6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
Size

1.8MB
MD5

8f3c321f39221711f4b3b7862ba0e1dc
SHA1

ce5c59f6cefb4f1ef8f931dbf227ff9bf29c30ed
SHA256

6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31
SHA512

51660bb24cdee5963c6bd5664f31ea62b1ed351f2f905c65150f64ca20fe04f56cc050081dec625d464797bb0f1c33690ef58505d1596072233e4d5474d96e98
SSDEEP

49152:gM9QPdxwfE7WlFwKAfzuTiDFUFka/snji6attJM:g1PdVQFwKZCFgXEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4704	alg.exe
216	DiagnosticsHub.StandardCollector.Service.exe
508	fxssvc.exe
2520	elevation_service.exe
4264	elevation_service.exe
3636	maintenanceservice.exe
1404	msdtc.exe
740	OSE.EXE
2032	PerceptionSimulationService.exe
616	perfhost.exe
1040	locator.exe
2272	SensorDataService.exe
4180	snmptrap.exe
1064	spectrum.exe
1676	ssh-agent.exe
1736	TieringEngineService.exe
1748	AgentService.exe
3660	vds.exe
1528	vssvc.exe
852	wbengine.exe
1612	WmiApSrv.exe
336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d702236b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\locator.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_hu.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_iw.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_ar.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_pt-BR.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\GoogleUpdateComRegisterShell64.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_ca.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\GoogleUpdate.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4D55.tmp\goopdateres_tr.dll	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000754bb20c5fafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dc0c70c5fafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007434fc0c5fafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020a48d0d5fafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da21e90c5fafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d25ab0c5fafda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d296fe0c5fafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c249d10c5fafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b60a60c5fafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe
216	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1772	6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
Token: SeAuditPrivilege	508	fxssvc.exe
Token: SeRestorePrivilege	1736	TieringEngineService.exe
Token: SeManageVolumePrivilege	1736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1748	AgentService.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeBackupPrivilege	852	wbengine.exe
Token: SeRestorePrivilege	852	wbengine.exe
Token: SeSecurityPrivilege	852	wbengine.exe
Token: 33	336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeDebugPrivilege	4704	alg.exe
Token: SeDebugPrivilege	216	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 2168	336	SearchIndexer.exe	114
PID 336 wrote to memory of 2168	336	SearchIndexer.exe	114
PID 336 wrote to memory of 3980	336	SearchIndexer.exe	115
PID 336 wrote to memory of 3980	336	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe
"C:\Users\Admin\AppData\Local\Temp\6b34ff7f5e276ea482b92faf1fcdfd0f5f37f2625f7d264bd971c95277190c31.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2272

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1064

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4928

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2168
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4660b6b8539e8e2fef402488e2f2157a

SHA1
2d667be8890976fece14a3eb5a197480bcd29e9a

SHA256
bcd19fff07ef760f8c03a810d59aeae5d24189540a4bce6ece6042ec8418cfa6

SHA512
36feaf8520153c51d6c9795e006dcdc288d43fb2fc1fd383d73d33e519747b542bb9d81d994b65396f98e59e3409040e912be2833a278ab1f94fddec075df2f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6562b442d44902bbe5b7e79f9f549ebd

SHA1
76cfae2e01862709cc1f75932316072ba5653ccc

SHA256
6d15750e365bc11df5059fc2ea42a9ac1e32fa05483f8224d89374d5fa5885fb

SHA512
47e4a18b1509b36a91133bcfcc40227ded21c2724a288bb0f99255626b46a2f2bfe7f60b54d3f90b0a319762dbb9ba888119b87b4ba1a99652679a14fb07d686

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
593ad038196f0928974951167260aa2d

SHA1
4023b3d1bc8e617685c3d12a2bb403bd4d01c46e

SHA256
474b9302470ac2c22f80054c249217e02cb254f4a01d3029acdf75b33080ea22

SHA512
badda349779f95ccdd94b5281763b0c0fc939a38994a5fc7ca94e98cb5709b36c5dd9fbd60d15dea80d634e30e211cf087bab75f4ff2110cb36076490a71ce48

