f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
Size

5.8MB
MD5

6ee912adc59782dfdda3df60e9d8c259
SHA1

2e82ec896027481a2cfeda6905b043eadc51bdba
SHA256

f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4
SHA512

ee1e385a6fae444dba111d77c4578b4e011dc19d9ac6517b0680c6a2105681630fd15caf359fba7c02a495b20a06e1544d7b59ee3d7da6b204a387fa827ab278
SSDEEP

98304:ONDwSlUk9KPsUxfAdNmTVi+qkPZKOBuyaoY7cjGhkk:O1Uk9KmdNmTsOBuyaopjGik

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2672	alg.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
1628	fxssvc.exe
4112	elevation_service.exe
784	elevation_service.exe
2652	maintenanceservice.exe
2196	msdtc.exe
4076	OSE.EXE
1756	PerceptionSimulationService.exe
3444	perfhost.exe
3188	locator.exe
4972	SensorDataService.exe
400	snmptrap.exe
1508	spectrum.exe
4432	ssh-agent.exe
4156	TieringEngineService.exe
1544	AgentService.exe
3816	vds.exe
1916	vssvc.exe
1664	wbengine.exe
1880	WmiApSrv.exe
3904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f039c1261ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\locator.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	1852	WerFault.exe	86

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085f5fe6568aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005261746768aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c11df6668aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004017636668aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a0ed46d68aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004017636668aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2a40f6668aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cf31d6668aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000122e196668aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb3c896668aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7f5df6568aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
Token: SeAuditPrivilege	1628	fxssvc.exe
Token: SeRestorePrivilege	4156	TieringEngineService.exe
Token: SeManageVolumePrivilege	4156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1544	AgentService.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe
Token: SeBackupPrivilege	1664	wbengine.exe
Token: SeRestorePrivilege	1664	wbengine.exe
Token: SeSecurityPrivilege	1664	wbengine.exe
Token: 33	3904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeDebugPrivilege	2672	alg.exe
Token: SeDebugPrivilege	2672	alg.exe
Token: SeDebugPrivilege	2672	alg.exe
Token: SeDebugPrivilege	2844	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1852	1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe	86
PID 1056 wrote to memory of 1852	1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe	86
PID 1056 wrote to memory of 1852	1056	f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe	86
PID 3904 wrote to memory of 4584	3904	SearchIndexer.exe	114
PID 3904 wrote to memory of 4584	3904	SearchIndexer.exe	114
PID 3904 wrote to memory of 4496	3904	SearchIndexer.exe	115
PID 3904 wrote to memory of 4496	3904	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
"C:\Users\Admin\AppData\Local\Temp\f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe
  "C:\Users\Admin\AppData\Local\Temp\f533452cbc575a086bcf2d778b21b27c0348bf6c8fd4183b87af3460ae59a5e4.exe" --type=collab-renderer --proc=1056
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1080
    3⤵
    - Program crash
    PID:4344

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1852 -ip 1852
1⤵
PID:3636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2248

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:784

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e8b531147c4f044ce09ee1bcba99fa50

SHA1
10f437a698114fe9c35aa12d2c9b2715d24b6fd5

SHA256
3104d13b1b87986c8552a8a6f088b3cc92437881ac2c9b13818bd5530a830de1

SHA512
667393a84b187c5224da45f984c2f47c06c4c42c345c46e7b337c37df04c06ac1e4199b01204994290370c7d1104ba83223ab803219920347fa92183999dc099

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9953494a60b56685a568b981c60344c7

SHA1
8a7a386306732a9876c31866176a4398f8754b88

SHA256
d2c0aa4260d3ea1abc43715a1732c41bed2f10e4b22cc46475437cf6419d2d12

SHA512
837621f51a62b688f35a86d3051c974dde28af4fc09324f7b1f57bb3d380c9321bddf247f0d0bec72b1b9944df42f9a41169429397f7170c34723e77e61fb2a2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
399bcfe0f280e79f5904186f521a72cb

