023c

SHA1
f7400c4d37a28eb68623fdb5d97370399f09e154

SHA256
25e911c6fc810cf3114000e601357be8db3394cccc4af8f34563d60ef2fc70ca

SHA512
e29303cd71e7b23a3d7c091c707982d583962055574fab6a6d516141c6d59641b44f2a5177a166671b822444e12c47c832e219c3df006a94b2f84f225ef2fd87

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5c74728735f3c414c1ebe29c4191e76a

SHA1
cbcebca787fdabbad7894ae6e912e9a29107fd78

SHA256
a965333a7ed11c7af9dd1462afd31337763762aab5286d35c3303c342aa74184

SHA512
fc96dfa9d683ecb0941c373ee2ff191f2f2a8ee5c513ca42f794eedd08dbdb53f916fb164ab062db47f0a101e2e23e9ad8b4071dc67474427192c270f6d01d4a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
764da14927488ded9f523351f9ecbc6b

SHA1
41fbfd14bcf5dddd320c3860f1a63bfe62d4870d

SHA256
63a8f8b7c1893737e184fa13ef98c6354901b4aa553d8e325689582aad75d067

SHA512
443f411ae67c230f12fb0b52f05e0b641d5c0b35a39f017899623ab4e15fa7715125413b37fcec5e7c4e102c3af49cc55d2400b1db79c120caa164e23e059191

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ffceaaedc9709ec62114cb0e7b4811e8

SHA1
bc738af878ee106b858c8b6593403b89ada49cb9

SHA256
6cc639dd98deb51677b60d4aeaa778f81e91370976fafd51a1a09d5c02301cf5

SHA512
c91f9ad2824d7c2a9bc51441ba0908a06c3d0c6aa8da85a0e013beac2f7bc4111e61500caf5dbe586cb0e1be8673786322131e3cfd231c9d8047c4c775869d24

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a81c432e32af694e501db45c422d85ce

SHA1
1427a9ceba7e28a66af0ba21e05117892ab827e8

SHA256
36761fcd080ebcb22eaf1489fad43f066026f8e03e712e871cf8fbbe78142672

SHA512
4a13a51788b9f200b5c7668b1fb4ef93f1c259f581384725963a2adf80c7d18839aa273a2660789f11593322d48eaac39999ff414b5423c566940b36e4acf61e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
41f1eab17d112d3999a737c3c3b773ec

SHA1
3ced867d2798405cc5322373d4324bf52e6cd163

SHA256
e0fa01474c760fb24b5a973dae6590a7d09027f0b0fb15726c12657fd375f720

SHA512
0c0a0dd9bf5655b15b0238306affd31bc9bd2bc60b9015db34e844a91a07ba415666d4d11d333679a341197acfdb4193ba54bc8669ff374f279361cd9651c6bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2d7a77ea7ede5183a4ee997eeb7ceb74

SHA1
4c6f8299e5f822ae58d1f7d89a37db5c6c123cb8

SHA256
6b454b4c4e23474ce01024c269b43c1431850e4af5b1f818ccfbb85b9959b6c8

SHA512
71586f6afbba2808fcc390f9fec79f147a08f5eacf7950dc4a04de8fb53ba80f11f7871f64d64b2221ea1e78c32fbc9892fc8609317bb0e24e924faba098d520

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
09dc1c610d43ca11f9326f11027629e7

SHA1
adde28163bb40984b797ac7c07a69af4dd9db248

SHA256
421a26e6373b3b750dd4a5cb389737b5d51c6fc0eb493c80a3ffec7f2d10a393

SHA512
4621e88b74b586e5bf918c48ea9d171ed39be40b9d0082edc5bd9e0534fc46b07064f98558a33b3d043bf57651b4403f523fd9016eee48ffa7c18867b1305375

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4fa9ee90fa37cafadfdacb6c3dddfd91

SHA1
b72048606f8d36cd07645c62616a205b0c23f0d3

SHA256
e46bf649c6de3fffa37c5da51ed56d4ba486c7640240cf19ef9691424c6a51f2

SHA512
f31bc9daea7f9c7250cbd0e674d209cd96f6911193ea21afc10546cf8ff33c7ab3e01549d8034b7b8aa8deb1873f8163de54a4fad0a1e0a01b1526c4df8e9f56

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d058b8f3ab518115a2aa3d585bf2bd6c

SHA1
1f32f2c9dc2f8f0112f51dc79b0fe04ae9a5f3ed

SHA256
9584e665b74f92002036e6b435f883098c87a0a4d5be4cdbe86d3c1ffc57306b

SHA512
329b1b7127ab21d4208f4e3b71dbdcc5ebf6be1823321b4a1dc9244f4202ade360fdb30011ca18fa33320135fd0bf4380fa6908fad4e8a50fa7ffc8b53cdc8ff

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f81ba18588b1ea7f76bce88247182a2a