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b588439ec0366bc698bebe1cd01f185d

SHA1
e55a64664aadbd48bdc8e69e5fac51752e077746

SHA256
87a4a60906247ba0fb8129dfd79ff907b28edc8f4ae1f40c38cbe87d45dbae32

SHA512
c4439bb1ca026b2c243251e50a71ec35b4535ca20a50bd3aaaae658bbaf3f25fd141e0d8fdd820554b46b27cb11e7b6c37cf263ac2fe6d35d2a033a7bd02fc86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d6100da7ecb59bf2d87f747c9e471fd4

SHA1
507dc3b03cd94128d7f9c3d180a95958bbdc6b43

SHA256
6c8eb0cf4ec83d872ba71b7bba981e04a31027b28d2077f3fef28e7524e17fde

SHA512
3a1fbb82ccdc9c4be0f69414f89c58324f7754a672c930c660cad3d9ec7dc96b3c2375b895cebb7d4a28f1f3e72474ca833f8dca84c99c839689f709965d51c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5439f6ef653180b202c4dcfe22b7e28a

SHA1
2046aa94ba1c305855448ee05ab710cfb29adae2

SHA256
5d05edc65f0f05944e3fd6cea659891b05f35c36c9fc6b3fb2f657d1040db32e

SHA512
8c41b6c2fba01832c1d4d9deddd0f2032029341d54bff171d9363d5ee1f55ef704166342615c32f113fbe63b272a9073c26064e0f2917c44f13d988ebc7cef09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7738a26dbfe5bdfea047200fb63a7386

SHA1
cb6afbed5ed3821490a0818320ebcba02b5ad2e7

SHA256
4414fe4e796266b9c57ca5addb5afdc153ec7ef527ab05106c1878e3fd8d81ea

SHA512
e651e964e3509bebc150e5ab7e0862ff5faae4e312abbd1f37d47649c5a736a5b60f08341dad932b443e3976d7d9cc4e7c749390e279d039706f6df30c4104d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fb01f47f157e6de7c75230da6e4b4080

SHA1
7f0247d8081202addf07e9e98acf5995748e0392

SHA256
73ccbefd4233cd6b9cc5eda2f5a6174ec9966ac301c79dd418de79ae95faf3b4

SHA512
06cb78b9a4cc1208f03ff756270b48232b2a32a88a611a1741c0ab3d30fab93a869d5a8bb4bebf953267b250449bd483688ad45e63bc8a80679cdf67f40d2004

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
aa261624c8c9b5c4e23471229db1c9a9

SHA1
8f49687ee215e32df445d0955917e369c17834dd

SHA256
4b384f504697ecd404bbf47443231261a8636e8fafb15ff547a798be9c4cbd1c

SHA512
df3c317a5e9789b8c6ad4295189e82c453258de7e7f787680c49767b020f4a5b1e55f320ab57c6e42ee85af3a0f53ad78d87ca5da0bfca5b243c704ebc7680da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bb425f77ae2c8601fccfa6b771f9f799

SHA1
d0a189a2fd1ebfeec3e0025b7ff22e23b3e2d857

SHA256
deb7eae4bc9ffa2c2ce524f64c5b92ac2c122cc1a0bb2a7fa3be7fe928fdc1cf

SHA512
28060e96480f2aded65cfd7c000095a3508d8dae36d2192ad1afd0192f644a66522bb878687e98852f7c8f9cd5bc2b086c27a1bd49dac97217e47f076bc130ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4ef7d41e239306dacc7decf7a43143ff

SHA1
b4850b42c35f5b6bda60206b3b0b1067d096d382

SHA256
524226d33b3a1340171ceb1e4e9de49639d44b5a812ceb369155921fa45482fb

SHA512
0eb0398f8742be91a926334b31a9d072b101b4e332c793167f549321f8fcb618a01bff65773f59b278ae86d1a71b46552687637f2441bdcb7fc046d9c69dee7e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eec0609b6f03ed0b5c5bc6203c1b340b