SHA1
9d74f7c5c83afc9018643d646b4bc29dbcd2ec6d

SHA256
f640959ce84ad5399f316151257639ca6f662868e87594ca630d610f9c2c458e

SHA512
722ef063205a579871b6af240452bf0b47ce142ef59dc0c30cd927b849b9efd169163db5253e97a9ee4acbea2bc6bebfa2960a2ff5e9599923c5be7b17270a9c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
29b78f9feeb37b596d2ac5dd586ee95a

SHA1
41d702b5538e5b24746ef12f63435d629bcd14b8

SHA256
ed089ef13690abb0d46073d1cebcf43640d204828618dedbea06fe951b53d25b

SHA512
6b425ea1c7b8a7cf4fd9a61b5ae943e20c823b398ed7c3d3ed0c01ba609fdb94f30b7c24bfcf1d1a3ae9d05b1f3fd85b98005d9e9185ef4c3ab01791a49e084a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
75713c08bd17003096f99661bae0fa05

SHA1
9b06df011f54e18cb4774ba084cf18e8e8dcd620

SHA256
89c7278b7db3260ef019ba7edbfd9e3ca97073d669318713c3d3030fcee29af6

SHA512
c77f87cee4b77f0065e4f5166a7a85e479e47622b4acd4d5a0ed1b3d7a797b0e22987d87e76c62bc0d62fb76df36f75741962e2dcbfb4f70b16932fcecdbbd55

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e88431bf2a5f90e3e8f3e9b37b74959c

SHA1
d6af6de7bcf8c65d5031c7d46ac9e0a3da77c3b2

SHA256
647c837edf051885d5a09cf8f7b2707afef0f4a9b582e9ef71f35e088cf1fefe

SHA512
8ccae46edc32fede7327e1d478d55aa3791d75360924758ffd86b7a38861b0ce3993032e1e60046b2279278fb2b5523ca302a86dfd9c8d10f09a3ab84e920544

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
68bce9ecf8245fa817959dd030119a8c

SHA1
28b6c55992f47e9b0938a1adb375e2d9adece2fa

SHA256
ea7fcceda82e5a15e7f727a73bdeff98a1109d6a2df5e0d47556869dcfdb96aa

SHA512
2980424419fb72d40afa513154df71b0dcb8adca5985b9c5891092c81f2fff2da237cebe57f22f21b1bc63f93b79d82c187f6b2defda5a592a9fa59a8e9442d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1afadb800f6ef4f89d8bd3f81c04bf7f

SHA1
76b48f6cc1c7b04e1d1a87db6f22b00f2d5a9873

SHA256
f45ed187b2ae213401e9609af0ecdec171f4265ac5ef949be1f24b56732db098

SHA512
275785cf0d626dbdc859ef818c0cc25aecd0aea4da5542d786ff2b973f344de1d585ff3afbde8b16e3f12fbc34f088cacf24f48e36344481cf1432b018c33b62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
bcf0739243f4ecb4575cc100999a68d9

SHA1
438a5b5b62532b8a3310d73ebe299bc1061f0c84

SHA256
b7dfd3e5cfec6945ce5a9afc505891637e60c163df8e506686f2f95899dc8627

SHA512
a75905fb7521e5c4fe7ee913470f73f141ccbdb8ec34f5bcef6465c92470066a5c791aef8deed905b111db4cb6f941969e6a94c490cc69be89a36715e95f44db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3ba4b4dfd56afd1fa5e77e0727478ae3

SHA1
1c54852a25c62a78584f05163f03f91d54f2ad68

SHA256
a95bf66012ff2070bb9c0522570447368dc33eeed4a2b55bdf4063345fdee33e

SHA512
6f9313ff2e04744256d3dd0fec6ca80ebdfa3612b544754d49b052845f5acf156af6d9ea7455843bdad4f29d19ef8f6effd5844f32928422b7bb133808babd3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
eec28914de4c8dc9bfd888dd0392720b