SHA1
f9ed6249dc342b229bca68f2beade9b3d2c1bab0

SHA256
80098732aae1d225bad9f8a20caae39c229c9b3bf3a9021a20cb5afe0f6846a5

SHA512
6abc7d5aa55ae9babff6423f48727acdb5bba084a2bbe828d99128710d1ed7bd9d36f4e34d5a099bdabf607bda42bedc1418d69f90dc0a786de45a917405ab24

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7bb8b87f4b8aacbaf631b7255402f6da

SHA1
afba40e968d46e96a4b27a8194f596ee603aac6e

SHA256
c70236707dd98a9fe69bde89082fba7fa24420832a7d5ad179556a8a12028df8

SHA512
62b6c9e64295182d41c34607df56ddeae0a5bb5b7f41433eb3aeed856865a44ce9c5a4a6808a1420a19d6a0101cf33a4227803ee74e5f5aa5b027709242ae5f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
402a3f88fc66a600d0bb6ee01df5bfa2

SHA1
33f2e53b0f86a1fd8b774832c3ae42648688a1a1

SHA256
990af42cb8d51418ed9fdab11ee9647fe41fd2f5bf7d782cd483de15322e7cc9

SHA512
f627d9c3eafe4229af3f9835421e1e00912d103194ad51a2f2915274e91516a59f456c72ee092841e0909beb4d3645a4073c72ef3059de56269a5d6c92cbd340

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35bd540dc3f7bf9dac89884e9df9b4b1

SHA1
643cc7ae21d6b687a702df5e570eabb73fe7b7c9

SHA256
6c67def5d4bd8454fbaf1193faefe508f26d768a567473e20a8205de512b7928

SHA512
1d7a3857bec3cace94c4d1bf1ccdd7603af05c1cf64a329f1c1bfba6f565d878994e8ee939ea0c31139d730edbe52ef1f4351277701fa5a625b6d2a30b2a51e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9e68ca1c332a452a7c5300a2c6e1177a

SHA1
06be51338728bca29b392d884979f7ec12de8b8e

SHA256
4a7ccf5591e882be67777e32c44ec298a82ecf27d26d07ce48a1220becbb8d12

SHA512
2d2f1570f0bb38367c4de8581945d6855f90a5438c1bdff4a4ac6312a093b1429eb66d832e04ba64deb2777c94d9ef81ec25cd5913a37addea4e9d3602c51ac9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f585d38a778a6500d25def66d03e7482

SHA1
a2129e0bdcfb8d67769f3e7b8a5f83b98f445045

SHA256
b35612e09b7b2858c4da4bfac101b2aa80d344f743202b63c7a817abaf449e48

SHA512
6502fd3c17b6cebb7d28c50f178ca6f4d47666cd065818e4b830300d5be05e7eb28dd499a1264b33249df4a328b1c93cde484549d2ce399500ec92818fe2d6b6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
579d3c625dcb589a1bdeac06410223ae

SHA1
dcfd5bc180dffda0668b55c46266c0364034086f

SHA256
eac6f50d7ca948a026a10fc146a7dfe0a018153a19f5c9951a63d147023a5756

SHA512
e41eb7756370ea0238e8f342db046d7ded37382618c420b1f6ee98c636b5498aa81d90c34a80b9a83ee05111312c2588772d5557e976669934121a8f9954af2a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a54f788f0f53ef6364ea7b485db44d8b

SHA1
893e0786006185e4dda78823c259543862d27609

SHA256
6dcabdf2c4f25ed412c0392328316e509475604e6255640197186f815d8c8964

SHA512
22f44ac1c96b53663296f133f846e561321ec792ebf37aac6e1d2942a2e2e09bcf5c974b733e6edf550c7a1b5c30fe5f2fe247d40990f43f5ae4a267769f0290

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f44fb3207200d2c7e873f083080b3371

SHA1
767622ce67799ac70e776b5a6bb2b00a54d0c80d

SHA256
98cd5e6c597dea07c9edd03475a14224d3585b743bd2884e4a627228abd6d05f

SHA512
92762c92458c6b6b7255f132e2264f5e85a3ae865881ba8fc715e720da138cf135cee3abeec30faf759c045775f28b8b70080fc64277c23b635b87b35e08b968

Download Submit
memory/860-540-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/860-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/904-572-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/904-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/940-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/940-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/940-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/940-6-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/940-447-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1048-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1048-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1544-578-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1544-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1780-571-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1780-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1808-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1808-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1808-12-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1808-18-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1940-188-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1940-570-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1996-568-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1996-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2160-232-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2160-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2220-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2220-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2220-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2220-54-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2420-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2420-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2440-577-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2440-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2668-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2668-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2668-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3340-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3340-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3340-199-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3464-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3464-428-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4044-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4044-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4120-576-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4120-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4372-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4372-83-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4372-79-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4372-73-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4372-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4468-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-544-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4536-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4536-43-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4536-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4536-57-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4564-129-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4564-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4980-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4980-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4980-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4980-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download