SHA1
035ef89718eb548b636aca6da96d645f9586b358

SHA256
6508faee37abf436367496f5ce2bd381dcf1f77a0e4526f8664cf6a81cf76d45

SHA512
479f9e9c87ef85dd8bdead70060725734e3454380a1d555dd70e032d8a68f3ae78b6d0b1829901d282fe1536f49e84f99bc14e6dc479b980c985b1755f356907

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
15026246310acb36c8eb2bc55117ad40

SHA1
19c45c2ae1c8fb6d502373798ba7805944e800d4

SHA256
9b6650e0874af70a6ac024abd1046e9130b51af9a2f5fb232247dda709ca37f3

SHA512
f2e2c3db455788f2059e079da32638d13ca430dbc3f40fa6149148d577143c42d9b317a3ea53bde3ff2373650ace2d3a0b5bf476da5e4162ae5733a9dd9d90b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
29e52fcaa893750359a5e6723aaefb06

SHA1
0f253450fc55139226821230d64d879b33bf5469

SHA256
6a0bc56f66d19f199e4ba9790c3b6bbb2868c7ed39feaa4516ca9ef3f980387d

SHA512
93a81f32477fa9363719ef48c29001890d12ce1e2368b9a5161a4e785c74f921d0c1e5840681c796495a6bd9bfe3fd3bcb10813e7a0ad7ce9c39cdf6a703da89

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2168513142e6557f519dc91cd3f3a0ad

SHA1
405ed65c7acfa46977dfd4c759138c81d35f911f

SHA256
46386960f11ed987a71d2eea7811399368b02301dd1748985020199e53c433eb

SHA512
fa4ab02c9114f6a76dcc7da4c8282ef3079bb96ccf462fbfd287b3e2b5b5382221fb0c4ad5c914b4792f63536ef5bd744a28737b2dae6f82f721ceddb08c09c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cc1d87f59f870a515946bcf9f6fb4717

SHA1
5768511c41310e27cd6e14f81a7f3dbf94ed993c

SHA256
d09da95f69d6caf9faf5f90f194c7be48daccd1f36d3384a23b2dcb5d4497c85

SHA512
e683b6dffa5403b171ec52cb72abba147713503635052c0918ecc37cf5d846dd2b39b0210ba39158d41f9aacd5e91907831370ab9d627e58f0eab99a6bab0062

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7a411d37d3385fc9ea9bd4433040367a

SHA1
0da07906d77c0a96811fc22912c020c60a49f351

SHA256
aad433eda3b0895641544546986b4ec999c54b477a99e282bf553114be41645e

SHA512
7fbb7f6e5067e1682db3dbaf9808c310bef0fca0fce240c50f78f59836d83749ab402730cd3d10280face81df11622f5aa6dde2982dc35f12b2642e292978ffc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7b83713239c21e406092e36056550af4

SHA1
bcd921b5e8e38c98689cf077b0f2e496b8f8749e

SHA256
a66c45efb6cfc061070e977447697bb1b67ea80ba04e89beebd2bbe2b315e0bc

SHA512
27f4bcd5082a8914e07fd2e20a2c196ee3d0ab07dcc6b58a38bc422dae83daa81b0d9ad52f0aba4875b038750984f4f3264a0b8ff890c15f6caa065f3228f745

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
dc6ba5cdea2618d5fded8c398a61c6e5

SHA1
05c5f6cdccd7b45a078c78e86b6f88680a391cc6

SHA256
c049936651ffef30c48eeed60ea75c35cf6c1fa03c3842104119fccfd1da0152

SHA512
ea4f6250a6d6d2a7820c783bbb82b33e6475f5ffc086ec9c3bd5ec62b0cd4537310d155ad6980405595d298864ede667ac16653b74a16e0e6f263f93bc0d5dc3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a723e364cbb4e9e70a0bd1b1a30061cf

SHA1
e46f8a7eec2a4be315c675623588fc647114653d

SHA256
cd88216201d0e2c17fed91e2d8efb9cf224ac59260a139fba7e970aecc3d36dc

SHA512
ca1d59d1aecb5a1278cca113f5ea30ea2f6c9a66838aa2161f39113b2fe403e1ed531edbb486fdcffcbdb6a3b68b76dae00bef106ef8b55dd7f6a14fcda5f931