SHA1
9bda4fe3cf78ae2479756f5774ab8b58ec00ac25

SHA256
64be217f4c673c3adfa7db60fac029055c35bdea345a8d510a83f439ea1fe775

SHA512
4eea87ed5ee029233c6863395f831fa8daa4d94a938014ccd598b06516e78c18d67b19581d85b2e8d498f1429ae7837f1bf7051766eedd61e107bcff5aa70deb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2d5fe0e3ed683edd92cbfad823be729a

SHA1
c39a14b07153e17318e46a2f188761fd53cf2478

SHA256
7999888c4d014615bc12c5190f879fec0ef0505580b2406d00f253e02ded0511

SHA512
a20edba02da5ed60083ec92b0c8766fd3caa30a46057b684f710d4b727e0fa9ea6cb2712051ca1d22d1d719709bb6d02ab00924935eb89eae06c32bc015fddc0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2435b14257d6dfb0165cea9d7878597d

SHA1
498bafd308d5ff3a84d4772d04e2a0970303d93f

SHA256
ad36611cd6ef609f61a10b01455bcf515367f49c061fb6250d3e25887943e28b

SHA512
914271da1c520d28da68203324f8c31b064d5ec47dc93adc2d6129d90bc3e7af37ccbeee52a5e6c10529a4e442ebecacad11c12c2f3b493c13bdcd9bf709a44a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f2fb96637bc1a8d2658c45cc54a0ee75

SHA1
8d56815eb5a4dfe024f6eb4d6c7c81781de7ab1e

SHA256
ff40657c716db30174431a7533aebda07cd974a70adbf554c5111242eab29445

SHA512
cee7707392dbf7213f33c9de3a11f59e92b12c02a7df28f46702a39b6f50b293be0640f448e453ef0b6f829a8fbe361aa50a7839ba7e3fe3507ccbfd74bdd2bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4daaf364b252c5a2a2d06ce3652d3e53

SHA1
30b7dcd09a92e28eb1c23368a99fbc93f05554cd

SHA256
ac3e65502003f488175930e7ebc7e2a5671127565d4883b464c02501e5067559

SHA512
558411b16f362f068fbebd38e14d66f76d4e117e46dd925af07a218111ba6c9fd180cd1a326c1ee60dbaab3e60f20d003ab3218d34656d47861a17176b583ce6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a2f5a85f7a01c2df885416ba599bb623

SHA1
72b60e0cc5ff20a3c9feed75e7a99d7d45a32753

SHA256
e0fa632576f022dff36cd6c3bd561c22ee04e97695e753310e8342a93e24eb9e

SHA512
9e0ca682b37c59d5188cc02874d53ba2d634f331b49ab06c0f64e5ae3326c09460d674449cb68ca75a8f11b02dbd0ef737d14653fa28b4c9832b9d95fc9e514a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0cb3d0c1f0dcd0b5066b0a39a9170373

SHA1
1e7c18970ad165bac52f0f5d580bfc1983069a95

SHA256
b4bb6130b5bc5aa7f7511efa7e7b596d4551b4e3cf338958a8e7736dec7ea2a3

SHA512
5067fdaab401083341e5fcd25a559514484957739c123a0936740d5d38a6a1c40ddfa28478e57add25f00420d076262c286575c1d6d5a813a2c143bee0567ed1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3b2d2177fc4dc09d996c4c8aa6440eaf

SHA1
edea14974cdf777d2269da8af59bb5a0ee6e4848

SHA256
89e2e7e1f7e50fcadefe845768bcb4ec1dd03a90c0e0d630761959a6c8a75ee5

SHA512
b317557b290b9401c0cdab51b7a0f623b021c7f88265051d279ce2818c5a28da389053b90ed0a81c3395d8b715836db25571ed1f81feb9c9b03ce34a1ca21298

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
24f206b2f010cc2b1d8b2440805b336b

SHA1
8ef84085a7df6c689fc6a883a970eda80816af6c

SHA256
55ee57f9ec79547254ee736611de6afad7f97cf9e17e57df600902e516b27f93

SHA512
4876b8712b6238a1fb30acf4565681ee748b44f3f1f3a548d2ae2afa2bfc32f3f38003dffd820021df884fa2069c7fac6eca9142aa3b940120d306b88c5b3842

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
89cc670c191f8caaceb879ceb1a84160

SHA1
878426799614738c94033717f46f8618ef0179f5

SHA256
66b3f240b10240da57a9bc4e08b01375beee599748408ec1ab18ac52e88e5143

SHA512
caf9dbcc3c3a3b64b1e5d8d16836bf74fbd4ca686597a4309d63cf660d6c8ed71ae24c16db88b49cfdca615bb3246a1ef6caebd8ccd1c41423021753ae957cda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
36325d339ce6d0a1da8d0808b68726fd

SHA1
9c7a3cdb7699315295767414dfa84e8b3f853f4c

SHA256
6d760afb6a05659b8a14614b58490daeee15e2ac4e5afc713ba72f49370310e9

SHA512
b4a89b2737510abe050813196ab2f1ad8caf5406543ed0dad60a52909f928d4a1ca18e2d0ab62551beb7bf2871808316d437a36767e985f16d6032ce7fe53c17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2dab6a43ba4abac4903b60d368e0ac92

SHA1
ae2a3e03d351734d29c89c7f1caaa4c42761805d

SHA256
078d4630898bd694ab7789ffa31ccadbd0a7fd42898615f98b511e841382a264

SHA512
7b02df50d0ad8bc5e8f1a9ad167ceb4ab72cf0ee1f413da68249482e699ba5fffe2e5d5e3b992ac19ec33ed6367a8fe910d9f641b0d344a58550915343442317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9b3410978eea3e989a2e4987ec7652d2

SHA1
ebea3caa21ccf57caae0c1e86edfb1dcd1ac0ad2

SHA256
dd5f151d39fd19ff43f96bb57fdb369b89652fe94d1b3bedb7817919dd1a2cdc

SHA512
872f352a611e52c6a435d5932a10301a02ba7b3d621f506df0553ac4e1c291e37ea69dbd22fcbc4a2b9d4802c3afe815ec6e02b5e5fcc48d970696cfd8444ef1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
6832fc1801ee0b1d6a7dce41abf37346

SHA1
4ef1b88426695b803d5567b815e4f647596a8a47

SHA256
e0c30fa23e8f5d9e48e043afe3c129f41ead3f8d3ca17e7e203a28f0a1dc07f9

SHA512
45937b023627c409fa1d5eaf0d88f97b362ad928a139682868fefd893e6bc8915ebe6ebec68f66bf4e6ab4b3223cf90c8efe4d854238d4317d98c254454c562b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2cb2f105addfff97582fb641865d5917

SHA1
07faf8fb520b44583d4e29959e056a77a5e1e7ce

SHA256
70701cf1dc153c37a95d1106ca71791a06963867ff5ebaab2ac04337d436686a

SHA512
3e632f1246f29d6042046ee39b905bc71560f09e353fbe894baae7bcf8df7d5ea60b70306ddae7a982ec5bc3058f0d0e489f6c74203fcd03756033d328fa3e5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6414824926cbfd6f1d8e9a9fcf59137a

SHA1
dbdf1ad3c6b28b0e933f8db640f33bb692e6b8cf

SHA256
ffeafe0fa148c6a3a24964c221027dcfc419a596dd77264bf031739bc054c0cc

SHA512
b4374ec7439e95d7b041e05c62fe03faf79d4b583bec498d9e0b9169d315a7ab76b3cfe5998bdb3432e97d2d90663cc882e065db3e2d14a00749c125a63545aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
514d9f0168d86d617e486e5029cd90cc

SHA1
57a6f0da35832eb87f4966a4c2afb0d84f932dfd

SHA256
dbce2354075272151191dae1048ce1f6e7b79683ee154ba481f91409f0fbe9c5

SHA512
41cddbc9479bc8cca72eceab5ece8e06e0ab4dbe3929f01a4db2b0678faf5f2011abca6484ad2324e4f1e63b75dfddaf59b1a633cab0bd1a418caf254919996d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
bd303d7928ebe51e79ca0706e84a96ee