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f719a031857878a24d46785a011dc301

SHA1
46e80d3cf6cc32ca069c03e5bb5e6fbd906acf69

SHA256
16e6510641edf8d3ba3dbe7e2c42e5413d3d0dec150ccf53755a2528457ace89

SHA512
88e3aa89c1f8887303a63ea93c498949c2752ba1a029b53a30c091f6e5c80af223f682603653f2fd2e8a8093bb9fdef972a9ebf40ef1c68996c76eda5d04df6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
635aa58bd32724fd514e68690b25e2bd

SHA1
aced58ecc0cb175a3f74ba2d8744a210fd331087

SHA256
4a6ad6659cc31cd42cbd24d7a5ac7fce25f638821288ae6ccb443700f578fb8f

SHA512
1dcae1bc9fdd1dcffaea0a1bcec7ec4f57a7c2a842074c31a9d432721363633a65d4464a23f3f584534fafcfc8952f93ad1871d740096630d824b9ee4b6750b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ea34c3c144e89939bee7e1d5f7e675d5

SHA1
99b1efbdec0a1e9e042273e5de574883ac44a6df

SHA256
fa058ce3246bd1affab28ce6f20ae719261c648efaec29d809ebb91cc48f2d45

SHA512
49286d78e6847d946c9dfebfca76152cde690e6ee33d59d147eac715afc22d186d0be72653e3001f6095907cbf5924cbf1f6041d6f342484b5f43e8ff26cccfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
470017f300093cca6cc447a7e099e10e

SHA1
64ac9536c59755bddffe34e09cd5c56df7b29117

SHA256
509ddecd68138b58464989774bfa0424f26ab78bd8dc1ccdc70855bed3151030

SHA512
ddf4fa296167516725a372aaa8df16f6bbbba99ff0de7b5f446ec707642359a4cae41383c51a4588497e6920b71358018809979dcd94aacacb9fb0c49ba470d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8f8361835a6ecdc269a094487c732081

SHA1
c596e4217110518b0d5cae367e20235e56ab44f6

SHA256
91f931d87e2a07ce2bc17814c48102ee3720e99d769c5a633f4d53aeda527964

SHA512
696491cf1a7ee41d009827bd0dc3c983b48645dc852d19063edfa69b6fe812daae089c28a71ca0e21d78a7da0c40e07215c5bce7f974a1332a95fbf901669fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2f17805399665fd955ebaecf703c2658

SHA1
79af29a77be97cbd2d440ee38650fbf68a8c34fd

SHA256
3e98b7672102a2cadc7c0d0bb950055468e3cb9bff32d9f6daf8e6f1eecc60d6

SHA512
f182278a67d3e9dc6bc88abe5d214e8948d0908000454086f4a935877e61fc2a64efa3e94099e0d933b73219e65bc9265f7d9bb8609def440b5ec73b05067a1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e1cb5c9a4218862be9a4d548da23d6fa

SHA1
007bd4c549218af07c9e7085255e51798964ad78

SHA256
8ff49770908cb1cacc85a4f36feff15e0af84b9002ad34e7a4ac8b6c684d6306

SHA512
3c11ef5b8886d7dd1e112c94ddea9335cf767299807382e64e5dedf81b150c6ed8dbd845c212a6990bf6b9731a4931613cdc32656f6f1a962cc40a2643d496fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
34329415a5736ab930cb3a7f7cb87a75

SHA1
9a6fb75492a49d5416ac3a2e494450c8b05c04e5

SHA256
db37dd84749c9dce0f08f0cf398393cd75bff5020017f7f7b01571b154b5a3d5

SHA512
4f2b1c98a0583bf59ec70145da8567bfeecd82cdd903b06964be7087b96351be6dd11c58d6bc1c3e85da665c160b2a30f3318c2addeb56771c9f68bd1ef7b20c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4cffab191afa32012a03bfe5c9d0fffa