SHA1
121d6f2560d8c907d1447ade93a496ddcc6eed18

SHA256
1717928abe7d2bbd8d2eba795eb5f09c55dab7ec125c42ec9892059ff74cc764

SHA512
198de569efe7437f68499aa7fc9ead3e6e535529f657b18ec40e37de1d27c16048b809a7805f11714a3a64103dd133f2354be567a7a36064bfc9e394ef131d35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
462e8b062f78232108f7d7ef3eaddd6b

SHA1
fa5a6fdcf95157a189dda6209c53fa32ccf3a956

SHA256
a99e4e79db4d1bb90e143ce29dfbe11a9cb62f395c3d136e986faeeb4f17f714

SHA512
d5fd06c17521609367bcc0a585e35434bb400ce41a1944d5c5f9f2cbd0d0e84224d8df4770ec4fcc46df0bb6796a14a3163f8c0e587d1853b9b6258b38e92a9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e55a251751b390518bd236b4709ddd56

SHA1
c4c8d781374e246e245a4f000cd94d498f808275

SHA256
6ebe2d09f35f5eac23da7bd44d2e81350c4b28d6c033851070378e8bdec8d400

SHA512
9ea6b497e6d188f0803fbc34ad77701d860dffc7677da4fa941ba3908643061c9341d3dd52129701905b40f65e95bf71f400e1b131c9b460c45b53cef280d234

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c1cb7cdf7911ba9e2f79a75ef32a146c

SHA1
50935294e47e35c8111728c1ba35ffbf2ffd487f

SHA256
c591d846914736bf84e36d4d34b4cb82660dae24fe9c4b7530d5070519387bee

SHA512
7f8fe04b55eacb83635ae9f3623704a09052a45e8a70ea5f79c239b206b7fb7de1bd7af08225ec605a5419a2147b86c3607e313d054e741b80e35187ef6a73ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7df8267654e4dc0a19e05fac0b1ad960

SHA1
ff400e0553cb9d50cec643169a0e5bdb52b8fc2e

SHA256
302ff80e5927379e5576058b12460cabb61e7ecc489382939f3a5f5c9d0647f8

SHA512
6d4098a081f67d92cf12f97b55108c7bbddc3fd0ed86ac5457cde5fd3379e398fff5404ec0543d80b10f9a7ffdae461d8ec229084bda66a69392766d8d9e253d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e4f189bcb9638dfc8c9ea762f0464db2

SHA1
65b0f6072a2ef8d5b9e18a85b7ab84c6dba42500

SHA256
a9a6a34228bb5978c2be4f9499acce701c4d282bb59844e8daf77e64fac2c373

SHA512
1b2d659d7a0dfdb9f66b7476b4ad1b1347cf025204f38d185f3003cd477c540aa74bfb5a40262b175b6e7d3079196c5f644b3cbfa776ed6407960d4654a447fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0124eb73215fc54bdb0623184ca04770

SHA1
844df11ebcbe873e1a55e03f76dd878ed04439eb

SHA256
c99b07c0b398c9c80b6c766cb40d2bad6814df85959441fac88d000927f928b4

SHA512
6534c975671a3d018e6b06cbb7fe81ab525547aacedd4767e3021947ff6f02863dfaceea4b62357479a24c0fad516659a5cdcc09285329b00c6ef8913da3c1ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8ce89edb8de1b93272f1ccee8b3bfb82

SHA1
a10e263f96a28e299d05fc40b1e5596c47d25489

SHA256
1541344152298b5b0ddda6859b2b418286a6eced5ff3f97efe98fc4b4f71ac8c

SHA512
170f6c40660caf6ac3ceec399addd00c886e9dc57b008640fb8e7287fc3bfa0bb56e3c33dfb0226af57ed6aeb63554a6649a451c27e2d296e7ebcb4596307664

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f62c0e8a32ff313f63cea975cfb47660