SHA1
7235b85fe2b3e2f3f5c368e3068dcfa066da883b

SHA256
22118fa163133698d51dd0cce108137c4302008aaf833af282e8bf6ce3aea5e8

SHA512
22952a8b9abc2686c8b4fc771bde2f03717455beb7fe1d4c092ca932b35945ba0b41a4b6572de0de25f104de2731b035f8966b95b8b914bc3f5dde86db3e8d91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9c15264153f526afb4edf3e9d53d51d5

SHA1
cf56246d39069769620ee8ca5dcaf8f72b681c03

SHA256
a00172b343bd974448ad2420535a01fd213ed55a634370c83e04bc753c32dcb7

SHA512
75a2ec6d7d78354077bf7dc9558c454ca4772cc8302a24fbdb947e4539a6ff0082a379eefa5a7447b33f9be032ba4413ea213964b0b0721b14185187d877f0ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2daa559914ae7ef4ea7035a455474098

SHA1
ec3f832d792fb04fc78b2f2dd93f64359f8bd0ae

SHA256
c8c66dd9cf0046a6fa83a11d3bc6829681d53d90e0b743955f8003afee2ad811

SHA512
fe26af5f41cc28d4c7f4e6ec182cc11be1b218f7b6e519b1a3d4ba54e6a8f7703127d5841066789a64021d0758aa69033335478ac96f2a094c7d1c29e8183612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3cd110f41a7e748a23198308134d5bf9

SHA1
cf7a041261e7e79575e0abe967f7be696e69fa61

SHA256
4c7524fe7ee298cedea9cf8b8647c87e7955bfc87f31aea84b7fdecda1d112f2

SHA512
1695feb5ab73271ea3c486b88ab529b9dcdf29d499da910500e75d651f0aed41e0add4464e611ca2ab2f2793ece691f7adee05e2fa2595a174a30ee0af013adb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c8b6c3f4b12491c385ff665693665151

SHA1
eeb50d3ea9eb74aa7a7e992c23080fe0ce151b82

SHA256
16755f0a85904d754fac79687566f089cc8155db9f54454719c37051f6069d6d

SHA512
3f2e130f62b0fa6ea6cdc12b13ae2470e4c9e7a67d2ed2a2aeb827b8dc09b5ae789dc53fbc82283e95102eabe784e1db6905150451227dc12bc5024467e95846

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ac613919298a9ec848b4cf9e344e33e4

SHA1
3bf1049fb4e4b4bd75173c623c44bf64cdc5eaa5

SHA256
1ba01573b5ebb9d8f7ce5a24d7319d255c61d3e1b8a7d4f0c8abcbb638cd3b23

SHA512
823e3920ad834995457039a6f02a1e1527b7ac30fadc4c0fe6e3a2c074c1aac3ab156bc27906af86bb5adac1b9d9da97bebf94afa516a9abd117d59516d1ca92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
53caf8eb0a5938217eaa3253dabbade0

SHA1
df69d8fecc6905c70d39dc6eed3d460734f6929f

SHA256
7b6cfb72d6d80796e4dadeeef9ca740469bf586dd562749dad658f31b6ffa9d8

SHA512
360ebc7dfc84b6ae9a9e7d2adee6cc4597d5e393a63a1c0bfc33ce0d69587ed6fcf7aa368f40faffdd8eb880cf91014cac78dc6ef9ea73afad68c2c923dc69ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b3d2cfb7efcd6bab5852a1beb978e31d

SHA1
8378b5bda813e9834e6cbbfa8df3d3cc43ee5c3c

SHA256
9a42ee9d3437a25449278a13eb87bc19e621a643000c890dbde2a20a2596b728

SHA512
32dd78376c613aaeaad05791e7039fb9bfe19be3840058e77e2867b71367d415ac5cef8667f95201ca910e72b1c1ed8ff4f43c685b53c3a43b1cb4d3dd2ad92e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ee4ecf9ef8c29bdee97a6bbbefbb4ac0