SHA1
4becd8a9d22c64f88f5a6b35cc871e309d51678d

SHA256
d36af86cd3992a424a974183cc889456743a19a21c709d943dcdec2728a2b2f1

SHA512
aec467c22cd47e021acddd4f2668f1ff94f656b024e78d07884f44263364bc3aa4b32152b5c82b41b9d898ccd6776f15f5e6f43a44d7e0a690bb0b0ed151c503

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
61f60378e8d65cc06e64395e489b38d4

SHA1
51b74ae4d9682d02631aadbc9592956db19e9b33

SHA256
6333c77665227028599d0001e36a3411145b8e38b01060f349d780fa84fe636b

SHA512
8a90ee118b7ab2f889e9b2234e4470bf0be856eb9fb743f6ede6b6dc7512847e64f710548cc1e18a635d6653df1549e7df767ad314bae9ed033fa567f7981806

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f9402b80b140211bfecb0371ed9f6aee

SHA1
7bb770bbc20daf7e0d5cd67055dc3f43f1e4257d

SHA256
a440eed17abb091e9ee0b0780ee1f32ce44d0cf5cd2f821ca53e6928b678ab6d

SHA512
e2a7fbe33d611841d10db2e1e10673ad7112ad02a1bcf94512ef19a1dc06be834f557afddce4639bc075c6c2365dce8cfa50d6423f7c4857a5027ea93d5910e3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
43699616dae75955395782083c72dae8

SHA1
00279a5e4d35c016b560b8ab35576c298e1b147a

SHA256
aece45f68995ec34bc3328cf0436e0435c51612b5941796b0582c2f616e76964

SHA512
460d98df8baa19aaef1a1e0c20dfa5e23a1e2531755548f9824fcb0df0a32b6f6ddd57ecd11a365e0c72fb35e453d1d30c7b09d5ccaebd977471fa7fa868d231

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
029c5367269a4ac8913d41f37514c94a

SHA1
dbbad9696eae6cc3b4dca08fe825c7d7c814113a

SHA256
5e82c1cb3ea5bc7dcec96f2eda0f83e92366d6c5eb79a422b5ad077a8cac54f6

SHA512
97369915682f32ae4961575daca66a3f4e321a90c163fb2f92fca8aa05dd367ccf891def8deac1b5a78ff954c36fc1056ff17196c8ca24bc92514eae5a8e4ff8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6cf71764ad760a2c3a58e83ca591d193

SHA1
cadededad228efed3829459104e6afca861a1316

SHA256
8285a8cecbfe65ddf82adcc7082a6035477822aaf3a5ac973b9e1a15cc624015

SHA512
2dca80ebf3de31c7027bb094922db4c9036320cd86e78b16e26790c49f87cbb9d24c359389f424e0c464ca3d0889406ae52d74b8f55e5bed25d4fb9fcc89b052

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
930bfa13d291f9646147c549bea9ac93

SHA1
46b93c1fc5b0ad551391bbfecfab0e5eca51875e

SHA256
70e14520e29cd4f9e221b687cf4c77055e2b122decf2e08135752bf2ae77df73

SHA512
d296c7890f4743f256f882c9658b72231ed7fc7fd63d4c84d8cd4b26bc3a9a6f8805644ecb0e68071e1f053567025429676949c24b32660473d98cb7ff8c19cf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cb26befdfad87d244facc2831f1db8c6

SHA1
2825dff770019a7debdb79bab1fe73358a7ba6ba

SHA256
cd600af9459148d719ef9f088901d0283d61ada4fed8bf6dd3b611e05ff0a986

SHA512
ea38e3335c4dbf3cb5b91c71083431e4343b456fff5087d0803af5a902d45344f01f7550abc3f8159824b1e96f2ec0362ab088ea73f514cf8f493ec1b9fdc0c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
907d19a465425dcb665b79cc6604ff4f

SHA1
7c9aee88ea31e34cd21cda8860b02402e321fbd5

SHA256
c4b5d94eada20023ba0217bf1d75227f172d4a98c217b895be4707bff52c6597

SHA512
fa130b4b61922ab33208fc389c1631efa42f35e0d6658be70a992619225d646b14493766bfca836287a4fc35f5e99b7c9f15f9f98fbca66cc63d8f960d05c592

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c0633678b7b66e72f8ae9268538ee265

SHA1
8ddacbbe9cab5012f511770b0575394f748d9b77

SHA256
dbdb8f573275ed0e04564d9626c9e5a551a5f29abc1397b3d70e5fd576e066f7

SHA512
cc86d1cc46c80fd4d1efc3660b393ce6b46df610a03bfc19330edcd4b81dc5d89b8ccb57a79b8bfa48d9830265ec290fb15a777dc3f12f3523697524115fbf20

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e82a084b99840493bb4146273e991c5a

SHA1
591417b21920b181b4f34540bbf7c2ab0d57d07f

SHA256
1944709f9c937412620fdd4c1362eb6532e5f59b319a14936d5806616a748a4a

SHA512
86a9b9281bc3e451cd9310fecfe7f34f405433c8dabd85fb965b9dc5edb2a553d82d878654f619112c50f8749131d5d2764919c14fd2e70bd193bbf68a817620

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4d981ea513ac7f8b33dd1a0acacba657

SHA1
b69edb54f57ca86e3c45788d046d61d4040e02e9

SHA256
916725115b848e6874027a2376c37bc2645b25d47eeeaa0515d2393018eed5e8

SHA512
0d8be9e8b4abf51e95d74d2a6b23dc3c480ed8546b3ca43eeb212d1212073d30066a733b32296ae1911d00ae2ec8af963b5ad84e2018bd49c253d8268f9d8b8e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3a6ce7ec23038d4212a0c98d28ea28a2

SHA1
ce316dbac22c852da2f9bc540d0011a306db2b9a

SHA256
97bc44897966e7c1e5760ceba682e146d3bf05790ff88aa0f22429e1400ac050

SHA512
51e52e859bf73152f022e0a6ae8ec9ed01d7bac6b063cb9fec31eed63ac74c62eb3d6533de8cd448a1d8993d9f9169199372759cf893270e602e08f44a22f6da

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e9a45db4c32b6f2d100cfbd6b7e02985

SHA1
7f7cd4bdc5e65131adefed2beac7d1360ea56597

SHA256
6da33ec3d4a25cecae60ec89f0116aa1f6c5b9d4fe3030fe64fed17d7443a914

SHA512
4e5aed3c27113e862b1387cb7354d88b356de15fad23e4a0c3d53a12c528ece8d69c540a0ee5c91741d0a6a48fdb81d5f68363698efbf488645696dc5b84d208

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c9e29141d884172264e0991f144641de

SHA1
a24d3d5b8d34afa2043e0abc7805a27f8607c787

SHA256
11411def68e5792d993658360ec62f91fb9d1b3d65f21aeed9186e75a59f00e5

SHA512
7cdd96195cfa17ae5eb15b38301b60edae0f9ce620eab669ea3700e2063f5ae37c31c8c1a91723f41f08b40e394b1e3b1558e9657a8ef755d9c6661f4e867c87

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f6dd3d2661c92f8a9f241ac0306a8b63

SHA1
02e40c3cb44430ba0ce567ce2af5044e8b099c66

SHA256
bf53dfda5c0f66e1f77274b4c1fe853bae6e60e4c45611fe2a335d1fe110abe6

SHA512
4dafd902dae41934bf6ddf0790d18df23b707dfe29cab46b77d90113f94c06bcc6f7c4dbb1d565eed6ab09b40e5ee4064f7a119af08fe388b86d2a9df2d86b76

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e81cb1c9170d01da6acf64cb50a1ff91

SHA1
952a609fa023ade4bbe65265c92d98a0a8d8147d

SHA256
b5c5a908b4f72a96c217e439d881da2fe39e85dc77cf4e84c70bd848810af66f

SHA512
b9345571637e3597449dbf6b8078f5f0bb2c98b864a05654d6a8bc66bcbf21da3ffd0eee0e374997d81f38453bcdf65c118c38957daa02e1d8356cc1bf2e09a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
929d1f3fef6a9efc03439fbc66c9a04d