SHA1
3a92f5bc47caffdeaf5537ff9a7c29dfa7e17207

SHA256
c58622101d04d50e18f1b145b95a6fcfcc37ad07d14e8d22837c609fe02a0fda

SHA512
8f06a16593b29514fc09d68b05159b11076643faae0d3b1525fa7673bca85169297e7d8fe6cdf865b2f2f6a0b0fe09e4a0770eb3e0215e5fa25ad31d09b2f31f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a2aeb878b92b2cbf7e97a132df89839e

SHA1
1d3a05c740fba491ab1a62ace2682e7df4681a3b

SHA256
f46a1cdc1d43e638945c437e83f7e4275cff00aa6cb2e7ed81cd8ec9ad75638f

SHA512
1fa279f8b3b6d032e0e3bc61b1c77d78d356fd8693bb097fd60dfb8c1a4593427d9184f924536a4a94ed0eda5d03165ec0367ac8724a4049955d989117099d55

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
227455efeae1f1b8f53546e10bd06bdf

SHA1
6327708d600b9e5e73189da18ea0babd8b783e3c

SHA256
549005cc4510d5bb0a0eb9239ad75b374231613d0c42b5018ebb320707269a76

SHA512
975e3482d6c8ae6601d9b21d9977be84763c9262c0d1552167ba6916b7e34f90bc8adba435a16d4c654e9f9d4cf815b2ddcd80975ac1e62c5b5d5c72aa72af90

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e4563aa3612c76d9584dcb736e4d4cce

SHA1
2a538d935b79889e9c4a683c40653e61fc7a3247

SHA256
b9985ee7e02cdf0afdf6e6aff40c4f95597338d3d5c84770d47309e18cda6ff0

SHA512
5676ad81f59903a8089a99fe42cc8da520050f8500f9d0a1cbfb653e20fd6df63b859b09f1fc74f2b5600eb6a35fc5e474e52d0519a0b117811bc35d87046446

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4fa88f8617ddd8c7c31c6e3c9e158c93

SHA1
f99c20a1fbdbbfc0bf4cdb38fd28b1936f5c07cb

SHA256
10cf429578e33368e72465739895960c77a8693b8fab5264e21755fb16d79055

SHA512
6e31de48a4c5a68edf4797316fa19ff4fa64beb7c03f370d85ae2cbf7159f244d61b939968c184fe273bd117ce702bad3bfc8543903acb289f3e55e32cdba67e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1658fc3a8e8386a811feddce48ae8fb4

SHA1
d3d73353571faed6ec0ca8f8b1b17f12afb83ab7

SHA256
d5924e5908b07264368e94afe51e8aabb11fa86b8e421c364e9874dafb6ea436

SHA512
f299767c081fe57099b167dba389aa6fcbd6c11e1f52e0435596b77b2f0614d398ca5d41d3bbec0051d361349c064e09d4d03e869f9b9f1cd10bfaf3b3106833

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7807c633da90fb643d7b01353866765c

SHA1
c8d615fa454cfdc5f384a6c3d115758af603e1aa

SHA256
9043d9e69e6567f53e1b24748fc98b84b623c37adac17faa56911685bc3a0980

SHA512
09f16b9edc2edf6af9ab813da4d3d945d1e98ede527695929a14d4d876a61df6896c682c5cadaf1e8fb4928283c11bc7823fc96e38b8750470d315c41dcb41f0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7a5bdc65bd537cbcbd731ef0eef59188

SHA1
ef3104ea4e84ab18662ec03370520aea9ae87f73

SHA256
60c8d23c9554fe0c698d0021313c7f5c66f9247ca50899c0c1b8bcdf359c4ced

SHA512
3854d471c0b83c0c1841deb2e3356cde998b4c8c2d0390ae87852bb9a4a0b393b43b4f8730a250371717c7670d4dd1055f64a619715291835889eff8ff126a8c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e9cf8f261a64250778613a1abc5f513c

SHA1
63c8eacd9e6c449ea8d0791a3a0f6a08ddc60aa4

SHA256
2bb7d9423cc874fbf1822a9b56e04f7ff96536afdf08febabbbbbda914bd646d

SHA512
5b01b91984b9dfc3b30c4b45e918ab6d5363cb5c6efcf86ebbe99a99f8fe1ea60c9e3e54f856dbbaab0a95c9119d3a041a7cf6844aec7df85c5d9de48e1d39b4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9850d4fbcb9e1bc55b1dfa9a1cfab6e7

SHA1
174375c072d2c244eb6144c84dba6f0429dcff6d

SHA256
2a6de273d66666f367460b7f14ea467ea6c2c29e6de23bf921930bf993f64b8c

SHA512
ca8f3c235a21da0150dc104deae74b389b68c55d866ce24d0bc5063cc9ab3541f5b2ad40cf6c576c5cfe7f97a05f5aeadae3e5471da2074ed6c3c21504c2de93

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f723ce23c971861ce14006e527eb2a53

SHA1
11dc4601664306cbef91f6a0e24507235a4afad9

SHA256
4c7b5eef437e518eb629929534477aa9c943e5b6b187529fc8cd4674591ee22c

SHA512
29377e51e88c09a02e76001327ad59901c1610fde22c608c20a4d4a542c4e1e4c7267536270db05e1f2401a467e13b3188be70e6d4678a6ef708cbcdfaf49919

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
75784962b35cbb3316d2828650168910

SHA1
77ecd94bbdcdc8542514909749357dc25f29d718

SHA256
5c6ad215b8db09087f78af82fce2c1110fe354629f9917f6ab6e9abaf78b49c3

SHA512
ed19f6842396a9dc419cb68bdf02d0285c57ba007cd9262daa20c01d20b7293371bb036669182fe443e71be6cf9ad4f51120a50c2e1276636f1cdc5400643205

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5df87a7f26c28e839460dbfe1e3992a7

SHA1
96478cd7c5d9b9b338ecbbdb6d67724cbbf017f8

SHA256
fbc9da662aef57cb50d1f7cef647d7a015502b219b8a4e1c29137d52e8fedc5b

SHA512
3b3639c57a06a68bfee3574dd467409ae3189ded874851f83c8627323388e2a5e9c0d84ad4eb8def176280de1b6427c1092b0e2fde2826dedfef3a90e5b31b8a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9d3ac4f1de23838189f2b07820ea1e17

SHA1
2d81cebd53749311c763b69879dbde7ffc82306c

SHA256
94d1ce66dac06d13fdeea90286df91e9ce413a78f3bb49922a5b067c25976224

SHA512
d774ee1e1e3b537a4f2e41595d1a2e51d1548c1e5c7f53d2552c8a14dfb2e55c6b3ba95be7196029f50f637ce780e69b5df66e141465cee77499fbc3f5cf1285

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
377bc479ced797836999e9cff4c48153

SHA1
deecdaffb81f61e255fb89f8825bc862d54a95be

SHA256
c0033eba0239ff19904a95107d16ef36eb5dfef5e74e274fef5b63ac4ec8b545

SHA512
841a5aad1888766a8868f2f6c669f8bfaa1adf9e7fd3071025c91d5b6c7cd8377f5245cc27150f435793337b572e6b00cd721054d7f928f926f25381450f2517

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d2785b02483e5828e11636d459fbee33

SHA1
3ac61c4ded8efc0aef661f091449fb59860ec988

SHA256
73f7ececfa644e8ab0b00ed1c5f79929b3b22832d9f3a4c807beef6807b3d6f6

SHA512
4fc98d3c610a5c5862ff8e5a68b9a62d362d6f8ce61872ab02c712810d8de9601d95d8c44a20ed5da46bd1e6054d5c9ef1a3429d3e5440af420d267af0760f06

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8add5e0cedd0fa502e7c7041cbd44ce3

SHA1
f956f246c9fa08ebcda8c075040fe0cda8567eb6

SHA256
7c7727c7f69288f47c0564c8572118c0b708cdd8311779306006f1a96aed9b03

SHA512
5dae26d4811ea4572cd203a4eed168795ba35af255174b80e7b4139d76bfdca5271721015ac5d1b0d50c6d22412d485c573df46217254f1f6d572d3b73555af6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1679caa78932216e07e39482fbd5ef46