SHA1
e13166c39ecb3529970e8d8dea682f0b1b441389

SHA256
2b89dd2a7639caab551cb8709f9a087cab776a0f38192c69ce118f2bd40dcd16

SHA512
3556f0efbe0d9cadfc001a48b8f2233ac58d720037bdf2fad9765204757d6fb26d0f0d06b9df1a5e5fdc2c390fdef430885a27ebdf01e1afe12aee34ee7fffce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3d7483a06862af91d1173401ae83a92d

SHA1
8c9c4f6de1b31247a70bed83a9aabe53fbf61656

SHA256
738c513e8d18cc07dbe5e7dc17a317576e3df5a9e63f3278c4b6d42cb4de4c8f

SHA512
59dfde558b652af522aeebdbc921133559d56106e762461e2ea2a71a1b4057b6eb89b5bbcb4cfba32705719351eaea0eeac19ea1394eca6fb3668d994c1e9546

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6f13cd0152dfc61b10162ae649394ae7

SHA1
1f45ce66a897d80783aef160610b01269dba741f

SHA256
fb5af42b0f2bb8d3d777f6d12ee87bb562ac249789f48de5b44f555bc6435638

SHA512
6b78a2e288df972ab4c9a42eed0d3a1aaecaf109a13e4a6616589c7b486d5db537a87ab9c3166f8cc0f7edc746c2402d546da00a4e545af90377d673c99743b7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fc376e1e5c46f86a59e97dd2a05df8bb

SHA1
0e66723a44651d520059aa354d8f368f9aedbe6c

SHA256
7297953ad54c9ba4ed014ec83100f90cdd0cc00a7775f74578d7d31359f55bdf

SHA512
eda92d4689964d350f00e6986dc61df3ea3d651e76352170f0fe4a5761cbcfadb44b86bd079a462d5ac43bc0468e9684b6198e8ce29448f1543a463cbc4e0728

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2f87c439df02afbced36ab22121a42a7

SHA1
1ed336df2835d686fb8027eea424897d175e4959

SHA256
10980cccccb26fe0ad9eff4c4de32d83b111b019d64d7109a76e05fa4b62e5c0

SHA512
ba956b36bd0f3193f5a174c8cb11f4229c809b5f49954be9ea273b89080538f491e5a9601265a830d8f2bea91cb9a6fbc75d25a5fbcc8998fd5d66cdeddb21d1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
dd6e95df8443a8131aeb7c16d554c293

SHA1
1473e173073c0f902bf4c9eb72b1b6e7519c5b9b

SHA256
5110c7a5339727c9feac8af8acc50c2eeb009be6144e1ed19bf2196e3263c848

SHA512
25f246506df684a92164c2343458f5847c49726cc22faeb6ec79197752f99c8839bb57529aec31d8a720e3032a9e47bd987f348d336ec7dd21cac676f8361911

Download Submit
memory/400-301-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/784-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/784-625-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/784-294-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/784-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1056-0-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1056-6-0x0000000000C80000-0x0000000000CE7000-memory.dmp

Filesize
412KB

Download
memory/1056-339-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1056-1-0x0000000000C80000-0x0000000000CE7000-memory.dmp

Filesize
412KB

Download
memory/1508-302-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1544-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1628-43-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1628-66-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1628-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1628-49-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1628-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1664-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1756-297-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1852-326-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1852-19-0x0000000000E00000-0x0000000000E67000-memory.dmp

Filesize
412KB

Download
memory/1852-29-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1852-61-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1852-26-0x0000000000E00000-0x0000000000E67000-memory.dmp

Filesize
412KB

Download
memory/1880-309-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1916-307-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-295-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2652-80-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2652-92-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2652-86-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2672-584-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2672-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2672-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2672-24-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2844-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2844-39-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2844-63-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3188-299-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3444-298-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3816-306-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-310-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4076-296-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4112-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4112-59-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4112-64-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4112-624-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4156-305-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4432-303-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4972-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download