SHA1
3bff80927604ab835ab2dc88c6dbd82dbbcb63fe

SHA256
1bf9e8d198080358e65b4a4445993f3d29d56169099a50d239f1b847d2e563a2

SHA512
95025d24f37393a2402153cd0a6c68698c65c0b2c04c0825fda8946310d42e5943f6e161fc2e44dd6a87b95911e9ac02d2026e10628cade921b82d2a8e069e83

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2139015a4b1b4f5711acd09312d807b0

SHA1
fc42c9ee9fa8504681436689e571509d10618bbf

SHA256
c695d9071a878f9a05cbf51a04df2aa62ceb20921c830f821f4e6957d0a77c56

SHA512
b97990ee2177a3bcbca5628b66b776cb86b82a95a5511509be4f42d903bba4851ace134c63c9f0058c4d6e0b0ceb01c80f185b1c4ff37cbf2f2c929779280f3c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
086572b10cf76fe11903fa3617f6180a

SHA1
0ef1ab7211441ad690fb15d01cd5b959dd62d550

SHA256
90fdc94e29642eaa8c1c214877713ef90931e2da61254b01c5bae0b62bfeb03b

SHA512
8c62be16d793cd96bf4a5c7bf00bbe9f96025a8c6b3337cdef741405d64ac0cccfd9b707b5dc811cbd9d5235ab38194ed4106a24413b3431583357ace7ab375e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
729b0d506138b646dbeee10ea072443f

SHA1
9d3fd366b71607a4165bcf256f4ad8f1769217f3

SHA256
a8d419addf502866577f2972691035a4a882c1ad555cb5cf72d83625432f6e07

SHA512
009ab406182e1e880dfb3c8f6ac09e6dd1bf328b5871b4a56ec95a11af9951611f03c18c9d89b6c788106bec40e88eb2e08514bb6be646b6d097b88259fd8d76

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
90a03b2d4bdb5769fa8753adc35a4722

SHA1
487f5cd737050dffa963fa2334cb4ef5fd53ef04

SHA256
91a9ce39375baf7db65ab893c89b4f865dbefb691393f968e5857c47dd54c9d0

SHA512
019349cd3385ad3ad8e25d1a6acf3a01caf1b9b80cd19bead85c6d5d3ae5c66dc7bb10b84b27489ddeb912473b1d1bb632c023ded7950e542b4bb1599cfb1db0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8c7610878ea496a449182e18cbf289df

SHA1
6439b22efa84d515de0536a386620a69cac822d2

SHA256
8528f0212dd4465a6efcd76bb62bf1965c65b79b07cf48823f0ca6390d523d09

SHA512
119d54d67d6aa441e0695ccd538e3ebd429cd860e771fdedd591ac88564ae7e6b54ec38697af2174d02c752cd582a9cfa6a094e3fceab2cd03af3b40c1e132fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c9ae06ffb448c22504539fdae0552c34

SHA1
fa2d2f5698baf71d5e59e959169facd1c8b7c8e4

SHA256
e6a1eb95eb02fd0d4c19e8b13a9066c19e60aaffe498ed22c65d3350ae790c7e

SHA512
2c657f0e7ce2659530ffc22b1fe467d039781fe58607f026b884b84895eddc3e90d9457139f64578b02a434d4e0932d127c8b0a931417c9db610dce6a5a6071b

Download Submit
memory/216-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/216-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/216-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/336-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/336-834-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/508-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/508-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/508-126-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/508-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/508-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/616-202-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/616-315-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/740-291-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/740-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/852-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/852-832-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1040-206-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1040-327-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1064-822-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1064-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-276-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1404-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1404-158-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1528-828-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1528-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1612-328-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1612-833-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1676-825-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1676-254-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1736-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1736-826-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1748-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1748-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-1-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1772-8-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1772-601-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1772-189-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1772-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2032-303-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2032-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2272-820-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2272-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2272-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2520-117-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-118-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2520-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2520-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3636-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3636-148-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3636-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3660-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3660-827-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4180-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4180-505-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4264-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4264-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4264-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4264-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4704-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4704-21-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4704-205-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4704-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download